Setup L2TP / IPSec VPN on Windows Server 2016

Following tutorial shows how to setup Windows Server 2016 (single NIC, behind NAT/Firewall) as a L2TP / IPSec VPN Server.

Install Remote Access Role

  • Open Server Manager > Manage > Add Roles and Features and add Remote Access role.
  • On Role Services screen choose only DirectAccess and VPN (RAS).

Enable and Configure Routing and Remote Access

  • Open Server Manager > Tools > Routing and Remote Access
  • Right click on server name and choose Configure Routing and Remote Access.
    • Follow the wizard and choose options Custom Configuration and VPN Access.
  • Right click on server name and choose Properties.
    • General: Leave default settings
    • Security: select "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter your chosen Preshared key.
    • IPv4: Leave default settings (if you have existing DHCP server)
    • Settings in other tabs can left as they are.

Create Active Directory VPN Group

  • Open Active Directory Users and Computers.
  • Create a new security group and add all users that will have permission to connect via VPN.

Create and Configure Remote Access Policy

  • Open  Server Manager > Tools Network Policy Server
  • Open Policies, right click on Network Policies and click on New
  • Configure as follows:
    • Policy name: Allow VPN Access
    • Type of Network Access Server: Remote Access Server (VPN-Dial up)
    • Conditions > Add > Users Groups. Add VPN Users group you created in previously.
    • Specify Access Permission: Access Granted
    • EAP Types: Add Microsoft: Secured password (EAP-MSCHAP v2)
    • Constraints: Setup as required...
    • Complete rest of the wizard and move the policy up to Processing Order: 1

Make registry changes to allow L2TP behind NAT

This registry change needs to be done on the VPN server and all Windows VPN clients:

  • Open regedit.exe
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  • Create a new DWORD 32 type value:
    • NameAssumeUDPEncapsulationContextOnSendRule
    • Data2
      0 - No connection to servers behind NAT (Default).
      1 - Connection where VPN server is behind NAT.
      2 - Connection where VPN server and client are behind NAT.
  •  Reboot computer for changes to take effect.


April 2018
Windows Server Standard 2016




Subscribe to receive occasional updates on new posts.
Your email will not be used for any other purpose and you can unsubscribe at any time.
Please wait