This lab provide complete information to deploy and configure L2TP/IPsec VPN on Windows server 2016. Table of Contents What is VPN? Existing Active directory environment. Existing DHCP Server Configuration: VPN Server Setup and Configurations. VPN Configuration Steps: Step 1: Join VPN Server to ITPROLABS.XYZ domain. Step 2: Add Remote Access role. Step 3: Enable and configure routing and remote access (Enable VPN Service). Step 4: Allow VPN clients to obtain TCP/IP configuration from DHCP and use internal DNS. Step 5: Configure a preshared key for IPSec connection. Allowing internet users to connect through VPN.. Step 1: Active Directory Configuration. Step 2: Configure the Remote Access policies (NPS). Testing. Create VPN connection from windows 10 Client. Allow internet connectivity with VPN.. Connect to VPN.. Check connected VPN client Status.

1. http://www.mycertprofile.com/Profile/3992184764
L2TP/IPsec VPN On Windows Server 2016
Complete Lab (V2.0)
Ahmed Abdelwahed
Microsoft Certified Trainer
Ahmed_abdulwahed@outlook.com

2. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
2 | P a g e
Table of Contents
What is VPN?...................................................................................................................................................................3
Existing Active directory environment............................................................................................................................3
Existing DHCP Server Configuration:...............................................................................................................................4
VPN Server Setup and Configurations ............................................................................................................................5
VPN Configuration Steps:............................................................................................................................................6
Step 1: Join VPN Server to ITPROLABS.XYZ domain.................................................................................................6
Step 2: Add Remote Access role..............................................................................................................................6
Step 3: Enable and configure routing and remote access (Enable VPN Service) ...................................................10
Step 4: Allow VPN clients to obtain TCP/IP configuration from DHCP and use internal DNS.................................13
Step 5: Configure a preshared key for IPSec connection.......................................................................................14
Allowing internet users to connect through VPN .........................................................................................................15
Step 1: Active Directory Configuration .....................................................................................................................15
Step 2: Configure the Remote Access policies (NPS)................................................................................................17
Testing...........................................................................................................................................................................23
Create VPN connection from windows 10 Client......................................................................................................23
Allow internet connectivity with VPN.......................................................................................................................26
Connect to VPN.........................................................................................................................................................27
Check connected VPN client Status ..........................................................................................................................28

3. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
3 | P a g e
What is VPN?
A Virtual Private Network (VPN) is a secure network tunnel that allows you to connect to your private
network from internet locations. So, you can access and use your internal resources based on your
permissions.
Existing Active directory environment
1. OS: Windows server 2016
2. Domain Name: ITPROLABS.XYZ
3. Domain IP: 192.168.153.10/24
4. IP Scheme: 192.168.153.0/24
Full Windows Server 2016 Active directory lab:
https://gallery.technet.microsoft.com/Install-Windows-Server-f37e3c6d?redir=0

4. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
4 | P a g e
Existing DHCP Server Configuration:
VPN clients will contact the DHCP server to obtain our internal TCP/IP configuration so they can
access internal resources, the DHCP server configuration explained as below:
1. Server IP: 192.168.153.10/24
2. Scope range: 192.168.153.50 – 192.168.153.254
3. DG: 192.168.153.2
4. DNS: 192.168.153.10
Full Windows Server 2016 DHCP lab:
https://gallery.technet.microsoft.com/Installing-and-Configuring-bf727a5f?redir=0

5. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
5 | P a g e
VPN Server Setup and Configurations
Server Name: VPN
LAN IP: 192.168.153.11/24
WAN IP: public IP address
Network configuration:
We have 2 network interfaces one for LAN connectivity (in our domain scope) and another for WAN that will
receive VPN client connection requests from internet.

6. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
6 | P a g e
VPN Configuration Steps:
Step 1: Join VPN Server to ITPROLABS.XYZ domain
First, Join our VPN server to ITPROLABS.XYZ domain, so we can use active directory to authenticate the
incoming VPN client connections.
Step 2: Add Remote Access role
On VPN server, from Server Manager add remote access role as explained in the figures below

7. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
7 | P a g e

8. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
8 | P a g e

9. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
9 | P a g e

10. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
10 | P a g e
Step 3: Enable and configure routing and remote access (Enable VPN Service)
1. On VPN, from Server Manager, open Routing and Remote Access.
2. Right-click VPN (local), and then click Configure and Enable Routing and Remote Access
and follow the instructions as explained in the figures below

11. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
11 | P a g e

12. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
12 | P a g e

13. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
13 | P a g e
Step 4: Allow VPN clients to obtain TCP/IP configuration from DHCP and use internal DNS
Here we will allow incoming VPN clients to obtain TCP/IP configuration from DHCP, also It’s better to allow VPN users
to use the internal DNS server, so they can locate and access internal resources easily

14. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
14 | P a g e
Step 5: Configure a preshared key for IPSec connection
On VPN server configure preshared key that will be used in IPSec connections
Disable PPTP connections
By default, VPN Server can receive 128 concurrent PPTP, SSTP and L2TP connections, you can increase this number of
concurrent connections or decrease it or disable it by decrease the mentioned number - 128 - to zero, as explained
in the figures below

15. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
15 | P a g e
Allowing internet users to connect through VPN
Step 1: Active Directory Configuration
Create active directory group to only allow members of this group to connect through VPN, to do this
from active directory users and computers we will create active directory group (VPN_Users) and add
member user to it (aabdelwahed) so we can use him as user testing. The following instructions are
configured on ITPROLABS.XYZ domain (DC01)

16. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
16 | P a g e
Now you can add members to this group that you want to allow them to connect through VPN

17. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
17 | P a g e
Step 2: Configure the Remote Access policies (NPS)
Users you want to allow them to connect through VPN must have grant access permission from Network policy
Server or give users dial in grant access (One by one) permission from active directory users and computers wizard,
in our scenario we will configure this permission through Network Policy Server (NPS) to allow members of
VPN_Users group (Bulk Users) that we just created in active directory to access the network through VPN. the
following steps configured on VPN Server.
On VPN, from Server Manager, open the Network Policy Server console

18. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
18 | P a g e

19. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
19 | P a g e
add users and groups that you want to allow them to connect through VPN

20. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
20 | P a g e
from this wizard, we can apply some polices and restrictions on VPN clients like session time limit.

21. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
21 | P a g e
Configuration summary

22. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
22 | P a g e
Make sure that your created policy order is 1

23. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
23 | P a g e
Testing
Create VPN connection from windows 10 Client.
First, create VPN connection to VPN Server public IP address (as explained in the figures below)

24. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
24 | P a g e
Now, configure our connection to use L2TP (as explained in the below figures)

25. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
25 | P a g e

26. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
26 | P a g e
Allow internet connectivity with VPN
By default, the connected to VPN clients can’t browse internet to solve this issues solved as explained in
the figures below.

27. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
27 | P a g e
Connect to VPN
Now you can use your VPN connection using aabdelwahed user who have grant access permission to
connect through VPN according to his membership on VPN_Users group.

28. L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab
28 | P a g e
Now, run ipconfig /all to check your VPN connection configuration, so now you can access the network
resources based on your permissions.
Check connected VPN client Status
Now back to VPN server to check status of connected users also you can force disconnect any
connected users as explained in the figures below.