RESET Forums (homeservershow.com)

Set up L2TP PSK(PreSharedKey) VPN


Drashna Jaelre

Since I took the time to post this in a different thread... let me post it here as well, since there are plenty, I'm sure, that would like to know.

By default, the "Anywhere Access" wizard can set up SSTP, which is great for Windows, since it supports it natively. However, for your mobile devices, you need PPTP or L2TP.

PPTP is the easiest to set up, but it's also the easiest to crack.

To do that, just forward port 1723 on the router to the server, and make sure that it allows for VPN passthrough.

As for L2TP, it depends on which version you want to use. I'll cover JUST the PreShared Key (PSK) method, as it's much simpler.

Either way, it'll require installing the "RRAS" console. To do so, load up Server Manager and add it.

Under Roles, make sure that "DirectAccess and VPN (RAS)" and "Routing" are installed (they should be already).

Under Features, it's "Remote Server Administration Tools -> Role Administration Tools -> Remote Access Management Tools -> Remote Access GUI and Command-Line".

Once you've done this, in "Tools" or "Administrative Tools", there will be a "Routing and Remote Access" console. Open that up.

Find the server name, and right click on it.

Select "Properties" and click on the "Security" tab.

Check "Allow custom IPsec policy for L2TP/IKEv2 connection". Input a ... well, passphrase here. This is your preshared key. This is much like your wireless AP's WPA key, in that it allows access to the VPN. However, you also require the username and password to log in.

Forward ports 1701, 500, and 4500. These are all UDP ports.

Also, you need to make sure the router allows L2TP (or manually enable "IP Protocol 50" in firewalls/UTMs that require it, like Sophos UTM).

You may need to enable the options in Windows Firewall, as well.

Once you've done this, you should be able to access the VPN over L2TP (which is much more secure than PPTP), and it is supported by Android (and possibly iOS, but I don't own any Apple products, so I have no idea).
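As an added example (not from the original post), here is the same procedure scripted in PowerShell for Windows Server 2012 R2 / Essentials, so the role install, PSK and firewall steps can be repeated and checked; the PSK value is a placeholder, and Set-VpnServerConfiguration is assumed to be available from the RemoteAccess module on a server that the Anywhere Access wizard has already configured as a VPN server.

```powershell
# Added example, not part of the original post. Run from an elevated
# PowerShell prompt on the server. The PSK below is a placeholder; use a
# long random passphrase of your own and give it only to your own devices.
$Psk = 'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE'

# 1. Roles plus the RSAT console ("Remote Access GUI and Command-Line").
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing, RSAT-RemoteAccess `
    -IncludeManagementTools

# 2. The pre-shared key. This is what the "Allow custom IPsec policy for
#    L2TP/IKEv2 connection" checkbox in the RRAS console sets.
#    Assumption: Set-VpnServerConfiguration (RemoteAccess module, 2012 R2
#    and later) is available and RRAS is already configured as a VPN server.
Set-VpnServerConfiguration -TunnelType L2tp -L2tpPsk $Psk
Restart-Service RemoteAccess

# 3. Host firewall: the built-in rule group already contains the L2TP, IKE,
#    NAT-T and ESP rules; it only needs to be enabled.
Enable-NetFirewallRule -DisplayGroup 'Routing and Remote Access'

# 4. List what is now open locally, to compare against the router forwards
#    (UDP 500 = IKE, UDP 4500 = NAT-T, UDP 1701 = L2TP, protocol 50 = ESP).
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Enabled True |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Sort-Object Protocol, LocalPort -Unique

# 5. Confirm the service came back up after the restart.
Get-Service RemoteAccess | Select-Object Name, Status
```

The port list in step 4 is the host side only; the router or UTM must still forward the same UDP ports (and pass ESP where NAT-T is not in use) to this server.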


nrf

Thanks for memorializing this useful post.

On Android, I went into the settings for VPN, selected "add VPN network",

gave it a name,

selected the type "L2TP/IPSec PSK",

for the server address put in my domain name, in my case xxxxx.remotewebaccess.com,

then put in the same 'pre-shared-key',

then saved it.

To start it up, I then click on the entry, type in my name and password, and hit 'connect'.

It didn't require me to include the domain name in the 'username' field.

ikon

Congrats nrf. Must be nice to have it working.

Jason

Interesting. I just use OpenVPN on a Sophos UTM box and the iOS OpenVPN client for VPN. Sophos has made VPN so turnkey. It even makes pfSense VPN setup look like a root canal.

Drashna Jaelre

Interesting. I just use OpenVPN on a Sophos UTM box and the iOS OpenVPN client for VPN. Sophos has made VPN so turnkey. It even makes pfSense VPN setup look like a root canal.

Actually, Sophos UTM supports L2TP as well, and other VPN services.

However, I stay away from OpenVPN. It is just a PITA to configure and not worth the effort to me.

And yeah, Sophos makes everything pretty much turnkey, whereas pfSense is DEFINITELY an Open Source project...............

Jason

I thought OpenVPN was more secure than L2TP which is why I configured it. Is that not the case?

ikon

pfSense is DEFINITELY an Open Source project...............

Yeah. Sometimes I think Open Source = We couldn't figure out how to make it easy to use.... ;)

Drashna Jaelre

I thought OpenVPN was more secure than L2TP which is why I configured it. Is that not the case?

IIRC, it depends on who you ask. Ask a Linux user, and the answer will always be yes....

Yeah. Sometimes I think Open Source = We couldn't figure out how to make it easy to use.... ;)

Oh, no, I'm pretty sure it's "How can we make this as confusing as possible for Windows admins? And how confusing and fragmented can we make it while still catering to EVERY need regardless of how complex it makes it?".

Now, don't get me wrong, there are some fantastic open source projects out there... but they're by far the exception and not the rule.

mazo22

Hi, any ideas how to do it in 2016? The very same procedure is stopped by "LEGACY mode is disabled on this server" in the RRAS console. Thanks for any help.

