L2TP/IPsec VPN On Windows Server 2016 Complete Lab (V2.0) Ahmed Abdelwahed Microsoft Certified Trainer Ahmed_abdulwahed@outlook.com http://www.mycertprofile.com/Profile/3992184764 L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Table of Contents What is VPN? Existing Active directory environment Existing DHCP Server Configuration: VPN Server Setup and Configurations VPN Configuration Steps: Step 1: Join VPN Server to ITPROLABS.XYZ domain Step 2: Add Remote Access role Step 3: Enable and configure routing and remote access (Enable VPN Service) 10 Step 4: Allow VPN clients to obtain TCP/IP configuration from DHCP and use internal DNS 13 Step 5: Configure a preshared key for IPSec connection 14 Allowing internet users to connect through VPN 15 Step 1: Active Directory Configuration 15 Step 2: Configure the Remote Access policies (NPS) 17 Testing 23 Create VPN connection from windows 10 Client 23 Allow internet connectivity with VPN 26 Connect to VPN 27 Check connected VPN client Status 28 2|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab What is VPN? A Virtual Private Network (VPN) is a secure network tunnel that allows you to connect to your private network from internet locations So, you can access and use your internal resources based on your permissions Existing Active directory environment OS: Windows server 2016 Domain Name: ITPROLABS.XYZ Domain IP: 192.168.153.10/24 IP Scheme: 192.168.153.0/24 Full Windows Server 2016 Active directory lab: https://gallery.technet.microsoft.com/Install-Windows-Server-f37e3c6d?redir=0 3|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Existing DHCP Server Configuration: VPN clients will contact the DHCP server to obtain our internal TCP/IP configuration so they can access internal resources, the DHCP server configuration explained as below: Server IP: 192.168.153.10/24 Scope range: 192.168.153.50 – 192.168.153.254 DG: 192.168.153.2 DNS: 192.168.153.10 Full Windows Server 2016 DHCP lab: https://gallery.technet.microsoft.com/Installing-and-Configuring-bf727a5f?redir=0 4|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab VPN Server Setup and Configurations Server Name: VPN LAN IP: 192.168.153.11/24 WAN IP: public IP address Network configuration: We have network interfaces one for LAN connectivity (in our domain scope) and another for WAN that will receive VPN client connection requests from internet 5|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab VPN Configuration Steps: Step 1: Join VPN Server to ITPROLABS.XYZ domain First, Join our VPN server to ITPROLABS.XYZ domain, so we can use active directory to authenticate the incoming VPN client connections Step 2: Add Remote Access role On VPN server, from Server Manager add remote access role as explained in the figures below 6|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab 7|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab 8|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab 9|Page L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Step 3: Enable and configure routing and remote access (Enable VPN Service) On VPN, from Server Manager, open Routing and Remote Access Right-click VPN (local), and then click Configure and Enable Routing and Remote Access and follow the instructions as explained in the figures below 10 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Step 5: Configure a preshared key for IPSec connection On VPN server configure preshared key that will be used in IPSec connections Disable PPTP connections By default, VPN Server can receive 128 concurrent PPTP, SSTP and L2TP connections, you can increase this number of concurrent connections or decrease it or disable it by decrease the mentioned number - 128 - to zero, as explained in the figures below 14 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Allowing internet users to connect through VPN Step 1: Active Directory Configuration Create active directory group to only allow members of this group to connect through VPN, to this from active directory users and computers we will create active directory group (VPN_Users) and add member user to it (aabdelwahed) so we can use him as user testing The following instructions are configured on ITPROLABS.XYZ domain (DC01) 15 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Now you can add members to this group that you want to allow them to connect through VPN 16 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Step 2: Configure the Remote Access policies (NPS) Users you want to allow them to connect through VPN must have grant access permission from Network policy Server or give users dial in grant access (One by one) permission from active directory users and computers wizard, in our scenario we will configure this permission through Network Policy Server (NPS) to allow members of VPN_Users group (Bulk Users) that we just created in active directory to access the network through VPN the following steps configured on VPN Server On VPN, from Server Manager, open the Network Policy Server console 17 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab 18 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab add users and groups that you want to allow them to connect through VPN 19 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab from this wizard, we can apply some polices and restrictions on VPN clients like session time limit 20 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Configuration summary 21 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Make sure that your created policy order is 22 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Testing Create VPN connection from windows 10 Client First, create VPN connection to VPN Server public IP address (as explained in the figures below) 23 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Now, configure our connection to use L2TP (as explained in the below figures) 24 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab 25 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Allow internet connectivity with VPN By default, the connected to VPN clients can’t browse internet to solve this issues solved as explained in the figures below 26 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Connect to VPN Now you can use your VPN connection using aabdelwahed user who have grant access permission to connect through VPN according to his membership on VPN_Users group 27 | P a g e L2TP/IPsec VPN On Windows Server 2016 Step By Step| Complete Lab Now, run ipconfig /all to check your VPN connection configuration, so now you can access the network resources based on your permissions Check connected VPN client Status Now back to VPN server to check status of connected users also you can force disconnect any connected users as explained in the figures below 28 | P a g e