I will guide you in this article through the process of setup of the L2TP/IPSec client in Windows 7 and later OS. This tutorial also covers the Windows server platform. The client side setup does not depend on the type of VPN server.
Thanks to the Mikrotik RouterOS and similar platforms, setup for this kind of tunnel is very simple today. Moreover, this tutorial is the client-side part of our IPSec series. We will explain the server side after this mini-series related to client-side configuration.
Today, L2TP/IPSec client is supported out-of-the-box in Windows 7 and later OS’s, including all server platforms. Although we rarely need VPN on the server platform, we can do it with easy in the same way.
You can find the following tutorials related to the L2TP/IPSec VPN clients on my blog:
1) We need to open Network and Sharing Center and to search for the option Set up a new connection or network. The number of options in this step can vary between Windows versions, but there is always this option, as the first in the list.
2) The new window will be opened. We will see a few options in this window. We should choose the option Connect to a workplace.
3) We will create a new connection. We usually do not need to establish a previous connection. We need to establish a different connection before the VPN connection only if we are using dial-up or similar on demand connection.
4) In the next step, we should choose the option to connect to distant network using the VPN connection – Use my Internet connection (VPN)
5) The new window will open. We need to fill the destination and descriptive name of our connection. You should name this connection in a user friendly way, like Contoso VPN.
The destination can be either an IP address or DNS name (as demonstrated in the screenshot). In case you want to use the DNS (a.k.a. FQDN) name, you must register it in your DNS zone. This option allows you to register multiple IP addresses under the same DNS name and to use so-called round-robin access.
This means that we can have two or more independent Internet links and to allow users to establish the VPN over a random link. In the event that one of the links is unavailable due any problem with the ISP, your VPN concentrator is still up and running.
If you want to make this connection available to all users of this computer, you should enable the option Allow other people to use this connection. On domain joined computers, this option will establish the VPN with your company before you log in to the system. This is very handy if you want to increase the security.
You should also enable the option Don’t connect now; just set it up so I can connect later.
6) On the next window, we can enter the username and password. However, for security reasons it’s strongly advised that your password for the VPN connection is not saved. Yes, you will need to type it every time. But hey, this is a small price for greater security.
7) Now the Wizard can finish the steps to complete the connection. Please, be patient until the Wizard finishes its work. This will take maybe a minute to complete.
8) After a short while, we will see the ending screen that will inform us that the new connection is ready to be used. However, we must click on the button [ Close ] to finish the Wizard.
9) The next step is to open the option Change Adapter Settings and to locate our new connection in the list. The same can be achieved by using icon for network connections in the notification area.
Right click on our connection and from the menu context we should choose the option Properties.
10) We should select the third tab named Security. Here we can refine here the VPN setting. By default, it is on Automatic. We will select Layer 2Tunneling Protocol with IPSec (L2TP/IPSec). All other parameters should be setup either according this screenshot or in compliance with instructions from your system administrator.
11) Before we close this window, we should make one more significant tweak. There is a button [ Advanced settings ] under the type of VPN connection.
12) Click on it. The new dialog window will open. We have two options here. Both are related to the IPSec part of the tunnel. We can use either the pre-shared key or certificate. In our case, and in most situations, we will choose the pre-shared key. In which case, the system administrator must provide us with the key.
13) We should click on the button [ OK ] to close this dialog. Then [ OK ] again to close the whole dialog window for the VPN connection properties. We now have our VPN connection with the appropriate settings. Now we can try to connect.
14) We will open the connection, entering the username and password. The VPN connection will initiate the connection process.
15) After a short while (depending on the quality of your link) we should be connected to the remote network.
16) We will now open the Network and Sharing Center and see that there are 2 active connections. We can click on the VPN connection. We will see the parameters in the new window. We should click the tab Details.
Here we can see all parameters of the VPN connection. Some interesting parameters are authentication and encryption algorithms, internal IP address of the client and so on.
Now when you see how easy it is to setup this connection, you should consider replacing those old PPTP VPNs with a modern and stronger L2TP/IPSec VPN tunnel. The most vulnerable part here can be the IPSec pre-shared key, as all users on your system must share the same key.
The key should be very complex. However, if you need to share it with other people and give it to them in clear text, then sooner or later the secret key will be leaked. If you’re administering the VPN system, you should configure all of this for your users or customer.
You can consider the idea of additional protection through the certificates, but this is another story to tell. Stay tuned.