The Best L2TP Windows VPN setup for 2016 and 2019- Client, Server and FW instructions

  • Published 18 Oct 2024

COMMENTS • 115

  • @МакарНагульнов
    @МакарНагульнов 3 years ago +1

    It is such a pleasure to listen to you. I can do it for hours. The Internet finally paid back with the ability to listen to your lectures. Thank you, great professor!

    • @techpub
      @techpub 3 years ago

      Wow, thank you

  • @bicivelo
    @bicivelo 3 years ago +1

    Just tried this again on a 2019 server and it worked like a charm! I really appreciated the little details like the arp and netstat commands. Very useful. Thanks again!!

    • @techpub
      @techpub 3 years ago +1

      You're welcome!

  • @thomascarroll1916
    @thomascarroll1916 3 years ago +2

    On your previous L2TP video for Windows 2012, the registry entry on the server was AssumeUDPEncapsulationContextOnSendRule. In this video you have AssumeUDPEncapsulationOnSendRule for the server. Later on when creating the registry entry on the client, you use AssumeUDPEncapsulationContextOnSendRule. I'm pretty sure they should all be AssumeUDPEncapsulationContextOnSendRule.

    • @techpub
      @techpub 3 years ago

      The way I used them in each video worked so I wouldn't change anything.

    • @sirmixcomps
      @sirmixcomps 7 months ago

      Does it work without Context?

  • @adilaljawahiri9616
    @adilaljawahiri9616 3 years ago

    Thanks! This worked. I've got DDNS set up on my Unifi UDM Pro, so I just used the hostname (as I don't have a static public IP). Then I port forwarded 1701, 4500 and 500 in the Port Forwarding section on Unifi. Your guide was a great help! The only other thing I did was create another network policy and add a security group, so that only users in that group have VPN access.

  • @supremerulah420
    @supremerulah420 4 years ago

    Thanks Rob. I haven't received a notification in a while. I was delighted to get this one.

    • @techpub
      @techpub 4 years ago

      Thanks for watching.

  • @bicivelo
    @bicivelo 3 years ago

    The 2012 video was awesome! I used it for Server 2016 and it worked as well. THANKS!!!

    • @techpub
      @techpub 3 years ago

      Great to hear!

  • @winshawkhong9247
    @winshawkhong9247 5 months ago

    Installed the 2012R2 installation recently. The L2TP VPN server worked perfectly! Then I proceeded to install Server 2016 and followed all the steps as shown. On the part where we checked for open ports via netstat, only UDP ports 500 and 4500 were listed. Strange, UDP port 1701 was missing. To get the server to work, I manually opened UDP port 1701 via the Windows Firewall.

    • @techpub
      @techpub 5 months ago

      Good troubleshooting. Thanks for watching!

  • @BritTheElder
    @BritTheElder 3 years ago +1

    Really glad I found your videos on this subject. Works perfectly on a Windows 10 PC. One question, will it work for a Mac?

    • @techpub
      @techpub 3 years ago +1

      Yes, it will also work on Android and iPhone.

  • @MichaelP0418
    @MichaelP0418 2 years ago

    Great write up Robert. Worked like a charm. Just wondering, do you have any info in relation to setting up RADIUS servers?

    • @techpub
      @techpub 2 years ago

      I do have a couple of RADIUS videos on the channel, but they are wireless related. It should be the same procedure except you choose the other option instead of Wi-Fi when you launch NPS the first time. Thanks for watching!

    • @MichaelP0418
      @MichaelP0418 1 year ago

      @@techpub that's cool, thanks. One last question - do you have anything pertaining to a web application proxy, and how to implement that with the L2TP VPN server setup that you demonstrated in this video?

  • @kostaschatzoudis7728
    @kostaschatzoudis7728 4 years ago +1

    Thank you for the video.
    Everything works fine when I'm connecting using the internal IP address of the server.
    However, when I try to connect with the external IP address I get the error:
    "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with remote computer."
    Does this mean I've screwed up the port forwarding?

    • @techpub
      @techpub 4 years ago +1

      Check out this article and look at the very bottom solution: community.sophos.com/xg-firewall/f/discussions/96945/vpn-l2tp-issue-with-windows-10#:~:text=The%20error%20message%3A%20%22The%20L2TP,fails%20for%20L2TP%2FIPSec%20connections.

    • @kostaschatzoudis7728
      @kostaschatzoudis7728 3 years ago

      @@techpub Thanks a lot. Turns out it was the router blocking the connection. I got a new router and everything seems to work.

  • @gojeda
    @gojeda 2 years ago

    Good video, thank you for that. Unfortunately I couldn't get it going, and I believe the issue is with Xfinity's penchant for breaking VPNs. I tried, remotely, PPTP and L2TP. Neither connects.
    I have Server 2016 sitting behind an Xfinity box. My workstation, on the LAN locally to Server 2016, can connect to it just fine. Remotely, from my laptop (Win 10), it does not connect, telling me, "A connection to the remote computer could not be established. You might need to change the network settings for this connection."
    For giggles, I momentarily placed Server 2016 in the DMZ, and my remote laptop still could not connect to it. It gives me the same error above.
    When I get back home, I will test the laptop on the LAN to see if it fails. My only options at this point, it seems, are to put the Xfinity box into bridge mode and buy my own router, or switch to something like AT&T fiber.
    Any other pointers, professor?

    • @techpub
      @techpub 2 years ago

      Thanks for watching. Yes, Comcast home will block this in some locations. You can call them and ask them to remove the filter. Sometimes that works.

  • @rubengrigoryan8141
    @rubengrigoryan8141 3 years ago

    Thank you Robert. Very nice tutorial. I followed it and successfully built a VPN server. Only having ping/remote issues to the Win10. Can ping only the AD and firewall. All other devices are not pingable. Any suggestions? Maybe the VPN server is blocking ICMP?

    • @techpub
      @techpub 3 years ago

      Only the DC has ping opened up. Try this video to fix it: ua-cam.com/video/2KigsB91w7s/v-deo.html

  • @naveeshgupta
    @naveeshgupta 2 years ago

    Hi, I got connected within the network but not outside the network. It is giving me this error: "the L2TP connection attempt failed because processing error during initial negotiation with the remote computer". Please help.

    • @techpub
      @techpub 2 years ago

      Definitely a firewall issue on your border firewall. You may need to contact the vendor to ensure the ports are properly opened, or use Wireshark to confirm.

  • @EddieRStevens
    @EddieRStevens 3 years ago

    Worked great! Thanks! Do you have a video, or can you recommend a resource, for setting this up using a certificate rather than a preshared key?

    • @techpub
      @techpub 3 years ago

      I don't have it but I do plan on making one.

    • @aurimuuuks
      @aurimuuuks 3 years ago

      @@techpub Maybe you managed to make some instructions for L2TP/IPsec with certificates?

  • @Hubukai
    @Hubukai 3 years ago

    Very clear tutorial. Thanks for the time you put into it.

    • @techpub
      @techpub 3 years ago

      Glad it was helpful!

  • @user-ul7dn8tb4v
    @user-ul7dn8tb4v 3 years ago

    Thanks so much! But please, would it be possible to make a video on setting up an IKEv2 VPN server for Windows Server 2019?

    • @techpub
      @techpub 3 years ago

      Yes, I will add it to the list.

  • @erfanziaee5904
    @erfanziaee5904 3 years ago

    Hello, how are you today?
    I watched your instructions and it worked in the local network, but I could not get connected from the outside... I have a MikroTik router and I opened the ports for L2TP to my server IP... but it did not work. Could you tell me the possible solutions?

    • @techpub
      @techpub 3 years ago

      I haven't used that type of firewall before. You may have to check out their support site.

  • @ndwigz
    @ndwigz 3 years ago

    Hi Rob. Great video, I followed your steps and it worked fine. Now I want to change settings using Server Manager remotely. Can I access Server Manager as well?

    • @techpub
      @techpub 3 years ago +1

      You can do that by using Remote Desktop into a server or using Windows Admin Center. I have videos for both of these on my channel if you do a search.

    • @sidewickx
      @sidewickx 3 years ago

      @@techpub I am trying to set up remote access on a VPN to connect to a Windows server at work from my home network. Will this work for me when I change to VPN install?

  • @israeljordan3437
    @israeljordan3437 4 years ago

    Hi Rob. Thanks a lot for your videos! I was able to connect from inside the network but not from outside. My environment has Server 2019 Essentials and Windows 10 clients. I followed all of your steps in this video. What should I do to troubleshoot?

    • @techpub
      @techpub 4 years ago

      If it works internally then it would be the firewall to your ISP that needs to be edited.

    • @israeljordan3437
      @israeljordan3437 4 years ago

      @@techpub I thought setting up port forwarding to the RAS IP address for ports 500, 4500 and 1701 was what I needed to do. I have also opened all of those ports on the RAS Windows firewall. I have also run netstat -ab, netsh firewall show state and netstat -ano | findstr -i SYN_SENT to find not closed ports client side. Am I missing something?

    • @israeljordan3437
      @israeljordan3437 4 years ago

      @@techpub Update... I have double checked that port forwarding is enabled for UDP ports 500, 1701 and 4500 on my router and in my anti-virus software. I have also made sure those ports are open in my RRAS.

    • @israeljordan3437
      @israeljordan3437 4 years ago

      @@techpub continued... I also used Wireshark on the RRAS and I can see traffic between host and client... what else do you suggest?

    • @israeljordan3437
      @israeljordan3437 4 years ago

      @@techpub The network connection between your computer and the server could not be established because the remote server is not responding.

  • @antoniorodrigues8495
    @antoniorodrigues8495 3 years ago

    Hello Sir, I saw this video and it's pretty cool to understand. I have set up the VPN server using PPTP and it works perfectly even when outside the internal LAN. I'll now try to set up this L2TP VPN. I have a doubt! Currently I added the DHCP Relay Agent protocol in the Routing & Remote Access console and the properties are set with the DHCP server's IP. Is this necessary? And also I configured the VPN service using the first option called (Remote Access {dial-up or VPN}) that allowed me to choose the network adapter for WAN traffic, but in your case you have chosen Custom Configuration, which did not prompt to choose the network adapter for outside communication. Please suggest if I need to revert my settings and apply the same settings as yours. Thanks.

    • @techpub
      @techpub 3 years ago +1

      I did that because my computer was behind a firewall. If your computer has 2 networks where one is directly on the internet then you did it correctly.

    • @antoniorodrigues8495
      @antoniorodrigues8495 3 years ago

      @@techpub Thank you Sir, I'll try setting it up.

  • @Martin-ot7xj
    @Martin-ot7xj 2 years ago

    Hi there, how to convert the IP address to the hostname of the VPN server??? For example, I want to install a VPN server but I don't want to give the VPN server IP address to the clients; I want to give them a dynamic hostname instead of an IP address. How can I do that? Thnx

    • @techpub
      @techpub 1 year ago

      Thanks for watching. That won't be possible. They have to have an IP.

    • @Martin-ot7xj
      @Martin-ot7xj 1 year ago

      @@techpub hi, it's possible. I have a hostname instead of an IP on my server, but I don't know how the company converts the hostname to an IP address. For example, for SSTP VPN we need a hostname instead of an IP.

  • @mwashington87
    @mwashington87 3 years ago

    It's great, thank you! I always config PPTP or SSTP; PPTP is NOT secure but is practical, and SSTP is secure and more complicated, so now I will try L2TP (between PPTP and SSTP).

    • @techpub
      @techpub 3 years ago

      Glad it helped!

  • @MrAc3zz
    @MrAc3zz 3 years ago

    Thank you for the video. I was able to connect locally via my client computer; however, when I attempt to connect externally it doesn't seem to work. I am using a Comcast gateway, forwarding ports 1701, 500, and 4500 to the destination server. Any tips?

    • @techpub
      @techpub 3 years ago +1

      I believe you're running into the Comcast firewall. They block those ports. Sometimes you can get them to remove them but usually only the business clients get that.

    • @MrAc3zz
      @MrAc3zz 3 years ago +1

      @@techpub sir, you were right on the money. I put the Comcast modem into bridge mode and configured the port forwarding on a Netgear Nighthawk router. Works like a charm. Thanks again for the video.

  • @jermaineguy589
    @jermaineguy589 3 years ago

    My network is set up like this. I have an ISP router/modem which is connected to my Cisco router and then to my Cisco switch. My Cisco router is the DHCP server for my local area network. On the Cisco router, I have NAT set up so my end devices are able to get internet. I followed your instructions and am able to VPN locally, but outside the network I am not able to. I know you said to enable port forwarding on the ISP modem, but should I enable port forwarding for all the UDP ports, 1701, 500, 4500? Or should I enable it on the Cisco router? On my Cisco router my access-list permits all, so I'm not sure why it is not allowing it?

    • @ndwigz
      @ndwigz 3 years ago

      I have a similar set up. You still need to enable port forwarding on the Cisco router

    • @techpub
      @techpub 3 years ago

      Don't need to do it on the ISP modem; however, if you use a home ISP then it's likely the ISP is blocking it. I can only get it to work with business class internet.

    • @jermaineguy589
      @jermaineguy589 3 years ago

      @@techpub Thank you

  • @cristianmargarit3363
    @cristianmargarit3363 3 years ago

    Hello Robert, thanks for the video, quite helpful. I tried to use the VPN from the outside, but it didn't work. The ports are open on my router. I notice small differences between REGISTRY KEYS: "AssumeUDPEncapsulationContextOnSendRule" >> with and without "Context". Is that ok?

    • @techpub
      @techpub 3 years ago

      It's probably not the registry. I would check that the ports are actually open using nmap from the outside.

    • @cristianmargarit3363
      @cristianmargarit3363 3 years ago

      @@techpub Finally I managed to make it work, but on another machine (VM). The first one is an AD and is hosting some web sites, email server, etc. When the Remote works the web sites aren't accessible from outside. Most likely there are some conflicts. Thank you for your message and for all the material that you are posting on YouTube.

  • @tashtsagouris7848
    @tashtsagouris7848 3 years ago

    Hello Sir, thank you for this great video. I have set up a couple of servers using this video. I have one server that works with no issues using a Bell internet service provider. I have another that has a strange problem. After setting the server up, I can see the ports open, and I edit the registry on both the server and the computers connecting to this server. I can VPN in on a local system. The issue is that when logging in from outside the network, I can easily log in with a service provider called Bell. Still, when trying with a different service provider, Rogers/Cogeco, I get the error "The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiation with the remote server." Or I get an error "The network connection between your computer and the VPN server could not establish because the remote server is not responding. This could be because one of the network devices (e.g., Firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections." Rogers and Cogeco use either an Arris modem/router or a Hitron modem/router. I have troubleshot many options with suggestions from the internet with no resolution. I am hoping maybe you or someone here can give a helping hand.

    • @tashtsagouris7848
      @tashtsagouris7848 3 years ago +1

      I was able to resolve this issue by changing the first registry entry that was mentioned in the video from AssumeUDPEncapsulationOnSendRule =2 to AssumeUDPEncapsulationContextOnSendRule =2. I had to add Context to the string.

    • @techpub
      @techpub 3 years ago

      Very good!

  • @almoraz4301
    @almoraz4301 4 years ago

    @Robert McMillen great tutorial. How can I go about setting up port forwarding to my internal address on a Cisco router?

    • @techpub
      @techpub 4 years ago

      It depends on the version you have and if you have the firewall package installed. Here's how to do it on a Cisco ASA firewall, which would be similar. ua-cam.com/video/ixoDGchuhG4/v-deo.html

    • @almoraz4301
      @almoraz4301 4 years ago

      @@techpub thanks for replying. I opened the ports using a Sophos firewall but only have communication on port 500 despite port forwarding on all 3 ports. When I check the server it shows all ports are there:
      UDP 0.0.0.0:123 *:*
      UDP 0.0.0.0:389 *:*
      UDP 0.0.0.0:500 *:*
      UDP 0.0.0.0:1701 *:*
      UDP 0.0.0.0:3389 *:*
      UDP 0.0.0.0:3702 *:*
      UDP 0.0.0.0:3702 *:*
      UDP 0.0.0.0:4500 *:*

  • @PhillipOReilly
    @PhillipOReilly 3 years ago

    Thanks for the video, quite helpful.
    You mentioned a NAT rule for return traffic, but I could not follow how to set that up exactly.
    The Windows server I set up with L2TP sits behind a Mikrotik router. The server's LAN side address is 192.10.0.100. I can access the VPN from the LAN side.
    It appears the client can contact the server but is getting no response. Any thoughts?
    Thanks.

    • @techpub
      @techpub 3 years ago +1

      I suggest using Zenmap from the outside to make sure all the expected UDP ports are responding. I'm thinking that something is missing there.

  • @YG-cr6el
    @YG-cr6el 3 years ago

    Great tutorial. Though, I couldn't figure out how to find the NAT IP address without a Cisco ASA (don't have that one)...

    • @techpub
      @techpub 3 years ago

      Find out the model and you should be able to find a tutorial on that on YT or from the vendor. Thanks for watching.

  • @tmandrake1
    @tmandrake1 3 years ago

    Thanks Rob,
    My Internet uses NAT, how do I connect using L2TP with IPsec?

    • @techpub
      @techpub 3 years ago

      This video shows using NAT as well so it should be the same or similar.

  • @lionelmasoane391
    @lionelmasoane391 2 years ago

    Brilliant video, thank you.

    • @techpub
      @techpub 2 years ago

      Glad it was helpful!

  • @Tfm426
    @Tfm426 3 years ago

    I installed this on Server 2019. When I run netstat, 1701 does not show. I tried running it 3 times, always the same. Any ideas?

    • @techpub
      @techpub 3 years ago

      It should be TCP 1723 and not 1701.

  • @sidewickx
    @sidewickx 3 years ago

    Within my network it's all good, but when I am outside trying to connect through my public IP I am getting this error: "the l2tp connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

    • @techpub
      @techpub 3 years ago

      That is a firewall issue on the gateway. Run an Nmap scan from the outside in and see which port is blocked.

    • @sidewickx
      @sidewickx 3 years ago

      @@techpub thanks for getting back to me. Let me run that, will let you know.

    • @sidewickx
      @sidewickx 3 years ago

      @@techpub hey Rob. I ran an Nmap scan; the port that is closed is port 113/tcp. This shouldn't give me a problem since this port should always be closed, right... for its vulnerability to attacks. The thing that is also so weird is that with FortiClient, when I am outside, I can access my router. The problem I am having is connecting to my servers 🥲. This has been giving me headaches for some months now.

  • @samuelmiller1691
    @samuelmiller1691 2 years ago

    Does this work for VPN connections coming from a non-domain joined PC?

    • @techpub
      @techpub 2 years ago

      Yes, but you'll need an internal DNS server statically set on the VPN connection for you to resolve names.

    • @samuelmiller1691
      @samuelmiller1691 2 years ago

      @@techpub Thank you, I had to implement this last week for work. Internal DNS was the answer, so thank you for this.

  • @estebangimenezgobello9992
    @estebangimenezgobello9992 4 years ago

    Thanks a lot Robert!! =) You really helped me

    • @techpub
      @techpub 4 years ago

      Happy to help!

  • @micheledimauro1282
    @micheledimauro1282 4 years ago

    Is the registry key necessary? It is hard to do that for all smart-working users!

    • @techpub
      @techpub 4 years ago

      Only if using Windows devices for VPN.

  • @logicawe
    @logicawe 4 years ago

    Great content 👍, thanks for sharing.

    • @techpub
      @techpub 4 years ago +1

      Thanks for watching!

  • @samirehman5907
    @samirehman5907 3 years ago

    Can we do the same process on an AD DS server? And how do we create a member server?

    • @techpub
      @techpub 3 years ago

      Yes, you can put it on a domain controller if you want. A member server is just a Windows server you joined to the domain.

  • @md.raishulislam8870
    @md.raishulislam8870 3 years ago

    Thanks a lot Bob. By the way, others: create a text file, add the following EXACTLY to that file, save it as .reg, and execute that file by double-clicking on it:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
    "AssumeUDPEncapsulationContextOnSendRule"=hex(b):02,00,00,00,00,00,00,00

    • @techpub
      @techpub 3 years ago

      Great tip. I will check it out.
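The .reg file in the comment above, and the earlier thread where adding "Context" to the value name fixed the connection, both come down to one exact value name plus the three UDP ports the comments keep port-forwarding (500, 4500, 1701). The PowerShell script below is an added example, not code from the video or from any commenter: it checks the value name and data, flags the shorter name without "Context", and on the RRAS server confirms the three ports are bound and allowed by an enabled inbound firewall rule. The function and variable names are my own.

```powershell
# Added example (not from the video or the comments). Run from an elevated
# PowerShell prompt. The registry check applies to both client and RRAS server;
# the listener and firewall checks only mean something on the RRAS server itself.

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$GoodName = 'AssumeUDPEncapsulationContextOnSendRule'
$TypoName = 'AssumeUDPEncapsulationOnSendRule'   # the shorter variant discussed in the thread
$UdpPorts = 500, 4500, 1701                     # IKE, NAT-T, L2TP

function Test-NatTraversalKey {
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$TypoName -and $null -eq $props.$GoodName) {
        Write-Warning "Found '$TypoName' but not '$GoodName'; Windows ignores the shorter name."
        return $false
    }
    if ($null -eq $props -or $props.$GoodName -ne 2) {
        Write-Warning "'$GoodName' is missing or not set to 2."
        return $false
    }
    Write-Host "OK: $GoodName = 2"
    return $true
}

function Repair-NatTraversalKey {
    # Writes the value Microsoft documents (REG_DWORD 2). The .reg file in the
    # comment above stores the same number as a 64-bit value; either form reads back as 2.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $GoodName -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Host "Wrote $GoodName = 2; reboot before testing the VPN again."
}

function Test-L2tpUdpListeners {
    # Same information as 'netstat -ano' in the thread, filtered to the three VPN ports.
    $bound = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort
    $ok = $true
    foreach ($port in $UdpPorts) {
        if ($bound -contains $port) { Write-Host "OK: UDP $port is bound" }
        else { Write-Warning "UDP $port is not bound (RRAS not started, or L2TP port not enabled)"; $ok = $false }
    }
    return $ok
}

function Test-L2tpFirewallRules {
    # Looks for an enabled inbound Allow rule that names each UDP port explicitly.
    # Rules whose LocalPort is 'Any' are not matched, so review those by hand.
    $ok = $true
    foreach ($port in $UdpPorts) {
        $rules = Get-NetFirewallPortFilter -Protocol UDP -LocalPort $port |
                 Get-NetFirewallRule |
                 Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        if ($rules) { Write-Host "OK: UDP $port allowed by: $($rules.DisplayName -join ', ')" }
        else { Write-Warning "No enabled inbound Allow rule for UDP $port"; $ok = $false }
    }
    return $ok
}

$registryOk = Test-NatTraversalKey
# Uncomment the next line to apply the fix when the check fails:
# if (-not $registryOk) { Repair-NatTraversalKey }
Test-L2tpUdpListeners  | Out-Null
Test-L2tpFirewallRules | Out-Null
```

A missing UDP 1701 listener matches what one commenter saw on Server 2016; the firewall check separates that case from a listening port that is merely blocked.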

  • @yassineboudhma5003
    @yassineboudhma5003 3 years ago

    Do I have to open those ports on a home router?

    • @techpub
      @techpub 3 years ago +1

      That's a tough one. Many home ISPs block these and you'll have to request they remove the block. Sometimes they won't.

  • @jaykellett7693
    @jaykellett7693 4 years ago

    Invaluable! Thank you so much!

    • @techpub
      @techpub 4 years ago

      You're very welcome!

  • @lekinson5840
    @lekinson5840 3 years ago

    Great video! I only wish you made it for certificates, not PSK.

    • @techpub
      @techpub 3 years ago +1

      I'll add it to the list.

    • @lekinson5840
      @lekinson5840 3 years ago

      @@techpub thanks! Still waiting for the video because I'm stuck :(

  • @carlosrg68
    @carlosrg68 1 year ago

    Thank you smart man, worked for me 👍

    • @techpub
      @techpub 1 year ago

      You are welcome! Thanks for watching.