4

The Windows 2008 R2 (SBS) machine was earlier setup to run a PPTP VPN server. Due to security concerns I do want to replace the PPTP by L2TP/IPsec VPN server.

The server is behind a NAT router where 3 forward rules to the Windows Server are created:

  1. protocol 50 (ESP)
  2. port UDP 500 (IKE)
  3. port UDP 4500 (NAT traversal)

I am at the point where I can see the packets arriving at the Windows Server and being blocked by the Windows Firewall Filtering. The Windows Event viewer shows entries with Event ID 5152 (The Windows Filtering Platform blocked a packet.) for target port 500 and protocol 17 (UDP).

What additional steps need to be taken to get the L2TP-VPN-Server up and running on Windows Server 2008 R2 for Mac OS X clients?

Pro Backup
  • 914
  • 4
  • 15
  • 33

1 Answers1

8

1. Check L2TP ports existence

First check whether there are actually L2TP port configured in Routing and Remote Access (RRAS).

  • Click Start, click Administrative Tools, and then click Routing and Remote Access.
  • Expand your server, and then expand ports.
  • In case there are no entries for WAN Miniport (L2TP)..., add them by right clicking ports.

2. Check RAS pre-shared key

Make sure that a RAS pre-shared key is configured. Checking the RAS pre-shared key security is also done in Routing and Remote Access MMC.

  • Open the properties of your server via the server its context menu (right clicking on your server name).
  • Then open tab security.
  • Check the box "Allow custom IPsec policy for L2TP connection".
  • And fill in a Pre-shared Key.

3. Add Windows Firewall rules

Strangely Windows 2008 R2 contains default Windows Firewall rules in the Routing and RAS (RRAS) group for L2TP (UDP 1701 twice) and GRE (for PPTP) thought Microsoft has forgotten (?) to create default firewall rules for ESP, IKE and NAT-T. As these Windows Firewall rules are missing, you have to create those yourselves.

  • Click Start, click Administrative Tools, and then click Windows Firewall with advanced security.
  • In the left pane right click Rules for incoming connections, and then choose New rule from the menu
  • For UDP 500 and 4500 the Port based Rule type can be chosen, for ESP (protocol 50) choose Custom to create that rule.
Pro Backup
  • 914
  • 4
  • 15
  • 33
  • Thank you! this is the part i kept missing: "Microsoft has forgotten (?) to create default firewall rules for ESP, IKE and NAT-T. As these Windows Firewall rules are missing, you have to create those yourselves.... For UDP 500 and 4500 the Port based Rule type can be chosen, for ESP (protocol 50) choose Custom to create that rule." – Tim Penner Oct 06 '16 at 17:59