Downloads and Guides: Install L2TP Native VPN for Windows XP
The OIT Central VPN service is now able to make use of native clients to connect to the VPN. There are several advantages in that they look and feel like a traditional dialup operation, where client configurations can be created, distributed and maintained by Active Directory SMS/SCCM. The disadvantages are that the clients follow whatever Microsoft does to change the Windows experience.
The general IPsec and SSL clients can use a load balancing mechanism that is integral to the VPN service. However, the L2TP/IPsec service cannot make use of that load balancing mechanism, so it will use the round robin properties of multiple address records to choose which appliance of the VPN cluster will service the client. It is not a great load balancer, but is an easy first order approximation.
A good, easy-reading document on L2TP is provided by Wikipedia.
In order to get L2TP services through a local policy control point (software firewall or NAT), you need to either have a suitable L2TP pass-thru, or you will need to forward specific ports through the firewall.
- To allow Internet Key Exchange (IKE), open UDP 500.
- To allow IPsec Network Address Translation (NAT-T) open UDP 4500.
- To allow L2TP traffic, open UDP 1701.
The process of installing L2TP consists of three parts:
- Create the adaptor and defining the terminating of the VPN tunnel
- Define attributes specific to the OIT Central VPN service, namely an L2TP tunnel over an IPsec transport
- Test the new adaptor and connect to the VPN
Create the Adaptor
In the first part of the installation process, you will create the adaptor and point the tunnel to the VPN concentrator name.
- Click the Start button and then select Control Panel > Network and Internet > Connect to a Network.
- Select Virtual Private Network connection and click Next.
- in the Company name field, enter "UMN L2TP-IPSec Native." Click Next.
- In the Internet Address field, enter the Host Name "nct.vpn.umn.edu" or the IP address. Click
- . ("nct" stands for native client termination).
- Click to select the box next to Add a shortcut to this connection to my desktop and⁄or click Finish. (This step is optional.)
Define L2TP⁄IPsec Attributes
In the second part of the process, you will define the attributes that are specific to the OIT Central VPN service. You will set the transport to L2TP over IPsec and set the preshared key.
- Select the Security tab.
- Click the IPSec Settings button.
- Enter the pre-shared key "S3cur1ty!" and click OK.
- Select the Networking tab.
- Click the Type of VPN pull-down menu and select L2TP IPSec VPN. Click OK.
Note: There is no need at this point to customize the IPv4 network properties. The DNS default domain and DNS name servers will be provided through the IPSec Tunnel by the VPN concentrator.
Test Your VPN Connection
You are now ready to test your connection.
- Navigate back to Connect to a network: Select Start > Control Panels > Network and Internet > Network Connections or Start > Connect to UofM L2TP-IPSec Native.
- Enter your UofM Internet ID and password
- Click Connect. Once you have successfully connected to the UofM VPN, the dialog box will disappear.
Tip: If you did not successfully connect to the VPN, verify that you have an active Internet connection. You can view connection details via the Network Connections control panel or from the Network icon located on the right hand side of the taskbar in the system tray. Right-click UMN L2TP-IPSec Native > Status.