L2TP Client: Windows: Difference between revisions

From AAISP Support Site
(21 intermediate revisions by 2 users not shown)
Latest revision as of 07:57, 6 July 2023

Windows 10

Windows 10 has a built-in L2TP client. A couple of extra bits may be needed to get it working once you've set up the initial connection; the two extra steps below cover IPsec and CHAP.

Initial connection setup

  1. Start
  2. Settings (cog icon)
  3. Network & Internet
  4. VPN (link on left panel)
  5. Add a VPN connection, with these details:
    • VPN provider: Windows (built-in)
    • Connection name: AAISP L2TP
    • Server name or address: l2tp.aa.net.uk
    • VPN type: L2TP/IPsec with certificate (IPsec is turned off in a later step)
    • User name: your xxx@a.x username
    • Password: your password
  6. Click Save

You should then be able to connect and disconnect via the Network icon in the taskbar.

However, the following two steps may be needed too:

Enable CHAP

Once the connection has been created, ensure CHAP authentication is enabled:

  1. Open Network and Sharing Centre
  2. Click Change adapter settings
  3. Find the L2TP connection, it will have whatever name you gave it
  4. Right click the connection and choose Properties
  5. Go to the Security Tab
  6. Find the 'Authentication' section
  7. Select the 'Allow these protocols' radio button
  8. Ensure 'Challenge Handshake Authentication Protocol (CHAP)' is checked.

Disable IPsec

The A&A L2TP service does not support IPsec, so it has to be turned off on the Windows side. Two things to be aware of before doing so: the resulting tunnel is not encrypted (CHAP keeps your password out of the packets, but the PPP traffic inside the L2TP session crosses your existing connection in the clear, so treat it like any other plain Internet path), and the ProhibitIpSec value below is machine-wide, so it disables IPsec for every L2TP connection this PC makes, not just this one. Set it back to 0 and restart RasMan if you later need an L2TP/IPsec VPN to somewhere else.

Windows 10 is very keen on using IPsec with L2TP. To turn this off, in an Administrator Command Prompt (click Start, type cmd, press Ctrl-Shift-Enter) run:

SC STOP RASMAN
REM you may have to wait a bit for this to stop: re-run SC QUERY until STATE shows STOPPED
SC QUERY RASMAN
REG ADD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters /v ProhibitIpSec /t REG_DWORD /d 1 /f
SC START RASMAN
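
The whole Windows 10 procedure above (create the connection, allow CHAP, disable IPsec) can also be done from an elevated PowerShell window instead of clicking through the UI. The script below is an added example written for this page, not something A&A publishes. It uses the connection name and server from the steps above, assumes the VpnClient PowerShell module that ships with Windows 8 and later, and prompts for the username rather than hard-coding it.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not A&A's own script).
# Assumptions: connection name 'AAISP L2TP' and server l2tp.aa.net.uk as in
# the steps above; the A&A username is prompted for, nothing is hard-coded.

$Name         = 'AAISP L2TP'
$Server       = 'l2tp.aa.net.uk'
$RasManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

# 1. The connection itself: L2TP, PPP CHAP authentication, and 'Optional'
#    encryption so Windows still connects when no encryption is negotiated.
#    (Same settings as the UI steps: Security tab -> Allow these protocols -> CHAP.)
$vpnArgs = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = 'L2tp'
    AuthenticationMethod = 'Chap'
    EncryptionLevel      = 'Optional'
    RememberCredential   = $true
    Force                = $true
}
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Set-VpnConnection @vpnArgs
} else {
    Add-VpnConnection @vpnArgs
}

# 2. ProhibitIpSec, the PowerShell equivalent of the SC/REG commands above.
#    This is a machine-wide RasMan setting: it affects every L2TP connection on
#    this PC, not just this one. RasMan has to be restarted for it to apply.
Stop-Service -Name RasMan -Force
(Get-Service -Name RasMan).WaitForStatus('Stopped', (New-TimeSpan -Seconds 30))
New-ItemProperty -Path $RasManParams -Name ProhibitIpSec -PropertyType DWord -Value 1 -Force | Out-Null
Start-Service -Name RasMan

# 3. Show what we ended up with before dialling.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
Get-ItemProperty -Path $RasManParams -Name ProhibitIpSec | Select-Object ProhibitIpSec

# 4. Dial. Giving rasdial '*' as the password makes it prompt, so the password
#    never appears on the command line or in the shell history.
$User = Read-Host 'A&A L2TP username (xxx@a.x)'
rasdial $Name $User *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# To drop the tunnel again:  rasdial $Name /disconnect
```

The checks in step 3 are the ones worth keeping: if AuthenticationMethod does not list Chap or ProhibitIpSec is not 1, the connection will fail in exactly the ways the two manual steps above are there to fix.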


Split tunnel routing

This is more of an advanced topic, and if you're looking in to this then you probably know what you're doing already!

It's possible to only send certain traffic over the L2TP and send the rest of your traffic over your normal internet connection.

You can do this by disabling the option to use the default gateway of the L2TP. This is the 'Use default gateway on remote network' setting in the TCP/IPv4 properties of the L2TP connection's adapter:

  1. Start
  2. Settings (cog icon)
  3. Network & Internet
  4. VPN (link on left panel)
  5. Change adapter options (under Related settings)
  6. Right-click the L2TP connection (AAISP L2TP, or whatever you named it), click Properties
  7. Networking tab
  8. Double-click 'Internet Protocol Version 4 (TCP/IPv4)'
  9. Advanced
  10. Untick 'Use default gateway on remote network'

You can then route specific traffic over the L2TP. For example, if you only want to send 81.187.30.81/32 over the L2TP, use this PowerShell command (with whatever name you gave the connection):

Add-VpnConnectionRoute -ConnectionName "AAISP L2TP" -DestinationPrefix "81.187.30.81/32" -PassThru

You can then go to http://ip4.help.me.uk (which is hosted on that IP) and it will show your L2TP IP address.
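
As an added example (again not A&A's own), here is the split-tunnel setup as PowerShell, including the checks worth doing afterwards: that the default route still belongs to your normal connection, that only the chosen prefixes point at the VPN interface, and what address the far end sees. It assumes the connection is called AAISP L2TP and has already been created as above, with credentials saved; the $Prefixes list is just the page's /32, which you can extend.

```powershell
# Added example for this page (not A&A's own script).
# Assumptions: the connection 'AAISP L2TP' already exists with saved credentials;
# $Prefixes is the page's example /32, extend it with whatever you want tunnelled.

$Name     = 'AAISP L2TP'
$Prefixes = @('81.187.30.81/32')

# Equivalent of unticking 'Use default gateway on remote network': with split
# tunnelling on, Windows adds no default route via the VPN, only the routes below.
Set-VpnConnection -Name $Name -SplitTunneling $true

foreach ($p in $Prefixes) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $p -PassThru
}

# Dial if not already up (uses the saved credentials).
if ((Get-VpnConnection -Name $Name).ConnectionStatus -ne 'Connected') {
    rasdial $Name
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }
}

# Check 1: the IPv4 default route must still be on your normal interface, not the VPN.
Write-Host '--- default routes ---'
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric

# Check 2: each chosen prefix should show the VPN connection as its InterfaceAlias.
Write-Host '--- tunnelled prefixes ---'
foreach ($p in $Prefixes) {
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $p -ErrorAction SilentlyContinue |
        Select-Object DestinationPrefix, InterfaceAlias, NextHop
}

# Check 3: the page's test host is inside the first prefix, so the address it
# reports should be your L2TP address, while any other site sees your usual one.
Write-Host '--- address seen by ip4.help.me.uk ---'
(Invoke-WebRequest -Uri 'http://ip4.help.me.uk' -UseBasicParsing -TimeoutSec 10).Content
```

If check 2 shows the prefix on your normal interface rather than on the VPN, the route was added but the connection was not up when it was applied; disconnect and redial and Windows installs the connection's routes when it comes up.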

Windows 7

(Upgrade to Windows 10, or later!)

This probably applies to Windows 8 too.

Connecting with Windows 7 is almost the same as the steps for Windows 10 above, except that the default connection settings don't work. You have to edit the connection properties and on the Security tab change:

  1. 'Type of VPN:' to 'Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)' otherwise it only tries PPTP
  2. 'Data encryption:' to 'Optional encryption (connect even if no encryption)'


Watch out if you are using IPv6. It seems that Win7 negotiates a non-routable IPv6 address with the LNS. You have to discard this address and manually configure one of your routed IPv6 addresses. ipconfig /release6 is your friend here.