Skip to main content

User Manual

Connecting to an L2TP/IPSec VPN server from Windows

Important

If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address and, when using the KeenDNS service, it works in the 'Direct access' mode. If any of these conditions are not met, connecting to such a server from the Internet will be impossible. The exception to this rule is described in the Note section below.

The L2TP/IPSec VPN server on Keenetic can be configured according to the L2TP/IPSec VPN server article.

Below is an example of creating an L2TP/IPSec VPN connection on a Windows 10 computer.

Right-click on the 'Start' button, select 'Network Connections' and on the screen that appears, 'VPN'.

Select 'Add a VPN connection'.

ipsec-windows-01-en.png

Select 'Windows (built-in)' as the VPN service provider in the connection settings. Enter a name for the connection, for example, 'Home segment'. Enter the domain name or IP address of your Keenetic in our example — 'myworknow.keenetic.link'. Select the VPN type — 'L2TP/IPSec with pre-shared key'. Enter the pre-shared key for IPSec that you created and recorded during the configuration of the Keenetic VPN server. Next, enter the username (that is allowed to connect to the VPN) and its password. Click the 'Save' button.

ipsec-windows-02-en.png

To establish a connection, click the 'Connect' button.

ipsec-windows-03-en.png

The connection is established.

ipsec-windows-04-en.png

Tip

If the connection with the server does not establish and crashes, try in the connection properties to allow connection only with protocol MS-CHAP v2:

ipsec-windows-05-en.png

Note

It is possible to connect to a VPN server with a private IP address from the Internet if the parent router has a public IP and port forwarding rule configured for the private address of your Keenetic. L2TP/IPSec requires UDP 500 and UDP 4500 forwarding. Another option is to forward all ports and protocols, which on some routers is called DMZ.

A typical example of such a router is a CDCEthernet modem. It can receive a public address from a mobile operator and assign a private address to the Keenetic router. Port forwarding configuration depends on the modem. Some modems forward all ports without additional configuration; others need to be set up in their web interface. And there are those where port forwarding is not provided at all.

If the forwarding is configured correctly, you can establish a VPN connection to the external public IP address of the router. It will forward it to the Keenetic's private address.

However, in the case of L2TP/IPSec, there is also an exception to this rule. This connection can be quickly established from a smartphone or tablet but will not be possible from a Windows client.

That is a known Windows limitation. In Keenetic's log file, in this case, the connection attempt ends with errors:

ipsec11[IKE] received retransmit of request with ID 0, retransmitting response
ipsec16[IKE] received retransmit of request with ID 0, retransmitting response
ipsec15[IKE] received retransmit of request with ID 0, retransmitting response
ipsec15[JOB] deleting half open IKE_SA with 193.0.174.212 after timeout

Yes, L2TP/IPSec from Windows can only be established if the Keenetic router has a public address. Port forwarding does not help. However, there are other, less finicky VPN types: PPTPSSTP or OpenVPN.

After the forwarding, you can connect from Windows to a server behind the NAT. For PPTP, you need to forward TCP port 1723 and GRE protocol, SSTPTCP 443, and OpenVPN UDP port 1194 by default. However, in the last case, both the protocol and port can be changed as you wish in the OpenVPN configuration.