How to set-up an L2TP Tunnel


Paul Hadfield


I'm having trouble setting up a simple L2TP tunnel between a Windows 2000
server (SP4) and a Windows XP Pro client (SP1). The setup is as follows:

The server has 2 NIC's installed connecting it to 2 LANs with the following
IP's: mask mask
No routing occurs (nor is required) between the two separate LANs.

The Windows XP machine has one NIC connected to the second LAN with IP The connection between the server and the XP machine is
through a single 10/100Mb hub and so there are no firewalls/routers in the
middle to conceder. The 2000 server has no other services/software installed
and no filters of any kind have been set-up.

All I am trying to do is configure RRAS on the 2000 server to allow the XP
machine to establish a VPN tunnel to allow it to access the
network. I have managed to do this using a PPTP VPN and everything works
exactly how I want it, however I am unable to get the tunnel to work using
L2TP. I'm not trying to set-up IPSec at this stage, I'll worry about that
later - all I want to do is establish an L2TP tunnel between the XP client
and the 2000 server - even though this would mean that the L2TP tunnel would
not be secure/encrypted.

My question is - what on earth do I need to set-up/configure differently at
the client/server end to allow me to establish an L2TP tunnel. I assumed
that all I would have to do was change the Networking - Type of VPN drop
down menu on the XP client from PPTP VPN to L2TP IPSec VPN, but when I do
this I get Error 741: The local computer does not support the required data
encryption type.

Do I HAVE to set-up IPSec before I can establish an L2TP tunnel? Surely this
has no bearing at all while establishing/negotiating the L2TP tunnel in the
first place?

Many thanks in advance for any help offered.




Paul Hadfield


Thanks for your response.

After disabling IPSec with the registry entry and following the instructions
for setting up a pre-shared key I am no further forward. When I try to
establish the L2TP VPN I get the same error message, while a PPTP VPN works
perfectly. (I don't want to set up a CA as potential future client's
probably won't be MS PC's).

To double check that my pre-shared key policy is correct I omitted the port
1701 in the filter list on both the client and server and then ran
ipsecmon.exe on the 2000 server. This showed traffic between the two
machines was secure.

I don't understand why I need to configure an IPSec policy to allow me to
establish an LT2P tunnel between the XP client and the 2000 server? (To be
honest, at this point I would rather not implement IPSec at all - I just
want to configure and set-up the L2TP tunnel). Does the L2TP tunnel not use
which ever authentication methods I have ticked in the RRAS service and in
the VPN connection properties? They are currently set to allow MS-CHAP and

Many thanks again for your help,


Priya Raghavan [MSFT]

Did you disable IPSec on both the client and the server ? You need to
disable it on both sides, reboot the machines and then send the Pre-Shared
Key while making the L2TP connection. Also, if you again face this error,
please send the logs for further debugging.

As I mentioned earlier, IPSec is not neccesary to make an L2TP connection.
But the requirement is that both the client and the server should agree to
Prohibit IPSec.

To enable logging use this command:

netsh ras set tracing * enable

Logs will be stored in %windir%\tracing



Paul Hadfield

Thanks for you help Priya.

I now have the L2TP VPN working - my problem was that the IP filter between
the client and server were not identical.


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads