Last updated: 2020-07-20


L2TP introduction


The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (1701/UDP) datagram.

It does not provide any encryption or confidentiality by itself (which is why plain PPP/L2TP exists as a mode). Rather, it relies on an encryption protocol that it passes within the tunnel to provide privacy (L2TP/IPsec).

LAC (L2TP Access Concentrator)
LNS (L2TP Network Server)

To be useful for networking, higher-level protocols are then run through the L2TP tunnel.

It is common to carry PPP sessions within an L2TP tunnel.

The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel.

* Every L2TP packet is either a control packet or a data packet
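As an added example (not code from the original notes), the following Python parses the L2TPv2 header that sits at the start of every UDP/1701 datagram, tells control packets from data packets by the T bit, and enforces the flag rules RFC 2661 sets for control messages. The sample datagrams (an SCCRQ, a zero-length-body ack, a PPP data frame and a malformed control message), the names parse_l2tp/describe/is_well_formed and the dataclass are my own constructions; nothing here is captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# L2TPv2 (RFC 2661) flag bits in the first 16-bit word of the header.
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present
S_BIT = 0x0800   # Ns/Nr sequence numbers present
O_BIT = 0x0200   # Offset Size field present
P_BIT = 0x0100   # Priority (data messages only)
VER_MASK = 0x000F

MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ", 8: "OCRP",
                 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 16: "WEN"}


@dataclass
class L2TPHeader:
    is_control: bool
    length: Optional[int]
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    payload: bytes   # AVPs for a control message; the tunnelled frame (usually PPP) for a data message


def parse_l2tp(datagram: bytes) -> L2TPHeader:
    """Parse the L2TPv2 header at the start of a UDP/1701 payload."""
    if len(datagram) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack_from("!H", datagram, 0)[0]
    if (flags & VER_MASK) != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VER_MASK))
    is_control = bool(flags & T_BIT)
    # RFC 2661 section 3.1: control messages MUST set L and S and MUST NOT set O or P.
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or flags & (O_BIT | P_BIT)):
        raise ValueError("malformed control message flags 0x%04x" % flags)
    off, length = 2, None
    if flags & L_BIT:
        length = struct.unpack_from("!H", datagram, off)[0]
        off += 2
        if length > len(datagram):
            raise ValueError("L2TP length field exceeds the datagram")
    end = len(datagram) if length is None else length
    if end < off + 4:
        raise ValueError("truncated tunnel/session IDs")
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, off)
    off += 4
    ns = nr = None
    if flags & S_BIT:
        if end < off + 4:
            raise ValueError("truncated sequence numbers")
        ns, nr = struct.unpack_from("!HH", datagram, off)
        off += 4
    if flags & O_BIT:
        if end < off + 2:
            raise ValueError("truncated offset size")
        off += 2 + struct.unpack_from("!H", datagram, off)[0]   # skip Offset Size and its padding
        if off > end:
            raise ValueError("offset padding exceeds the message")
    return L2TPHeader(is_control, length, tunnel_id, session_id, ns, nr, datagram[off:end])


def control_message_type(hdr: L2TPHeader) -> Optional[int]:
    """Message Type AVP value of a control message; None for a zero-length-body (ZLB) ack."""
    if not hdr.is_control:
        raise ValueError("data messages carry no Message Type AVP")
    if not hdr.payload:
        return None
    if len(hdr.payload) < 8:
        raise ValueError("truncated AVP")
    flags_len, vendor, attr = struct.unpack_from("!HHH", hdr.payload, 0)
    # First AVP must be Message Type (vendor 0, attribute 0, 8 bytes) and must not be hidden (H bit).
    if vendor != 0 or attr != 0 or (flags_len & 0x03FF) != 8 or flags_len & 0x4000:
        raise ValueError("first AVP must be an unhidden Message Type AVP")
    return struct.unpack_from("!H", hdr.payload, 6)[0]


def describe(datagram: bytes) -> str:
    """One-line summary of a decoded UDP/1701 datagram."""
    h = parse_l2tp(datagram)
    if h.is_control:
        mt = control_message_type(h)
        name = "ZLB" if mt is None else MESSAGE_TYPES.get(mt, "type %d" % mt)
        return "control %s tunnel=%d session=%d ns=%d nr=%d" % (name, h.tunnel_id, h.session_id, h.ns, h.nr)
    # Without IPsec around it, this tunnelled frame travels in the clear.
    return "data tunnel=%d session=%d %d bytes of tunnelled frame" % (h.tunnel_id, h.session_id, len(h.payload))


def is_well_formed(datagram: bytes) -> bool:
    try:
        parse_l2tp(datagram)
        return True
    except ValueError:
        return False


# Constructed samples (hand-built bytes, not captures).
CONTROL_SCCRQ = bytes.fromhex("c802 0014 0000 0000 0000 0000" "8008 0000 0000 0001")  # T|L|S, Message Type = 1
ZLB_ACK = bytes.fromhex("c802 000c 0001 0000 0002 0001")                               # control message, no AVPs
DATA_PPP = bytes.fromhex("0002 1234 5678 ff03 c021")                                   # data message carrying a PPP LCP frame
BAD_CONTROL = bytes.fromhex("8802 0000 0000 0000 0000")                                # T set but L bit missing
```

Running `describe` over the three valid samples shows the split the note describes: control messages carry tunnel-management AVPs with sequence numbers, data messages carry the raw tunnelled frame and no sequencing by default.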

L2TP/IPsec startup steps

1. IKE SA negotiation (500/UDP)

2. ESP in transport mode (IP protocol 50)

3. Negotiation and establishment of the L2TP tunnel


Windows auto-connect VPN setting



Setup steps

[1] In the VPN connection's Options tab, uncheck:

  • Display progress while connecting
  • Prompt for username
  • Redial attempts (retry): set to 0

[2] taskschd.msc -> Create task

Give the task a name, e.g. "Auto-start VPN"

Select "Run whether user is logged in or not"

Select "Run with the highest privileges"

Triggers tab -> click "New" -> select "At startup"

Actions tab -> click "New"

Program/script box: "C:\Windows\System32\rasphone.exe"

Add arguments (optional): -d connectionname (without the quotes!)

Click on the Conditions tab and clear any boxes which are checked.






Service: PolicyAgent

Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

If this service is stopped, the VPN cannot connect.


net start PolicyAgent






AssumeUDPEncapsulationContextOnSendRule [DWORD (32-bit)]

  • 0: cannot establish security associations with servers that are located behind NAT devices (default)
  • 1: can establish security associations with servers that are located behind NAT devices
  • 2: can establish security associations when both the server and the client are behind NAT devices





Client -> Server

# Debug: run on the server
# x.x.x.x = client IP

tcpdump -i wan esp                                    # no traffic here

tcpdump -i wan udp port 500 and src x.x.x.x           # packets (isakmp) only at connection startup

tcpdump -i wan udp port 4500 and src x.x.x.x          # all traffic goes over this port (ipsec-nat-t)
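To show why the three filters behave as they do, here is an added Python example (not part of the original notes) that classifies raw IPv4 packets the way those captures split the traffic: ISAKMP on UDP/500, everything on UDP/4500 once NAT-T is in use (IKE prefixed with the four-byte non-ESP marker, ESP-in-UDP, and the one-byte keepalive), and raw ESP (protocol 50), which `tcpdump esp` only matches when no NAT sits in the path. The packets are constructed inside the block with made-up addresses (10.0.0.2 as client, 203.0.113.1 as server) and header-only payloads; the function names are my own.

```python
import socket
import struct
from collections import Counter

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT, L2TP_PORT = 500, 4500, 1701
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE inside UDP/4500 starts with four zero bytes


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, payload: bytes, src="10.0.0.2", dst="203.0.113.1") -> bytes:
    """Constructed IPv4 packet (client 10.0.0.2 -> server 203.0.113.1 are made-up addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum left as 0, which IPv4 permits, to keep the constructed sample short.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_ipv4(packet: bytes) -> str:
    """Label a raw IPv4 packet the way the three tcpdump filters above split the traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return "esp"                 # raw ESP (IP protocol 50): what `tcpdump esp` matches
    if proto != IPPROTO_UDP:
        return "other"
    udp = packet[ihl:]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
    payload = udp[8:ulen]
    ports = {sport, dport}
    if IKE_PORT in ports:
        return "isakmp"              # IKE SA setup, seen only at connection startup
    if NATT_PORT in ports:
        if payload == b"\xff":
            return "nat-keepalive"   # RFC 3948 s2.3: one 0xFF byte keeps the NAT mapping alive
        if payload[:4] == NON_ESP_MARKER:
            return "isakmp-nat-t"    # IKE moved to 4500 once NAT was detected
        return "esp-in-udp"          # ESP; an SPI is never 0, so it cannot collide with the marker
    if L2TP_PORT in ports:
        return "l2tp-plaintext"      # L2TP outside IPsec: the PPP payload is unprotected
    return "udp-other"


def summarize(packets) -> dict:
    """Count packets per label, roughly what the three tcpdump sessions together would show."""
    return dict(Counter(classify_ipv4(p) for p in packets))


# Constructed sample packets (headers only, no real key material or key exchange payloads).
SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),
    build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x11" * 28)),
    build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"\xaa" * 16)),
    build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\xff")),
    build_ipv4(IPPROTO_ESP, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"\xaa" * 16),
    build_ipv4(IPPROTO_UDP, build_udp(L2TP_PORT, L2TP_PORT, b"\x00\x02\x12\x34\x56\x78\xff\x03\xc0\x21")),
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_PACKETS).items():
        print("%-15s %d" % (label, count))
```

The "l2tp-plaintext" label is the one to watch for on a server: UDP/1701 arriving outside the IPsec SA means the PPP session is crossing the network unencrypted.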