PST L2TP/IPsec VPN - Manual Setup Guide
========================================

Connection Details:
-------------------
VPN Name: PST-NW-VPN
Server: 64.139.88.249
Type: L2TP/IPsec with Pre-Shared Key
Username: pst-admin
Password: 24Hearts$
Pre-Shared Key (PSK): rrClvnmUeXEFo90Ol+z7tfsAZHeSK6w7

AUTOMATED SETUP (RECOMMENDED):
===============================
Run as Administrator in PowerShell:

    cd D:\ClaudeTools
    .\Setup-PST-L2TP-VPN.ps1

This will:
- Create the VPN connection (all users)
- Configure L2TP/IPsec with PSK
- Save credentials
- Set up auto-connect at startup

MANUAL SETUP:
==============

Method 1: Using PowerShell (Quick)
-----------------------------------
Run as Administrator:

    # Create VPN connection
    Add-VpnConnection -Name "PST-NW-VPN" -ServerAddress "64.139.88.249" -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod MSChapv2 -L2tpPsk "rrClvnmUeXEFo90Ol+z7tfsAZHeSK6w7" -AllUserConnection -RememberCredential -Force

    # Connect and save credentials
    rasdial "PST-NW-VPN" pst-admin 24Hearts$

    # Disconnect
    rasdial "PST-NW-VPN" /disconnect

Method 2: Using Windows GUI
----------------------------
1. Open Settings > Network & Internet > VPN
2. Click "Add VPN"
3. VPN provider: Windows (built-in)
4. Connection name: PST-NW-VPN
5. Server name or address: 64.139.88.249
6. VPN type: L2TP/IPsec with pre-shared key
7. Pre-shared key: rrClvnmUeXEFo90Ol+z7tfsAZHeSK6w7
8. Type of sign-in info: User name and password
9. User name: pst-admin
10. Password: 24Hearts$
11. Check "Remember my sign-in info"
12. Click Save

PRE-LOGIN AUTO-CONNECT SETUP:
==============================

Option 1: Task Scheduler (Recommended)
---------------------------------------
1. Open Task Scheduler (taskschd.msc)
2. Create Task (not Basic Task)
3. General tab:
   - Name: PST-VPN-AutoConnect
   - Run whether user is logged on or not
   - Run with highest privileges
4. Triggers tab:
   - New > At startup
   - Delay task for: 30 seconds (optional)
5. Actions tab:
   - Action: Start a program
   - Program: C:\Windows\System32\rasdial.exe
   - Arguments: "PST-NW-VPN" pst-admin 24Hearts$
6. Conditions tab:
   - Uncheck "Start only if on AC power"
7. Settings tab:
   - Check "Run task as soon as possible after scheduled start is missed"
8. Click OK

Option 2: Startup Script
-------------------------
Create: C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\connect-vpn.bat

Content:

    @echo off
    timeout /t 30 /nobreak
    rasdial "PST-NW-VPN" pst-admin 24Hearts$

Then:
1. Run gpedit.msc
2. Computer Configuration > Windows Settings > Scripts > Startup
3. Add > Browse > Select connect-vpn.bat
4. OK

TESTING:
========
Test Connection:

    rasdial "PST-NW-VPN"

Check Status:

    rasdial

Disconnect:

    rasdial "PST-NW-VPN" /disconnect

View Connection Details:

    Get-VpnConnection -Name "PST-NW-VPN" -AllUserConnection

VERIFY PRE-LOGIN:
=================
1. Reboot the computer
2. At the login screen, press Ctrl+Alt+Del
3. Click the network icon (bottom right)
4. You should see "PST-NW-VPN" listed
5. It should show as "Connected" if auto-connect worked

TROUBLESHOOTING:
================
Connection fails:
- Check server address: ping 64.139.88.249
- Verify Windows Firewall allows L2TP (UDP 500, 1701, 4500)
- Try disabling "Require encryption" temporarily

Error 789 (L2TP connection attempt failed):
- Windows Firewall may be blocking
- Registry fix required for NAT-T

Registry Fix for NAT-T (if needed):
Run as Administrator:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f

Then reboot.

Error 691 (Access denied):
- Check username/password
- Verify server allows L2TP connections

Can't see VPN at login screen:
- Ensure connection was created with -AllUserConnection flag
- Verify RasMan service is running: services.msc
- Check "Remote Access Connection Manager" is set to Automatic

REMOVING VPN:
=============
Remove VPN connection:

    Remove-VpnConnection -Name "PST-NW-VPN" -AllUserConnection -Force

Remove auto-connect task:

    Unregister-ScheduledTask -TaskName "PST-VPN-AutoConnect" -Confirm:$false

SECURITY NOTES:
===============
- Credentials are stored in Windows Credential Manager
- PSK is stored in the VPN connection settings
- For maximum security, use certificate-based auth instead of PSK
- The scheduled task contains password in plain text - secure task XML file permissions

ADVANTAGES OVER OPENVPN:
========================
- Built into Windows (no third-party software)
- Native pre-login support
- Simple configuration
- Managed through Windows settings
- Works with Windows RAS/RRAS services
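
The checks from the TROUBLESHOOTING and SECURITY NOTES sections, gathered into one read-only audit to run from an elevated PowerShell prompt. This is an added example, not part of the original guide or of Setup-PST-L2TP-VPN.ps1; the names and paths are the ones used in this guide, and the $findings list and its wording are illustrative.

```powershell
# Added example: read-only audit of the setup described in this guide. Changes nothing.
$vpnName  = 'PST-NW-VPN'             # connection name from the guide
$taskName = 'PST-VPN-AutoConnect'    # scheduled task name from the guide
$batPath  = 'C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\connect-vpn.bat'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Connection profile: must be all-user for pre-login use; note PSK vs certificate auth.
$vpn = Get-VpnConnection -Name $vpnName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
    $findings.Add("No all-user connection '$vpnName'; it will not be available at the login screen")
} else {
    if ($vpn.TunnelType -ne 'L2tp')          { $findings.Add("TunnelType is $($vpn.TunnelType), expected L2tp") }
    if ($vpn.EncryptionLevel -ne 'Required') { $findings.Add("EncryptionLevel is $($vpn.EncryptionLevel), expected Required") }
    if ($vpn.L2tpIPsecAuth -eq 'Psk')        { $findings.Add('IPsec uses a pre-shared key stored in the connection settings; certificate auth is stronger') }
}

# 2. Remote Access Connection Manager must be running and set to Automatic.
$svc = Get-Service -Name RasMan
if ($svc.Status -ne 'Running')      { $findings.Add("RasMan status is $($svc.Status)") }
if ($svc.StartType -ne 'Automatic') { $findings.Add("RasMan start type is $($svc.StartType), expected Automatic") }

# 3. NAT-T registry value (only relevant when Error 789 occurs behind NAT).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natT = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($natT -ne 2) { $findings.Add("AssumeUDPEncapsulationContextOnSendRule is '$natT', not 2 (needed only for NAT-T)") }

# 4. Scheduled task: rasdial <entry> <user> <password> puts the password in the task XML.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
foreach ($action in $task.Actions) {
    # Split the arguments into tokens, ignoring switches such as /disconnect.
    $tokens = @([regex]::Matches("$($action.Arguments)", '"[^"]*"|\S+') |
                Where-Object { $_.Value -notlike '/*' })
    if ($action.Execute -match 'rasdial' -and $tokens.Count -gt 1) {
        $findings.Add("Task '$taskName' passes a user name and password on the rasdial command line")
    }
}

# 5. Startup script from Option 2: report who can read the file that holds the password.
if (Test-Path $batPath) {
    $readers = (Get-Acl $batPath).Access.IdentityReference.Value | Sort-Object -Unique
    $findings.Add("$batPath exists and is readable by: $($readers -join ', ')")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```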