Follow

Setup of a VPN with IPsec and an L2TP tunnel

Applies to Platform: UTM 2.5, 4i Edge 2.5
Updated on: 21st June 2012

L2TP, the Layer Two Tunneling Protocol, is described in RFC 2661. In a nutshell, it is a protocol that allows a tunnel connection that carries PPP packets. It is used to support VPN connections using IPsec. It can be used for all the devices that support tunneled connection with IPsec, like Android smartphones and Apple's iPad, iPhone, and iOS.

From this lesson, you will learn how to quickly set up on your Endian UTM appliance an IPsec server using L2TP and password-based (PSK) authentication.

Note

If you prefer to set up an IPSec server using L2TP and certificate-based authentication, please refer to the IPSec VPN - How to Create a Roadwarrior Connection lesson.

Setting up and enabling L2TP

?name=media_1331630748789.png

The set up of a L2TP tunnel is straightforward and you can achieve in a few steps:

  1. Go under Menubar ‣ VPN ‣ L2TP.
  2. Tick the checkbox to enable L2TP support.
  3. Choose to which zone should the L2TP tunnel connections be directed. You can choose only among the zones that have been activated.
  4. Choose a pool of IP addresses that should be assigned to the clients connecting through L2TP. These interval should fall within the IP addresses allocated to the zone chosen in step 3.
  5. Optionally, you can activate the debug mode, which results in more messages to be logged.

Note

If you try to define a range of IP addresses which is not encompassed in the chosen zone, the entries you have defined will not be accepted. Instead, a warning message will inform you of the possible values that can be specified in the range.

Finally, you can save the configuration by clicking on the Save button and then on Apply in the green callout that will appear after saving the configuration.

Configuring IPsec with a L2TP tunnel.

?name=media_1331632848649.png

After the L2TP tunnel has been enabled, you are just a few more steps away to enable IPsec with the L2TP tunnel.

  1. Click on to the IPsec sub-menu item to open the page to configure IPsec, which consists of three boxes.
  2. In the first box, click on the checkbox to enable the VPN connections using IPsec.
  3. You can optionally click on any of the four checkboxes to enable some debugging option, which will result in a more verbose logging.
  4. In the second box, click on the Add button to start the configuration of the VPN.

 

Choosing the connection type

?name=media_1331634759205.png

In the first panel, choose the type of connection to be used, which is in this case the third option (1), i.e., a "roadwarrior using L2TP", then click on Add.

Note

The VPN account is used by all the clients that will use the L2TP connection. While this might seem counterintuitive for the security of the channel, it is in reality only a means to identify the client that connects, and not the user.

Configure VPN account (Part 1 of 2)

?name=media_1331636273916.png

The first step is to configure the VPN account by providing the (1) Name and (2) External Interface to use for listening for incoming VPN connection. To enable the account, tick also the checkbox (3), otherwise the account can not be used for connecting.

Configure VPN Account (Part 2 of 2)

?name=media_1331637005260.png

The second part of the VPN account creation requires to provide a strong password (1) for authentication.

Once you're done, click on Save to store the settings.

Warning

The password you enter will be visible on screen, so make sure nobody is peeping above your shoulders!

Completing the tunnel' setup

?name=media_1331637277801.png

You are now done! The new connection will appear as "CLOSED" until a client connects, in which case the connection' Status will become "OPEN".

Creating L2TP users (1/3)

?name=media_1331651710888.png

After the VPN connection and the L2TP tunnel have been created, the only piece missing to set up the VPN/IPsec connection is represented by the L2TP users.

To create new L2TP users, go under Menubar ‣ VPN ‣ VPN Users (1), then click on Add new User (2).

Creating L2TP users (2/3)

?name=media_1331652608585.png

In this step you define the name (1) and the password (2) for the VPN user. Make also sure that you check the L2TP (3) and Enabled (4) checkboxes to activate a new L2TP user. Finally, click on Advanced Settings to proceed to the last step.

Creating L2TP users (3/3)

?name=media_1331653001943.png

In this last step, click on L2TP options (1) to show the last option: the choice of the IPsec tunnel to be used from the dropdown menu (2) and finalise the user creation by clicking on the Add button.

 

Configuring client to connect to the server.

In order to verify if the server is reachable, you need to configure clients with the data that you have provided here, namely username and password of the L2TP users, the IP address or hostname of the Endian UTM Appliance, and the PSK Secret, which is the pre_shared_key you have entered in Section Configure VPN Account (Part 2 of 2).

You can find in this knowledge base lessons to configure IPSec clients for devices running Android, iOS, and Windows7.

 
Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request

Comments

  • Avatar
    Christian Herdegen

    i dont have the Option to enable L2TP connection.

     

    i am using Endian 2.4 Software applicance with advanced maintanance.

     

    is L2TP only avaiable with endian 2.5?

  • Avatar
    Daniele De Lorenzi

    Yes, L2TP is a new feature introduced with the 2.5 release

  • Avatar
    Tecnico

    it doesn't seem to work with Windows XP, that (I think) use DH group 1 (768-bit key) not supported by Endian. Does exists a client for XP?

  • Avatar
    Jorge Cabello

    Hi I stab well with the 2.4 now with 2.5.1 ipsec tunnels do not connect with router Draytek 2710 series

    how to Solve this problem? I have many clients with ipsec tunnels and i need Work with this   thanks ;)