Setup of a VPN With IPsec And an L2TP Tunnel

Versions 3.0 & 5.0

Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0, 4i Edge 5.0
Updated on: 13th May 2014

This lesson is for release 3.0. If you are running version 2.5.X, please refer to this lesson.

L2TP, the Layer Two Tunneling Protocol, is described in RFC 2661. In a nutshell, it is a protocol that allows a tunnel connection that carries PPP packets. It is used to support VPN connections using IPsec. It can be used for all the devices that support tunneled connection with IPsec, like Android smartphones and Apple's iPad, iPhone, and iOS.

From this lesson, you will learn how to quickly set up on your Endian UTM appliance, an IPsec server using L2TP and password-based (PSK) authentication.


If you prefer to set up an IPsec server using L2TP and certificate-based authentication, please refer to the IPSec VPN - How to Create a Roadwarrior Connection lesson.

Setting up and Enabling L2TP


The set up of a L2TP tunnel is straightforward and you can achieve it in a few steps:

  1. Go under Menubar ‣ VPN ‣ IPsec ‣ L2TP.
  2. A green switch signs that L2TP support is enabled. If it is gray, click on it and wait a few seconds.
  3. Choose to which zone should the L2TP tunnel connections be directed. You can choose only among the zones that have been activated.
  4. Choose a pool of IP addresses that should be assigned to the clients connecting through L2TP. These interval should fall within the IP addresses allocated to the zone chosen in step 3.
  5. Optionally, you can activate the debug mode, which results in more messages to be logged.


If you try to define a range of IP addresses which is not encompassed in the chosen zone, the entries you have defined will not be accepted. Instead, a warning message will inform you of the possible values that can be specified in the range.

Finally, you can save the configuration by clicking on the Save button and then on Apply in the green callout that will appear after saving the configuration.

Configuring IPsec With a L2TP Tunnel.


After the L2TP tunnel has been enabled, you are just a few more steps away to enable IPsec with the L2TP tunnel.

  1. Click on to the IPsec sub-menu item.
  2. A green switch signs that IPsec is enabled. If it is gray, click on it and wait a few seconds.
  3. Choose the certificate that shall be used by the clients to connect. It can be downloada by clicking on the Download PEM file link.
  4. You can optionally click on "Debug Options" to open a panel with several debugging options that can be activated. These option are used
  5. Click on the Save button to start the configuration of the VPN.
  6. After the configuration for IPsec has been saved, click on Add new connection to select and configure the type of connection.

Selecting and Configuring the Connection Type


In this panel, you can configure how the client connects to the IPsec server:

  1. Choose a name for the connection.
  2. Select the type of connection: L2TP Host-to-Net (roadwarrior using L2TP).
  3. Choose the authentication type: Password (PSK).
  4. Provide a strong password.
  5. Select the external interface that the Endian UTM Appliance will use for listening for incoming connections.
  6. To enable the account, tick also the checkbox, otherwise the account can not be used for connecting.

Once you're done, click on Add to store the settings.


The password you enter will be visible on screen, so make sure nobody is peeping above your shoulders!

Completing the Tunnel' Setup


You are now done! The new connection will appear as "CLOSED" until a client connects, in which case the connection' Status will become "OPEN".

Creating L2TP Users (1/3)


After the VPN connection and the L2TP tunnel have been created, the only piece missing to set up the VPN/IPsec connection is represented by the L2TP users. To create new L2TP users:

  1. Go under Menubar ‣ VPN ‣ Authentication ‣  Users.
  2. Click on Add new local user.

Creating L2TP Users (2/3)


 In this step you start the creation of the new L2TP user, by supplying:

  1. The username.
  2. The password, to be typed twice. Click on the checkboxes on the right-hand side to show the password.

Then, scroll down the page and proceed to the next step.

Creating L2TP Users (3/3)


In this last step, you will finish the creation of the L2TP user:

  1. Check the Override L2TP options checkbox.
  2. In the LT2P options panel, choose the IPsec Tunnel to be used.
  3. Click on the Enable checkbox to activate the user.

To finalise the user creation, click on the Add button.

Configuring The Client to Connect to The Server.

In order to verify if the server is reachable, you need to configure clients with the data that you have provided here, namely username and password of the L2TP users, the IP address or hostname of the Endian UTM Appliance, and the PSK Secret, which is the pre_shared_key you have entered in Section Selecting and Configuring the Connection Type.

You can find in this knowledge base lessons to configure IPSec clients for devices running Android, iOS, and Windows7.

Have more questions? Submit a request


  • Avatar

    The "Selecting and Configuring the Connection Type" step is missing instructions about the "Local subnets" field, which is mandatory.