Applies to Platform: UTM 2.5, 4i Edge 2.5
Updated on: 21st June 2012
L2TP, the Layer Two Tunneling Protocol, is described in RFC 2661. In a nutshell, it is a protocol that allows a tunnel connection that carries PPP packets. It is used to support VPN connections using IPsec. It can be used for all the devices that support tunneled connection with IPsec, like Android smartphones and Apple's iPad, iPhone, and iOS.
From this lesson, you will learn how to quickly set up on your Endian UTM appliance an IPsec server using L2TP and password-based (PSK) authentication.
Setting up and enabling L2TP
The set up of a L2TP tunnel is straightforward and you can achieve in a few steps:
- Go under Menubar ‣ VPN ‣ L2TP.
- Tick the checkbox to enable L2TP support.
- Choose to which zone should the L2TP tunnel connections be directed. You can choose only among the zones that have been activated.
- Choose a pool of IP addresses that should be assigned to the clients connecting through L2TP. These interval should fall within the IP addresses allocated to the zone chosen in step 3.
- Optionally, you can activate the debug mode, which results in more messages to be logged.
Finally, you can save the configuration by clicking on the Save button and then on Apply in the green callout that will appear after saving the configuration.
Configuring IPsec with a L2TP tunnel.
After the L2TP tunnel has been enabled, you are just a few more steps away to enable IPsec with the L2TP tunnel.
- Click on to the IPsec sub-menu item to open the page to configure IPsec, which consists of three boxes.
- In the first box, click on the checkbox to enable the VPN connections using IPsec.
- You can optionally click on any of the four checkboxes to enable some debugging option, which will result in a more verbose logging.
- In the second box, click on the Add button to start the configuration of the VPN.
Choosing the connection type
In the first panel, choose the type of connection to be used, which is in this case the third option (1), i.e., a "roadwarrior using L2TP", then click on Add.
Configure VPN account (Part 1 of 2)
The first step is to configure the VPN account by providing the (1) Name and (2) External Interface to use for listening for incoming VPN connection. To enable the account, tick also the checkbox (3), otherwise the account can not be used for connecting.
Configure VPN Account (Part 2 of 2)
The second part of the VPN account creation requires to provide a strong password (1) for authentication.
Once you're done, click on Save to store the settings.
Completing the tunnel' setup
You are now done! The new connection will appear as "CLOSED" until a client connects, in which case the connection' Status will become "OPEN".
Creating L2TP users (1/3)
After the VPN connection and the L2TP tunnel have been created, the only piece missing to set up the VPN/IPsec connection is represented by the L2TP users.
To create new L2TP users, go under Menubar ‣ VPN ‣ VPN Users (1), then click on Add new User (2).
Creating L2TP users (2/3)
In this step you define the name (1) and the password (2) for the VPN user. Make also sure that you check the L2TP (3) and Enabled (4) checkboxes to activate a new L2TP user. Finally, click on Advanced Settings to proceed to the last step.
Creating L2TP users (3/3)
In this last step, click on L2TP options (1) to show the last option: the choice of the IPsec tunnel to be used from the dropdown menu (2) and finalise the user creation by clicking on the Add button.
Configuring client to connect to the server.
In order to verify if the server is reachable, you need to configure clients with the data that you have provided here, namely username and password of the L2TP users, the IP address or hostname of the Endian UTM Appliance, and the PSK Secret, which is the pre_shared_key you have entered in Section Configure VPN Account (Part 2 of 2).
You can find in this knowledge base lessons to configure IPSec clients for devices running Android, iOS, and Windows7.