Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=remote-access-VPN-L2TP-add

Add an L2TP policy

You can configure remote access L2TP policies.

  1. Go to Remote access VPN > L2TP and click Add.
  2. Enter a name.

  3. Specify the general settings:

    Name Description
    Profile IPsec profile to use for the traffic.
    Gateway type

    Disable: Connection remains inactive until a user activates it.

    Respond only: Keeps the connection ready to respond to any incoming request.

  4. Specify the authentication settings:

    Name Description
    Authentication type

    Preshared key: Authenticates endpoints using the secret known to both endpoints.

    The last configured connection using a preshared key (PSK) replaces the PSK of all connections between its listening interface and remote gateway.

    Digital certificate: Authenticates endpoints by exchanging certificates (locally-signed or issued by a certificate authority).

  5. Specify the local network details:

    Name Description
    Local WAN port Select a WAN port, which acts as the endpoint for the tunnel.
    Local ID For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.

  6. Specify the remote network details:

    Name Description
    Remote host

    IP address or hostname of the remote endpoint. To specify any IP address, you can enter a wildcard address (*).

    If you've specified a PSK and a wildcard address, the PSK replaces the PSK in all existing configurations with the same local-remote gateway combination. This impacts remote access VPNs in particular because their remote gateway is considered a wildcard address.
    Allow NAT traversal Enable NAT traversal if a NAT device exists between your endpoints, that is, when the remote peer has a private or non-routable IP address.
    Remote subnet Remote networks to which you want to provide access.
    Remote ID For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.

  7. Specify the QuickHA mode settings:

    Name Description
    Local port Port that the local peer uses for TCP or UDP traffic. To specify any port, enter a wildcard (*).
    Remote port Port that the remote peer uses for TCP or UDP traffic. To specify any port, enter a wildcard (*).

  8. Specify the advanced settings:

    Name Description
    Disconnect when tunnel is idle Disconnects idle clients from the session after the specified time.
    Idle session time interval Time, in seconds, after which the firewall disconnects idle clients.

  9. Click Save.