Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Create an L2TP remote access connection

You want to create a remote access L2TP connection.

Introduction

To create the L2TP connection, do as follows:

  • Turn on L2TP VPN connections, and specify your settings.
  • Create your L2TP policy.
  • Set route precedence.
  • Create a firewall rule to allow inbound VPN traffic.

Create an L2TP connection

  1. Go to Remote access VPN > L2TP and click L2TP global settings.

    Show VPN settings link.

  2. Select Enable L2TP to turn on L2TP connections.

  3. Specify the general settings:

    Name Description
    Assign IP from Enter the IP address range to lease.
    Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client

    This setting is optional.

    Select this if you want to lease IP addresses through RADIUS.

  4. Specify the client information:

    Name Description
    Primary DNS server Select a DNS server from the drop-down list, or specify the DNS server by selecting Other and typing the server's address.
    Secondary DNS server

    This setting is optional.

    Select a DNS server from the drop-down list, or specify the DNS server by selecting Other and typing the server's address.

    Primary WINS server

    This setting is optional.

    Enter the IP address of your primary WINS server.

    Secondary WINS server

    This setting is optional.

    Enter the IP address of your secondary WINS server.

  5. Click Add members.

    Add members button.

  6. Select your users and groups, then click Add.

    Screen showing the users and groups you can select.

  7. Click Apply.

    The following image shows example settings.

    Example L2TP general settings and client information.

Create an L2TP policy

  1. Go to Remote access VPN > L2TP and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Name Description
    Profile IPsec profile to use for the traffic.
    Gateway type

    Action to take when the VPN service or the firewall restarts:

    Disable: Connection remains inactive until a user activates it.

    Respond only: Keeps the connection ready to respond to any incoming request.

  4. Specify authentication settings.

    Name Description
    Authentication type

    Authentication to use for the connection.

    Preshared key: Authenticates endpoints using the secret known to both endpoints.

    Digital certificate: Authenticates endpoints by exchanging certificates (locally-signed or issued by a certificate authority).

  5. Specify local network details.

    Name Description
    Local WAN port Select a WAN port, which acts as the endpoint for the tunnel.
    Local ID For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.
  6. Specify remote network details.

    Name Description
    Remote host IP address or hostname of the remote endpoint. To specify any IP address, type “*”.
    Allow NAT traversal Enable NAT traversal if a NAT device exists between your endpoints, that is, when the remote peer has a private or non-routable IP address.
    Remote subnet Remote networks to which you want to provide access.
    Remote ID For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.
  7. Specify quick mode selectors.

    Name Description
    Local port Port that the local peer uses for TCP or UDP traffic. To specify any port, type *.
    Remote port Port that the remote peer uses for TCP or UDP traffic. To specify any port, type *.
  8. Specify the advanced settings:

    Name Description
    Disconnect when tunnel is idle Disconnects idle clients from the session after the specified time.
    Idle session time interval Time, in seconds, after which the firewall disconnects idle clients.
  9. Click Save.

    The following images show example settings.

    Example L2TP settings.

    Example L2TP settings.

  10. Click the red icon under the Active column to start the connection. Once connected, it'll show up as green.

    Here's an example:

    VPN connection status showing as connected.

To configure an L2TP connection on Windows 10, see Configure an L2TP connection for Windows 10.

Set route precedence

The default route precedence is static routes, followed by SD-WAN policy routes, then VPN routes. To establish L2TP connection, VPN routes must come first, followed by static routes and SD-WAN policy routes in any order.

  1. Sign in to the firewall's CLI.
  2. Enter 4 to select Device Console.
  3. Run system route_precedence set vpn static sdwan_policyroute.
  4. Run system route_precedence show to check that VPN routes come first.

Create a firewall rule

  1. Go to Rules and policies > Firewall rules, and click IPv4.
  2. Click Add firewall rule, then click New firewall rule.
  3. Configure the rule as follows:

    Name Description
    Rule name VPN-LAN
    Source zones VPN
    Source networks and devices Any
    Destination zones LAN
    Destination networks Any
    Services Any

    Example:

    Example firewall rule settings.

  4. Click Save.

    To allow the remote host to access the internet through Sophos Firewall, create a firewall rule with VPN as the source zone and WAN as the destination zone.

More resources