Configuring L2TP Settings
This chapter describes how to enable L2TP, configuring basic settings and access control.
Open the Remote Access > L2TP over IPsec > Global tab.
Enable L2TP over IPsec.
Enable L2TP over IPsec remote access by clicking the Enable button.
The toggle switch turns amber and the page becomes editable.
Server Settings and IP Address Management
In the Server Settings and IP Address Management section, make the following settings:
Interface: Select the network interface to use for L2TP access.
Note – If you use uplink balancing, only the primary interface that is up will be used for L2TP traffic.
Authentication mode: L2TP over IPsec remote access supports authentication based on Preshared keys or X.509 CA check:
With this method you can use L2TP over IPsec as an easy PPTP alternative in Windows XP.
Preshared key: Enter the shared secret. This shared secret is a secure phrase or password that is used to set up a secure tunnel.
Repeat: Confirm the shared secret.
Security Note: Use a secure password. Ensure that this password does not fall into the hands of unauthorized third parties. With this password, an attacker can build a connection to the internal network. We recommend changing this password at regular intervals.
X.509 CA check
Certificate: Select the local X.509 certificate to authenticate the server.
Assign IP addresses by: During connection establishment, user clients get an IP address. The IP address can be taken from a predefined IP address pool or it can be requested from a DHCP server.
IP address pool
Pool network: The default settings assign addresses from the private IP space 10.242.3.x/24. This network is called the VPN Pool (L2TP). If you wish to use a different network, simply change the definition of the VPN Pool (L2TP) on the Definitions & Users > Network Definitions page. Alternatively, you can create another IP address pool by clicking the Plus icon.
Note: If you wish the L2TP-connected users to be allowed to access the internet, you additionally need to define appropriate Masquerading or NAT rules.
DHCP server: Select the DHCP server here. Please note that the local DHCP server is not supported. The DHCP server to be specified here must be running on a physically different system. Clicking the Folder icon opens a list that displays all networks and hosts that had been defined on the Definitions & Users > Network Definitions page.
Via interface: Define the network card through which the DHCP server is connected. Note that the DHCP does not have to be directly connected to the interface–it can also be accessed through a router.
Click Apply to save your settings.
The switch turns green. L2TP over IPsec is active now.
L2TP remote access supports Local and RADIUS authentication. For users using other authentication methods remote access will not work. For local users, UTM supports the authentication protocols MS-CHAPv2 and PAP (local authentication). By default, a MS Windows client negotiates MS-CHAPv2.
You can use RADIUS authentication, if you have defined a RADIUS server on the Definitions & Users > Authentication Servers > Servers tab. In conjunction with RADIUS authentication, UTM supports the authentication protocols MS-CHAPv2, MS-CHAP, CHAP, and PAP. The authentication requests are forwarded to the RADIUS server. The L2TP module sends the following string as NAS-ID to the RADIUS server: l2tp. The authentication algorithm gets automatically negotiated between client and server.
Cross Reference: The configuration of the Microsoft IAS RADIUS server and the configuration of RADIUS within WebAdmin is described in the UTM administration guide under Definitions & Users.
In the Access Control section, select an authentication method.
Authentication via: Select the authentication method.
Users and groups: When using Local authentication, please also select the users and groups that should be able to use L2TP remote access.
Click Apply to save your settings.
Cross Reference: For more information about remote access go to Remote Access in the UTM administration guide.