Global
On the L2TP over IPsec > Global tab you can configure basic options for setting up remote access via L2TP (Layer Two Tunneling Protocol) over IPsec (Internet Protocol Security).
Note – By default, the 96-bit Android-friendly version of L2TP authentication is enabled. If you want to follow the official RFC (e.g. to use L2TP with Nokia Smartphones), see the Sophos Knowledge Base.
To use L2TP over IPsec, proceed as follows:
- On the Global tab, enable L2TP over IPsec.
  Click the toggle switch.
  The toggle switch turns amber and the Server Settings and IP Address Assignment areas become editable.
- Specify the following settings:
  Interface: Select the network interface to be used for L2TP VPN (Virtual Private Network) access.
  Note: If you use uplink balancing, only the primary interface that is up will be used for L2TP traffic.
  Authentication mode: You can choose between the following authentication modes:
  - Preshared key: Enter a password which is subsequently used as preshared key. The Preshared Key method makes use of a shared secret that is exchanged by the communicating parties before communication takes place. To communicate, both parties prove that they know the secret. The shared secret is a secure phrase or password that is used to encrypt the traffic using the encryption algorithm for L2TP. For best security, take appropriate measures to increase the strength of the shared secret: its security depends on the quality of the password and on how securely it has been transmitted. Passwords consisting of common words are extremely vulnerable to dictionary attacks. For that reason, the shared secret should be long and contain a mix of lowercase letters, capital letters, and numbers. Wherever possible, preshared-key authentication should be replaced by certificate-based authentication.
    Note – If you want to enable access for iOS devices, you need to select Preshared Key because iOS devices only support PSK authentication.
  - X.509 CA check: X.509 certificates ease the process of exchanging public authentication keys in large VPN setups with many participants. A so-called CA (Certificate Authority) gathers and checks the public keys of the VPN endpoints and issues a certificate for each member. The certificate contains the peer's identity along with its public key. Because the certificate is digitally signed, no one else can issue a forged certificate without being detected.
    During the key exchange, certificates are exchanged and verified using locally stored CA public keys. The actual authentication of the VPN endpoints is then done using public and private keys. If you want to use this authentication mode, select an X.509 certificate.
    Note that for X.509 authentication to work, you need to have a valid CA configured on the Remote Access > Certificate Management > Certificate Authority tab.
  Assign IP addresses by: IP addresses can either be assigned from a predefined IP address pool or distributed automatically by a DHCP server:
  - Pool network: By default, IP Address Pool is selected as IP address assignment, with the pre-defined VPN Pool (L2TP) network definition selected as the Pool Network. The VPN Pool (L2TP) is a randomly generated network from the 10.x.x.x IP address space for private Internets, using a class C subnet. It is normally not necessary to ever change this, as it ensures that the users have a dedicated pool of addresses to make connections from. If you want to use a different network, you can simply change the definition of the VPN Pool (L2TP), or assign another network as IP address pool here. Note that the netmask is limited to a minimum of 16.
    Note – If you use private IP addresses for your L2TP VPN Pool and you want IPsec hosts to be allowed to access the Internet, appropriate masquerading or NAT rules must be in place for the IP address pool.
  - DHCP server: If you select DHCP server, also specify the network interface through which the DHCP server is reached. The DHCP (Dynamic Host Configuration Protocol) server does not have to be directly connected to that interface; it can also be reached through a router. Note that the local DHCP server is not supported; the DHCP server selected here must run on a physically different system.
- Click Apply.
  Your settings will be saved. The switch turns green.
  To cancel the configuration, click the amber colored toggle switch.
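As an added illustration (not Sophos code), the following Python checks a candidate Pool network against the constraints described above for the Pool network setting: the /16 minimum netmask, and the masquerading/NAT follow-up needed when the pool uses private (RFC 1918) addresses. It goes slightly beyond the page by also flagging overlap with existing local networks, since the point of the pool is to give VPN clients dedicated addresses; `random_l2tp_pool` mimics the documented default of a random class C network from 10.x.x.x and is my reconstruction, not the UTM's own generator.

```python
import ipaddress
import secrets

# Constructed example, not Sophos UTM code: validates a candidate L2TP
# Pool network against the constraints documented on the Global tab.

MIN_PREFIXLEN = 16  # the tab limits the pool netmask to a minimum of /16
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def random_l2tp_pool() -> ipaddress.IPv4Network:
    """Mimic the default VPN Pool (L2TP): a random /24 inside 10.0.0.0/8."""
    second, third = secrets.randbelow(256), secrets.randbelow(256)
    return ipaddress.ip_network(f"10.{second}.{third}.0/24")


def check_l2tp_pool(cidr: str, local_networks=()) -> dict:
    """Return findings for a candidate pool definition.

    'ok' is False for definitions the tab would not accept; 'warnings'
    lists follow-up work (NAT rules, address overlap) the admin must do.
    """
    result = {"ok": True, "errors": [], "warnings": [], "needs_nat": False}
    try:
        pool = ipaddress.ip_network(cidr, strict=True)  # reject host bits
    except ValueError as exc:
        result["ok"] = False
        result["errors"].append(f"invalid network definition: {exc}")
        return result
    if pool.version != 4:
        result["ok"] = False
        result["errors"].append("L2TP pool must be an IPv4 network")
        return result
    if pool.prefixlen < MIN_PREFIXLEN:
        result["ok"] = False
        result["errors"].append(
            f"netmask /{pool.prefixlen} is shorter than the /{MIN_PREFIXLEN} minimum")
    # Private pools need masquerading/NAT rules before clients reach the Internet.
    if any(pool.subnet_of(net) for net in RFC1918):
        result["needs_nat"] = True
        result["warnings"].append(
            "private pool: add masquerading/NAT rules for Internet access")
    for local in local_networks:
        if pool.overlaps(ipaddress.ip_network(local, strict=False)):
            result["warnings"].append(
                f"pool overlaps {local}; clients would not get dedicated addresses")
    return result
```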
Access Control
Authentication via: L2TP remote access only supports local and RADIUS (Remote Authentication Dial In User Service) authentication.
- Local: If you select Local, specify the users and user groups who should be able to use L2TP remote access. It is not possible to drag backend user groups into the field. For local users you need to add users in the usual way and enable L2TP for them. If no users or groups are selected, L2TP remote access is turned off. For how to add new users or groups, see Definitions & Users > Users & Groups > Users.
  Note – Username and password of the selected users may only contain ASCII printable characters.
  Note – Similar to SSL (Secure Sockets Layer) VPN, the Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition exists on Sophos UTM. Depending on the authentication mode, authorized users who have successfully logged in to the User Portal find the IPsec pre-shared key (authentication mode Preshared key) or the PKCS#12 file (authentication mode X.509 CA Check) as well as a link to installation instructions, which are available at the Sophos Knowledge Base.
- RADIUS: If you select RADIUS, the authentication requests are forwarded to the RADIUS (Remote Authentication Dial In User Service) server. The L2TP module sends the string l2tp as NAS-ID (Network Access Server Identifier) to the RADIUS server.
The authentication algorithm gets automatically negotiated between client and server. For local users, Sophos UTM supports the authentication protocol MSCHAPv2.
For RADIUS users, Sophos UTM supports the following authentication protocols: