All L2TP and Dial-In User Fields

Configure L2TP (Layer 2 Tunneling Protocol) policies and dial-in users on VPN > IPsec > L2TP Policies.

Step 1 of 2

Policy Name

Type a string that is unique to this policy. The string can include 1 to 15 alphanumeric characters.

IKE Policy

Select a previously configured IKEv1 policy. The list displays only client-to-site IKEv1 policies. Configure IKEv1 policies on VPN > IPsec > IKEv1 Policies.

Step 2 of 2

Proposal

Select a previously configured IPsec proposal. The list displays only transport-mode IPsec proposals that use the ESP (Encapsulating Security Payload) protocol. Configure IPsec proposals on VPN > IPsec > IPsec Proposals.

SA (Security Association) Lifetime in seconds

Type the number of seconds that the L2TP SA is kept open. Valid values are between 300 seconds (5 minutes) and 86400 seconds (1 day).

SA Lifetime in kilobytes

Type a number between 2560 KB and 4194304 KB (4.2 GB). The default is 0.

This setting determines when an SA expires based on the amount of data passed over it rather than on elapsed time. (The more traffic that is sent under one key, the more material an attacker has for cracking that key.)

The Threat Management Services (TMS) zl Module checks an L2TP SA for inactivity when the SA has transmitted and received 80 percent of its lifetime in kilobytes. If the SA is active, the module renegotiates it, deleting the old SA when the new one is established. If the SA is inactive, the module deletes it when the total lifetime in kilobytes is reached and the SA is still inactive.

The default value of 0 means that the SA does not have a lifetime in kilobytes.

If you specify the SA lifetime both in seconds and in kilobytes, the module checks the SA for activity when the first limit is reached.
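A small model of the lifetime rules above, added here as an example (this is constructed code, not TMS zl Module code). The handling of an SA that is still active at the full time limit is an assumption, since the page only spells out the behaviour at the kilobyte check.

```python
# Added model of the L2TP SA lifetime rules documented above. Constructed
# example, not TMS zl Module code: it validates the two lifetime fields and
# applies the documented decisions so the interaction of the time limit and
# the kilobyte limit can be inspected offline.
SECONDS_MIN, SECONDS_MAX = 300, 86400   # 5 minutes .. 1 day
KB_MIN, KB_MAX = 2560, 4194304          # 2.5 MB .. 4.2 GB; 0 = no KB lifetime
KB_CHECK_PERCENT = 80                   # inactivity check at 80 % of KB lifetime


def validate_lifetime(seconds: int, kilobytes: int = 0) -> None:
    """Reject values outside the ranges the two fields accept."""
    if not SECONDS_MIN <= seconds <= SECONDS_MAX:
        raise ValueError(f"SA lifetime {seconds}s not in {SECONDS_MIN}-{SECONDS_MAX}")
    if kilobytes != 0 and not KB_MIN <= kilobytes <= KB_MAX:
        raise ValueError(f"SA lifetime {kilobytes} KB not in {KB_MIN}-{KB_MAX}")


def first_check_point(seconds: int, kilobytes: int = 0) -> dict:
    """Thresholds at which the module first examines the SA for activity.

    The KB check comes at 80 % of the KB lifetime; the time limit is taken at
    face value (assumption: the page gives no percentage for the time limit).
    With both configured, whichever threshold is reached first applies.
    """
    validate_lifetime(seconds, kilobytes)
    kb_check = kilobytes * KB_CHECK_PERCENT // 100 if kilobytes else None
    return {"seconds": seconds, "kilobytes": kb_check}


def sa_decision(elapsed_s: int, kb_transferred: int, active: bool,
                seconds: int, kilobytes: int = 0) -> str:
    """Return 'keep', 'renegotiate' or 'delete' for one observation of an SA.

    kb_transferred is the total transmitted plus received, in KB.
    """
    validate_lifetime(seconds, kilobytes)
    kb_expired = bool(kilobytes) and kb_transferred >= kilobytes
    if kb_expired or elapsed_s >= seconds:
        # Total lifetime reached: an idle SA is deleted. (Assumption: an SA
        # still carrying traffic here is renegotiated, as at the 80 % point.)
        return "renegotiate" if active else "delete"
    if kilobytes and kb_transferred >= kilobytes * KB_CHECK_PERCENT // 100:
        # 80 % point: rekey early while traffic flows; an idle SA is left
        # alone and re-examined when the full KB lifetime is reached.
        return "renegotiate" if active else "keep"
    return "keep"
```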

Enable PFS (Perfect Forward Secrecy) for keys

Select to enable perfect forward secrecy for keys, which forces the tunnel endpoints to generate fresh, independent keys for the IPsec SA at each rekey rather than deriving them from the IKE keying material. In the list that is displayed, select one of the following Diffie-Hellman groups:

  • Group 1 (768-bit)

  • Group 2 (1024-bit)

  • Group 5 (1536-bit)

Enable IP Compression

When you enable this feature, the TMS zl Module compresses IP packets before encryption, which can help to increase network performance.

All Dial-In User Fields

Step 1 of 3

Dial-In User Name

A string that is unique to this policy and that identifies the policy. The string can include 1 to 15 alphanumeric characters. This is not the login username.

Server IP Address/Subnet Mask

The IP address and subnet of the TMS zl Module in its capacity as LNS (L2TP Network Server). This is a virtual IP address in an unused subnet that is not configured on the module or the host switch. This address will be placed in EXTERNAL automatically.

User IP Address

The IP address that the remote client will use while on the local network. This IP address must be on the same subnet as the LNS address that you configured in the previous step, and it must be unique to the user. This address will be placed in EXTERNAL automatically.

Authentication

You can use this additional layer of authentication if desired.

  • No Authentication

  • Authentication Peer — The TMS zl Module must authenticate the remote host.

  • Authentication With Peer — The remote host must authenticate the TMS zl Module.

  • Both — The hosts must authenticate each other.

  • Shared Secret — Type a string. This string must also be configured in the Windows registry of the L2TP client.

Step 2 of 3

Policy Group Name

An empty user group that is configured on the TMS zl Module. Configure user groups on Network > Authentication > Local Users.

Authentication Protocol

The protocol that is used to authenticate the client:

  • Any

  • PAP (Password Authentication Protocol)

  • CHAP (Challenge Handshake Authentication Protocol)

  • MS-CHAPv1 (Microsoft CHAP version 1)

  • None

User

The login username for the remote client.

Password

The login password for the remote client.

Step 3 of 3

Optional Settings

The TMS zl Module will assign these parameters to the L2TP clients while they are on the local network.

Default Gateway

The IP address that you specified for Server IP Address/Subnet Mask, but without the subnet mask.

Primary and Secondary DNS Servers

The IP addresses of DNS servers that the remote client can use to resolve hostnames while visiting the internal network. The secondary DNS server is optional.

Primary and Secondary WINS Servers

The IP addresses of WINS servers (if your network uses WINS). These settings are optional.