Example 6b: Configure an L2TP over IPsec VPN with Windows 2000/XP Default Values

This is the same configuration as in Example 6, except that the configuration uses Windows 2000/XP default values instead of creating a new IPsec policy.

TMS zl Module

1. Create the L2TP user group.

   1. Select Network > Authentication > Local Users.

   2. Click Add Group.

   3. For Group Name, type L2TPuserGP and click OK.

2. Create the IKEv1 policy.

   1. Select VPN > IPsec > IKEv1 Policies.

   2. Click Add IKE Policy.

   3. For IKE Policy Name, type remoteL2TP.

   4. For IKE Policy Type, select Client-to-Site (Responder).

   5. For Local Gateway, select Use VLAN IP Address and select VLAN22.

   6. For Local ID, select IP Address from the Type list, then type 172.24.22.99 in the box.

   7. For Remote ID, select IP Address from the Type list, then type 0.0.0.0 in the box. This wildcard address permits multiple clients to use the policy.

   8. Click Next.

   9. Under IKE Authentication, configure these settings:

      a. For Key Exchange Mode, select Main Mode.

      b. For Authentication Method, select Preshared Key.

      c. For Preshared Key and Confirm Preshared Key, type WindowsL2tpKEY.

   10. Under Security Parameters Proposal, configure the security settings that the Threat Management Services (TMS) zl Module proposes for the IKE SA. Use one of the following combinations, which match the client's default IKE proposals:

       Client         DH Group   Encryption Algorithm   Authentication Algorithm
       Windows 2000   2          3DES                   MD5
       Windows 2000   1          DES                    SHA-1
       Windows 2000   1          DES                    MD5
       Windows XP     2          3DES                   MD5
       Windows XP     2          3DES                   SHA-1
       Windows XP     1          DES                    MD5
       Windows XP     1          DES                    SHA-1

   11. For SA Lifetime in seconds, type 28800 (8 hours).

   12. Click Next.

   13. Accept the default: Disable XAUTH.

   14. Click Finish. The IKE policy is displayed in VPN > IPsec > IKEv1 Policies.
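The table above only works if the proposal the TMS zl Module offers appears in the client's own default list. The following Python model, added here as an example and not part of the TMS zl guide, encodes the Windows 2000/XP default proposals from the table and shows which single TMS proposal negotiates with which client. It assumes the usual IKEv1 behaviour in which the initiator (the Windows client) sends its proposals in preference order and the responder (the module) accepts the first one it also supports; the function names and the tuple layout are the example's own.

```python
# Added example: IKEv1 proposal selection against the Windows 2000/XP defaults.
# Not code from the TMS zl guide; the tuple layout and function names are ours.

# Default IKE proposals per client OS, in the order the table lists them:
# (DH group, encryption algorithm, authentication algorithm).
WINDOWS_DEFAULT_PROPOSALS = {
    "Windows 2000": [
        (2, "3DES", "MD5"),
        (1, "DES", "SHA-1"),
        (1, "DES", "MD5"),
    ],
    "Windows XP": [
        (2, "3DES", "MD5"),
        (2, "3DES", "SHA-1"),
        (1, "DES", "MD5"),
        (1, "DES", "SHA-1"),
    ],
}


def negotiate(client_os, responder_proposals):
    """Return the proposal an IKEv1 exchange settles on, or None.

    Assumption: the initiator (Windows client) lists its defaults in order and
    the responder (TMS zl Module) picks the first one it also accepts, so the
    client's ordering, not the module's, decides the result.
    """
    accepted = set(responder_proposals)
    for proposal in WINDOWS_DEFAULT_PROPOSALS[client_os]:
        if proposal in accepted:
            return proposal
    return None  # no overlap: Main Mode fails, no IKE SA is built


def proposals_common_to_both():
    """Proposals that both Windows 2000 and Windows XP clients offer by default."""
    xp_defaults = set(WINDOWS_DEFAULT_PROPOSALS["Windows XP"])
    return [p for p in WINDOWS_DEFAULT_PROPOSALS["Windows 2000"] if p in xp_defaults]


def check_tms_proposal(dh_group, encryption, auth):
    """List the client OSes whose defaults include one configured TMS proposal."""
    proposal = (dh_group, encryption, auth)
    return [
        client_os
        for client_os, defaults in WINDOWS_DEFAULT_PROPOSALS.items()
        if proposal in defaults
    ]


if __name__ == "__main__":
    # A module that offers only DH 2 / 3DES / SHA-1 serves XP clients but not 2000.
    print("XP with 3DES/SHA-1 :", negotiate("Windows XP", [(2, "3DES", "SHA-1")]))
    print("2000 with 3DES/SHA-1:", negotiate("Windows 2000", [(2, "3DES", "SHA-1")]))
    print("works for both      :", proposals_common_to_both())
```

Of the combinations common to both clients, DH group 2 with 3DES is the only one that avoids single DES; it is also the cipher the IPsec proposal TResp3Dmd5 later in this example uses.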

3. Create the named objects.

   1. Select Firewall > Access Policies > Addresses.

   2. Click Add an Address.

   3. Create a single-entry IP address object for the local gateway:

      a. For Name, type localVPNgate.

      b. For Type, select IP.

      c. Select Single-entry and type 172.24.22.99.

      d. Click Apply.

   4. Create a single-entry network address object for VLAN44:

      a. For Name, type VLAN44.

      b. For Type, select Network.

      c. Select Single-entry and type 10.1.44.0/24.

      d. Click Apply.

   5. Create a single-entry network address object for the remote clients' public IP addresses:

      a. For Name, type L2TPclients.

      b. For Type, select Network.

      c. Select Single-entry and type 192.168.33.0/24.

      d. Click Apply.

   6. Create a single-entry network address object for the remote clients' local (virtual) IP addresses:

      a. For Name, type L2TPclientsVIR.

      b. For Type, select Network.

      c. Select Single-entry and type 5.5.5.0/24.

      d. Click Apply.

   7. Click Close.

4. Create the IPsec proposal.

   1. Select VPN > IPsec > IPsec Proposals.

   2. Click Add IPsec Proposal.

   3. For Proposal Name, type TResp3Dmd5.

   4. For Encapsulation Mode, select Transport Mode.

   5. For Security Protocol, select ESP.

   6. For Encryption Algorithm, select 3DES.

   7. For Authentication Algorithm, select MD5.

   8. Click OK.

5. Create the IPsec policy.

   1. Click the IPsec Policies tab.

   2. Click Add IPsec Policy.

   3. For Policy Name, type L2TPoverIPsec.

   4. For Action, select Apply.

   5. For Position, type 1.

   6. For Traffic Selector, configure these settings:

      a. For Protocol, select UDP.

      b. For Local Address, select localVPNgate.

      c. For Local Port, type 1701.

      d. For Remote Address, select L2TPclients.

      e. For Remote Port, type 1701 or leave it blank.

      Note: You cannot select the (115) L2TP entry as the traffic selector protocol in this case, because the Windows client carries L2TP at Layer 4, as UDP port 1701, rather than as a Layer 3 protocol.

   7. For Proposal, select TResp3Dmd5.

   8. Click Next.

   9. For Key Exchange Method, accept the default: Auto (with IKEv1).

   10. For IKEv1 Policy, select remoteL2TP.

   11. Accept the remaining default values and click Next.

   12. Clear the Enable IP Address Pool for IRAS (Mode Config) check box and click Next.

   13. Accept the default settings in the Advanced Settings (Optional) section.

   14. Click Finish. The IPsec policy is displayed in the VPN > IPsec > IPsec Policies window.

6. Create the L2TP remote access policy.

   1. Click the L2TP Remote Access tab.

   2. Click Add L2TP Policy.

   3. For Policy Name, type Windows.

   4. Select the Enable this policy check box.

   5. For IKE Policy, select remoteL2TP.

   6. Click Next.

   7. For Proposal, select TResp3Dmd5.

   8. Accept the remaining default values and click Finish.

7. Create the dial-in user policies for the two clients.

   1. Click Add Dial-In User.

   2. For Dial-In User Name, type L2TPuser.

   3. For Server IP Address/Subnet Mask, type 5.5.5.5/24.

   4. For User IP Address, type 5.5.5.50.

   5. For Authentication, select No Authentication and click Next.

   6. For Policy Group Name, select L2TPuserGP.

   7. For Authentication Protocol, select Any.

   8. For User, type user101.

   9. For Password, type 1234$ and click Next.

   10. For Default Gateway, type 5.5.5.5.

   11. For Primary DNS Server, type 10.1.44.222.

   12. Click Finish.

   13. Click Add Dial-In User again.

   14. For Dial-In User Name, type L2TPuser.

   15. For Server IP Address/Subnet Mask, type 5.5.5.5/24.

   16. For User IP Address, type 5.5.5.51.

   17. For Authentication, select No Authentication and click Next.

   18. For Policy Group Name, select L2TPuserGP.

   19. For Authentication Protocol, select Any.

   20. For User, type user102.

   21. For Password, type 1234$ and click Next.

   22. For Default Gateway, type 5.5.5.5.

   23. For Primary DNS Server, type 10.1.44.222.

   24. Click Finish.

8. Create the firewall access policies.

   1. Select Firewall > Access Policies > Unicast.

   2. Select the L2TPuserGP user group.

   3. Click Add a Policy.

   4. Permit IKE traffic from the remote clients to the TMS zl Module:

      a. For Action, accept the default: Permit Traffic.

      b. For From, select EXTERNAL.

      c. For To, select SELF.

      d. For Service, select isakmp.

      e. For Source, select L2TPclients.

      f. For Destination, select localVPNgate.

      g. Select the Enable logging on this Policy check box.

      h. Click Apply.

   5. Permit L2TP traffic from the remote clients to the TMS zl Module:

      a. For Action, accept the default: Permit Traffic.

      b. For From, select EXTERNAL.

      c. For To, select SELF.

      d. For Service, select l2tp-udp.

      e. For Source, select L2TPclients.

      f. For Destination, select localVPNgate.

      g. Click Apply.

   6. Permit L2TP traffic from the TMS zl Module to the remote clients:

      a. For Action, accept the default: Permit Traffic.

      b. For From, select SELF.

      c. For To, select EXTERNAL.

      d. For Service, select l2tp-udp.

      e. For Source, select localVPNgate.

      f. For Destination, select L2TPclients.

      g. Click Apply.

   7. Permit IKE traffic from the TMS zl Module to the remote clients:

      a. For Action, accept the default: Permit Traffic.

      b. For From, select SELF.

      c. For To, select EXTERNAL.

      d. For Service, select isakmp.

      e. For Source, select localVPNgate.

      f. For Destination, select L2TPclients.

      g. Click Apply.

   8. Permit traffic from the remote clients to VLAN44:

      a. For Action, accept the default: Permit Traffic.

      b. For From, select EXTERNAL.

      c. For To, select INTERNAL.

      d. For Service, select Any Service.

      e. For Source, select L2TPclientsVIR.

      f. For Destination, select VLAN44.

      g. Click Apply.

   9. Permit traffic from VLAN44 to the remote clients:

      a. For Action, accept the default: Permit Traffic.

      b. For From, select INTERNAL.

      c. For To, select EXTERNAL.

      d. For Service, select Any Service.

      e. For Source, select VLAN44.

      f. For Destination, select L2TPclientsVIR.

      g. Click Apply.

   10. Click Close.
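The six access policies above form a matching set: the first four admit only the IKE and L2TP control traffic between the clients' public addresses and the module's own address, and the last two admit the tunnelled traffic, which the module sees with the clients' virtual 5.5.5.0/24 addresses rather than their public ones. The Python model below, added here as an example and not part of the TMS zl guide, encodes the address objects, the six policies and the UDP 1701 traffic selector from this example and evaluates constructed sample flows against them. The page names the isakmp and l2tp-udp services but does not define them, so their ports (UDP 500 and UDP 1701) are the standard assignments; the zone-from-address rule in zone_of, the default-deny outcome when no policy matches, the Flow type and the function names are this example's assumptions.

```python
# Added example: a model of the L2TP/IPsec access policies and traffic selector.
# Not code from the TMS zl guide; the data layout and functions are ours.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address objects exactly as created under "Create the named objects".
ADDRESSES = {
    "localVPNgate": ipaddress.ip_network("172.24.22.99/32"),
    "VLAN44": ipaddress.ip_network("10.1.44.0/24"),
    "L2TPclients": ipaddress.ip_network("192.168.33.0/24"),
    "L2TPclientsVIR": ipaddress.ip_network("5.5.5.0/24"),
}

# Service objects as (protocol, destination port); None means Any Service.
# Assumption: isakmp is UDP 500 and l2tp-udp is UDP 1701 (standard ports).
SERVICES = {
    "isakmp": ("udp", 500),
    "l2tp-udp": ("udp", 1701),
    "Any Service": None,
}

# The six unicast policies for L2TPuserGP, in the order the example adds them:
# (From zone, To zone, Service, Source object, Destination object).
POLICIES = [
    ("EXTERNAL", "SELF", "isakmp", "L2TPclients", "localVPNgate"),
    ("EXTERNAL", "SELF", "l2tp-udp", "L2TPclients", "localVPNgate"),
    ("SELF", "EXTERNAL", "l2tp-udp", "localVPNgate", "L2TPclients"),
    ("SELF", "EXTERNAL", "isakmp", "localVPNgate", "L2TPclients"),
    ("EXTERNAL", "INTERNAL", "Any Service", "L2TPclientsVIR", "VLAN44"),
    ("INTERNAL", "EXTERNAL", "Any Service", "VLAN44", "L2TPclientsVIR"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def zone_of(ip: str) -> str:
    """Assumption: zone derived from the address. The module's own address is
    SELF, VLAN44 is INTERNAL, and everything else, including the 5.5.5.0/24
    virtual addresses that arrive through the tunnel, is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    if addr in ADDRESSES["localVPNgate"]:
        return "SELF"
    if addr in ADDRESSES["VLAN44"]:
        return "INTERNAL"
    return "EXTERNAL"


def policy_matches(policy, flow: Flow) -> bool:
    from_zone, to_zone, service, src_obj, dst_obj = policy
    if zone_of(flow.src) != from_zone or zone_of(flow.dst) != to_zone:
        return False
    if ipaddress.ip_address(flow.src) not in ADDRESSES[src_obj]:
        return False
    if ipaddress.ip_address(flow.dst) not in ADDRESSES[dst_obj]:
        return False
    svc = SERVICES[service]
    return svc is None or (flow.proto, flow.dport) == svc


def first_matching_policy(flow: Flow) -> Optional[int]:
    """Index of the first permitting policy, or None (assumed default deny)."""
    for index, policy in enumerate(POLICIES):
        if policy_matches(policy, flow):
            return index
    return None


def l2tp_selector_matches(flow: Flow) -> bool:
    """The IPsec policy's traffic selector: UDP, localVPNgate on port 1701,
    L2TPclients on the remote side with the remote port left blank (any)."""
    if flow.proto != "udp":
        return False
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    gate, clients = ADDRESSES["localVPNgate"], ADDRESSES["L2TPclients"]
    if src in clients and dst in gate:  # client -> module: local port is dport
        return flow.dport == 1701
    if src in gate and dst in clients:  # module -> client: local port is sport
        return flow.sport == 1701
    return False


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = {
    "ike_in": Flow("192.168.33.10", "172.24.22.99", "udp", 500, 500),
    "l2tp_in": Flow("192.168.33.10", "172.24.22.99", "udp", 1701, 1701),
    "l2tp_out": Flow("172.24.22.99", "192.168.33.10", "udp", 1701, 1701),
    "inner_dns": Flow("5.5.5.50", "10.1.44.222", "udp", 53123, 53),
    "inner_reply": Flow("10.1.44.222", "5.5.5.50", "udp", 53, 53123),
    "bypass": Flow("192.168.33.10", "10.1.44.222", "tcp", 4000, 80),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        hit = first_matching_policy(flow)
        verdict = "deny" if hit is None else f"permit by policy {hit + 1}"
        print(f"{name:12s} selector={l2tp_selector_matches(flow)!s:5s} {verdict}")
```

The "bypass" flow is the case worth keeping in mind: a client's public address reaching VLAN44 directly matches no policy, because only the virtual addresses in L2TPclientsVIR are permitted inward, so anything that has not come through the L2TP tunnel is dropped.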

9. Create the static route.

   1. Select Network > Routing > Static Routes.

   2. Click Add Static Route.

   3. For Destination Type, select Default Gateway.

   4. For Gateway Address, type 172.24.22.1.

   5. For Metric, accept the default: 0.

   6. Click OK.

10. Click Save.

Windows XP VPN Client

1. On the Windows XP client, click Start > Settings > Network Connections > New Connection. The New Connection Wizard is launched. Click Next.

2. Select Connect to the network at my workplace and click Next.

3. Select Virtual Private Network connection and click Next.

4. For Company Name, type Main Campus and click Next.

5. If the workstation's Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection and click Next.

6. For Host name or IP address, type 172.24.22.99 and click Next.

7. Select whether only the current user can make this connection or all users on this workstation. Click Next.

8. Select the Add a shortcut to this connection to my desktop check box and click Finish.

9. The Connect Main Campus window is displayed.

10. Client A only: For User Name, type user101.

11. Client B only: For User Name, type user102.

12. For Password, type 1234$.

13. In the Connect Main Office window, click Properties.

14. Click the Networking tab.

15. For Type of VPN, select L2TP IPSec VPN.

16. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.

17. Ensure that no values are configured in the Internet Protocol (TCP/IP) Properties window, so that the TMS zl Module can assign the address, gateway and DNS values while the client is connected to the private network. Click OK to exit.

18. Click the Security tab.

19. Click IPSec Settings.

20. Select the Use pre-shared key for authentication check box.

21. For Key, type WindowsL2tpKEY.

22. Click OK to close the Main Office Properties window and return to the Connect Main Office window. Click Connect.

23. After a minute or so, a message informs you that the connection was successful.
