To configure an L2TP (Layer 2 Tunneling Protocol) over IPsec VPN on the Threat Management Services (TMS) zl Module, follow the steps below.

Step 1: Create an L2TP user group.
  Create a user group for L2TP client-to-site users, but do not add users to the group.

Step 2: Create an IKE policy.
  In the IKEv1 policy, you specify the following parameters:
  - Client-to-Site
  - Local Gateway
  - Local and Remote Identities
  - Main or Aggressive Key Exchange Mode
  - Manual Key or Signature Authentication Method
  - Security Parameters Proposal
    - Diffie-Hellman Group
    - Encryption Algorithm
    - Authentication Algorithm
    - IKE SA Lifetime
  - XAUTH (not for Windows clients)

Step 3: If you are using digital certificates, install the certificates.
  You must install:
  - A root certificate for the CA that authenticates the local gateway
  - A root certificate for the CA that authenticates the remote endpoint
  - A self certificate

Step 4: Create named objects.
  It is best practice to create named objects for the firewall and VPN configuration, such as:
  - IP address objects for the gateways or clients
  - IP range address objects for remote clients or dial-in user addresses
  - Network address objects for VLANs or networks
  - Domain name address objects for the gateways
  - Service objects for the VPN protocols

Step 5: Create an IPsec proposal.
  For the IPsec proposal, you configure the following parameters:
  - Tunnel or Transport Encapsulation Mode (you cannot use tunnel mode for Microsoft VPN clients)
  - ESP or AH (you must use ESP for Microsoft VPN clients)
  - Encryption Algorithm for ESP

Step 6: Create an IPsec policy.
  For the IPsec policy, you must configure the following parameters:
  - Apply Action
  - Policy Priority
  - Traffic Selector
    - Protocol = UDP
    - Local Address = Local gateway
    - Local Port = Any (leave the field blank)
    - Remote Address = Actual L2TP client addresses
    - Remote Port = 1701
  - Auto or Manual Key Exchange Method
  - SA Lifetime in Seconds and/or KB
  - Optional Settings
    - IP Compression
    - Anti-Replay Window Size
    - Extended Sequence Number
    - Re-Key on Sequence Number Overflow
    - Persistent Tunnel
    - Fragment Before IPsec
    - Copy DSCP Value from Clear Packet
    - DF Bit Handling

Step 7: Create an L2TP policy.
  In the L2TP policy, you specify the following parameters:
  - IKE policy that you selected for the IPsec policy
  - IPsec proposal that you selected for the IPsec policy
  - SA Lifetime in seconds
  - SA Lifetime in kilobytes
  - (Optional) PFS and DH group
  - (Optional) IP compression

Step 8: Create a dial-in policy.
  You must configure one dial-in policy for each user and specify the following parameters:
  - Dial-in user name (unique)
  - LNS IP address and mask (on an unused subnet that is not a TMS VLAN subnet)
  - User IP address (unique; on the same subnet as the LNS)
  - Authentication (optional: you must edit the Windows Registry to configure the client key)
    - None
    - Authentication Peer
    - Authentication with Peer
    - Both
  - Policy group name (select the group name you configured in Step 1)
  - Authentication Protocol
    - Any
    - PAP
    - CHAP
    - MS-CHAP
  - Username (unique login name for use on the client)
  - Password (for the username above)
  - Default Gateway (same as the LNS address)
  - DNS and (optionally) WINS servers that the client uses for name resolution while connected to the private network

Step 9: Create firewall access policies for the VPN traffic.
  To permit L2TP VPN traffic, you must configure the firewall as follows:
  - User Group = None
    - permit IKE messages between the remote clients and the local gateway
    - permit L2TP messages between the remote clients and the local gateway
    - permit ipsec-nat-t-udp traffic if a NAT device may be in the path
  - User Group = [group configured in Step 1]
    - permit VPN-tunneled traffic between the local endpoints and the remote endpoints

Step 10: Create static routes.
  Ensure that the module knows a route to the actual L2TP client IP addresses. Usually the default gateway is enough, but in some cases you will need to configure a static route to the L2TP clients.

Microsoft Windows VPN clients require special consideration and configuration.
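As an added example (not the module's own configuration interface or any HP tool), the following Python check flags a proposed L2TP-over-IPsec design that violates the constraints from the steps above: transport mode and ESP for Microsoft clients, a UDP/1701 traffic selector, dial-in user addresses on the LNS subnet and off the TMS VLANs, and firewall permits for IKE, L2TP and NAT-T. The dict layout is a hypothetical model of the parameters; UDP ports 500 (IKE) and 4500 (NAT-T) are the standard values and are not stated on this page.

```python
# Hypothetical configuration model (not the TMS zl module's own API): a dict
# mirroring the parameters the procedure asks for. 500/4500 are the standard
# IKE and NAT-T UDP ports; 1701 is L2TP as given in the IPsec policy step.
import ipaddress

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701

def check_design(cfg):
    """Return a list of violations of the constraints the procedure states."""
    problems = []
    prop, sel, dial = cfg["ipsec_proposal"], cfg["traffic_selector"], cfg["dialin"]
    if cfg.get("windows_clients"):
        # Microsoft clients: transport mode and ESP are mandatory (Step 5).
        if prop["mode"] != "transport":
            problems.append("Windows clients need transport mode, not tunnel")
        if prop["protocol"] != "ESP":
            problems.append("Windows clients need ESP, not AH")
    # Traffic selector must match the L2TP channel on the gateway (Step 6).
    if sel["protocol"] != "UDP" or sel["remote_port"] != L2TP_PORT:
        problems.append("traffic selector must be UDP with remote port 1701")
    if sel.get("local_port") not in (None, "any"):
        problems.append("local port must be left blank (any)")
    # Dial-in: users share the LNS subnet, which no TMS VLAN uses (Step 8).
    lns = ipaddress.ip_interface(dial["lns"])
    for name, user in dial["users"].items():
        if ipaddress.ip_address(user) not in lns.network:
            problems.append(f"user {name}: {user} not in LNS subnet {lns.network}")
    for vlan in cfg["tms_vlans"]:
        if lns.network.overlaps(ipaddress.ip_network(vlan)):
            problems.append(f"LNS subnet {lns.network} overlaps TMS VLAN {vlan}")
    if len(set(dial["users"].values())) != len(dial["users"]):
        problems.append("dial-in user IP addresses must be unique")
    # Firewall: IKE, L2TP and, if NAT may be in the path, NAT-T (Step 9).
    allowed = {(r["proto"], r["port"]) for r in cfg["firewall_permits"]}
    needed = {("UDP", IKE_PORT), ("UDP", L2TP_PORT)}
    if cfg.get("nat_in_path"):
        needed.add(("UDP", NAT_T_PORT))
    for proto, port in sorted(needed - allowed):
        problems.append(f"firewall must permit {proto}/{port} to the local gateway")
    return problems

# Constructed sample: a design that a Windows client would reject.
SAMPLE = {
    "windows_clients": True, "nat_in_path": True,
    "ipsec_proposal": {"mode": "tunnel", "protocol": "ESP"},
    "traffic_selector": {"protocol": "UDP", "local_port": None, "remote_port": 1701},
    "dialin": {"lns": "10.99.0.1/24", "users": {"alice": "10.99.0.10", "bob": "10.99.1.11"}},
    "tms_vlans": ["10.0.0.0/8"],
    "firewall_permits": [{"proto": "UDP", "port": 500}, {"proto": "UDP", "port": 1701}],
}
```

Running `check_design(SAMPLE)` reports four findings (tunnel mode, bob off the LNS subnet, the LNS subnet overlapping a TMS VLAN, and the missing NAT-T permit); a design that satisfies every step returns an empty list.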