Create a VPN with L2TP over IPsec

To configure an L2TP (Layer 2 Tunneling Protocol) over IPsec VPN on the Threat Management Services (TMS) zl Module, you must follow the steps below. Each step lists the parameters that you configure for that step.

  1. Create an L2TP user group.

    Create a user group for L2TP client-to-site users, but do not add users to the group.

  2. Create an IKE policy.

    In the IKEv1 policy, you specify the following parameters:

    • Client-to-Site

    • Local Gateway

    • Local and Remote Identities

    • Main or Aggressive Key Exchange Mode

    • Manual Key or Signature Authentication Method

    • Security Parameters Proposal

        • Diffie-Hellman Group

        • Encryption Algorithm

        • Authentication Algorithm

    • IKE SA Lifetime

    • XAUTH (not for Windows clients)

  3. If you are using digital certificates, install the certificates.

    You must install:

    • A root certificate for the CA that authenticates the local gateway

    • A root certificate for the CA that authenticates the remote endpoint

    • A self certificate

  4. Create named objects.

    It is best practice to create named objects for the firewall and VPN configuration, such as:

    • IP address objects for the gateways or clients

    • IP range address objects for remote clients or dial-in user addresses

    • Network address objects for VLANs or networks

    • Domain name address objects for the gateways

    • Service objects for the VPN protocols


  5. Create an IPsec proposal.

    For the IPsec proposal, you configure the following parameters:

    • Tunnel or Transport Encapsulation Mode (you cannot use tunnel mode for Microsoft VPN clients)

    • ESP or AH (you must use ESP for Microsoft VPN clients)

    • Encryption Algorithm for ESP

    • Authentication Algorithm

  6. Create an IPsec policy.

    For the IPsec policy, you must configure the following parameters:

    • Apply Action

    • Policy Priority

    • Traffic Selector

        • Protocol = UDP

        • Local Address = Local gateway

        • Local Port = Any (leave field blank)

        • Remote Address = Actual L2TP client addresses

        • Remote Port = 1701

    • Auto or Manual Key Exchange Method

    • SA Lifetime in Seconds and/or KB

    • Optional Settings

        • IP Compression

        • Anti-Replay Window Size

        • Extended Sequence Number

        • Re-Key on Sequence Number Overflow

        • Persistent Tunnel

        • Fragment Before IPsec

        • Copy DSCP Value from Clear Packet

        • DF Bit Handling

  7. Create an L2TP policy.

    In the L2TP policy, you specify the following parameters:

    • IKE policy that you selected for the IPsec policy

    • IPsec proposal that you selected for the IPsec policy

    • SA Lifetime in seconds

    • SA Lifetime in kilobytes

    • (Optional) PFS and DH group

    • (Optional) IP compression

  8. Create a dial-in policy.

    You must configure one dial-in policy for each user and specify the following parameters:

    • Dial-in user name (unique)

    • LNS IP address and mask (on an unused, non-TMS VLAN subnet)

    • User IP address (unique; on the same subnet as the LNS)

    • Authentication (optional: you must edit the Windows Registry to configure the client key)

        • None

        • Authentication Peer

        • Authentication with Peer

        • Both

    • Policy group name (select the group name you configured in Step 1)

    • Authentication Protocol

        • Any

        • PAP

        • CHAP

        • MS-CHAP

        • None

    • Username (unique login name for use on the client)

    • Password (for the username above)

    • Default Gateway (same as the LNS address)

    • DNS and (optionally) WINS servers that the client uses for address resolution while visiting the private network
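The objects created in Steps 1 through 8 must agree with each other (the L2TP policy reuses the IPsec policy's IKE policy and proposal, the traffic selector is UDP to port 1701, each user's address sits on the LNS subnet, and Microsoft clients need transport mode and ESP without XAUTH). The script below is an added example, not code from the TMS zl Module or its documentation: it models those objects as plain Python dictionaries (the key names, object names and addresses are constructed assumptions, not the module's configuration syntax) and reports every inconsistency it finds, so a configuration can be reviewed before it is applied.

```python
# Consistency checks for an L2TP-over-IPsec client-to-site configuration.
# Added example; dictionary layout, names and addresses are assumptions.
import copy
import ipaddress

L2TP_PORT = 1701  # remote port of the IPsec policy traffic selector (Step 6)

# Constructed sample configuration (placeholder addresses and names).
SAMPLE = {
    "local_gateway": "203.0.113.10",
    "l2tp_group": "l2tp-users",               # Step 1: user group, no members
    "tms_vlan_subnets": ["192.168.10.0/24"],  # subnets already used on TMS VLANs
    "ike_policy": {"name": "ike-l2tp", "xauth": False},
    "ipsec_proposal": {"name": "prop-l2tp", "encapsulation": "transport",
                       "protocol": "ESP"},
    "ipsec_policy": {
        "ike_policy": "ike-l2tp",
        "ipsec_proposal": "prop-l2tp",
        "traffic_selector": {"protocol": "UDP", "local_address": "203.0.113.10",
                             "local_port": None,  # blank = any
                             "remote_address": "198.51.100.0/24",
                             "remote_port": 1701},
    },
    "l2tp_policy": {"ike_policy": "ike-l2tp", "ipsec_proposal": "prop-l2tp"},
    "dialin_policies": [
        {"user": "alice", "lns_address": "10.99.0.1/24", "user_ip": "10.99.0.11",
         "default_gateway": "10.99.0.1", "policy_group": "l2tp-users"},
        {"user": "bob", "lns_address": "10.99.0.1/24", "user_ip": "10.99.0.12",
         "default_gateway": "10.99.0.1", "policy_group": "l2tp-users"},
    ],
}


def check_l2tp_config(cfg, windows_clients=True):
    """Return a list of findings; an empty list means the objects agree."""
    findings = []
    ike, prop = cfg["ike_policy"], cfg["ipsec_proposal"]
    pol, l2tp = cfg["ipsec_policy"], cfg["l2tp_policy"]

    # Steps 2 and 5: restrictions that apply to Microsoft VPN clients.
    if windows_clients:
        if ike.get("xauth"):
            findings.append("ike: XAUTH cannot be used with Windows clients")
        if prop["encapsulation"] != "transport":
            findings.append("proposal: Microsoft clients cannot use tunnel mode")
        if prop["protocol"] != "ESP":
            findings.append("proposal: Microsoft clients require ESP")

    # Step 6: selector is UDP, local gateway, any local port, remote port 1701.
    sel = pol["traffic_selector"]
    if sel["protocol"] != "UDP":
        findings.append("policy: traffic selector protocol must be UDP")
    if sel["local_address"] != cfg["local_gateway"]:
        findings.append("policy: local address must be the local gateway")
    if sel["local_port"] not in (None, "", "any"):
        findings.append("policy: local port must be left blank (any)")
    if sel["remote_port"] != L2TP_PORT:
        findings.append(f"policy: remote port must be {L2TP_PORT}")

    # Step 7: the L2TP policy reuses the IPsec policy's IKE policy and proposal.
    if l2tp["ike_policy"] != pol["ike_policy"]:
        findings.append("l2tp: IKE policy differs from the IPsec policy's")
    if l2tp["ipsec_proposal"] != pol["ipsec_proposal"]:
        findings.append("l2tp: IPsec proposal differs from the IPsec policy's")

    # Step 8: one dial-in policy per user, addressed on an unused LNS subnet.
    tms_nets = [ipaddress.ip_network(n) for n in cfg["tms_vlan_subnets"]]
    seen_users, seen_ips = set(), set()
    for d in cfg["dialin_policies"]:
        lns = ipaddress.ip_interface(d["lns_address"])
        user_ip = ipaddress.ip_address(d["user_ip"])
        tag = f"dialin {d['user']}"
        if d["user"] in seen_users:
            findings.append(f"{tag}: dial-in user name is not unique")
        if user_ip in seen_ips:
            findings.append(f"{tag}: user IP {user_ip} is not unique")
        seen_users.add(d["user"])
        seen_ips.add(user_ip)
        if user_ip not in lns.network:
            findings.append(f"{tag}: user IP is not on the LNS subnet")
        if d["default_gateway"] != str(lns.ip):
            findings.append(f"{tag}: default gateway must equal the LNS address")
        if d["policy_group"] != cfg["l2tp_group"]:
            findings.append(f"{tag}: policy group is not the Step 1 group")
        if any(lns.network.overlaps(n) for n in tms_nets):
            findings.append(f"{tag}: LNS subnet overlaps a TMS VLAN subnet")
    return findings


def misconfigured_example():
    """Break three settings in a copy of SAMPLE and return the findings."""
    bad = copy.deepcopy(SAMPLE)
    bad["ipsec_proposal"]["encapsulation"] = "tunnel"
    bad["ipsec_policy"]["traffic_selector"]["remote_port"] = 1700
    bad["dialin_policies"][1]["user_ip"] = "10.99.1.12"  # off the LNS subnet
    return check_l2tp_config(bad)
```

Running `check_l2tp_config(SAMPLE)` returns no findings, while `misconfigured_example()` reports the tunnel-mode proposal, the wrong remote port and bob's address being off the LNS subnet. Pass `windows_clients=False` to skip the Microsoft-specific restrictions for other client types.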

  9. Create firewall access policies for the VPN traffic.

    To permit L2TP VPN traffic, you must configure the firewall to:

    • User Group = None

        • permit IKE messages between the remote clients and the local gateway

        • permit L2TP messages between the remote clients and the local gateway

        • permit ipsec-nat-t-udp traffic if a NAT device may be in the path

    • User Group = [group configured in Step 1]

        • permit VPN-tunneled traffic between the local endpoints and the remote endpoints

  10. Create static routes.

    For the static routes, you must ensure that the module knows a route to the actual L2TP client IP addresses.

    Usually the default gateway is enough, but in some cases you will need to configure a static route to the L2TP clients.
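Steps 9 and 10 are the ones most often missed: the IKE, L2TP and NAT-T exchanges reach the gateway before any tunnel or user group exists, so they need rules with User Group = None, while the tunneled traffic carries the dial-in user addresses and is matched by the Step 1 group; and the module must have some route, default or static, back to the real client addresses. The following is an added example, not the module's own code or rule syntax: it takes a constructed list of access policies and a constructed routing table (the dictionary and tuple layouts are assumptions) and reports which required policies are absent, and whether the client range has any route at all. The UDP ports 500 and 4500 are the standard IKE and IPsec NAT traversal ports; 1701 is the L2TP port from Step 6.

```python
# Access policy and route checks for L2TP over IPsec (Steps 9 and 10).
# Added example; rule and route layouts are constructed assumptions.
import ipaddress

# Control traffic the firewall must permit before a tunnel exists.
CONTROL_SERVICES = {"ike": 500, "l2tp": 1701, "ipsec-nat-t-udp": 4500}

# Constructed sample rules. user_group None stands for "User Group = None".
SAMPLE_RULES = [
    {"user_group": None, "action": "permit", "src": "198.51.100.0/24",
     "dst": "203.0.113.10", "protocol": "udp", "dst_port": 500},
    {"user_group": None, "action": "permit", "src": "198.51.100.0/24",
     "dst": "203.0.113.10", "protocol": "udp", "dst_port": 1701},
    {"user_group": None, "action": "permit", "src": "198.51.100.0/24",
     "dst": "203.0.113.10", "protocol": "udp", "dst_port": 4500},
    {"user_group": "l2tp-users", "action": "permit", "src": "10.99.0.0/24",
     "dst": "192.168.10.0/24", "protocol": "any", "dst_port": None},
]

# Constructed routing table: (prefix, next hop).
SAMPLE_ROUTES = [("0.0.0.0/0", "203.0.113.1"), ("192.168.10.0/24", "vlan10")]


def _permits(rule, group, src, dst, protocol, port):
    """True if rule is a permit for `group` covering src -> dst, protocol, port."""
    if rule["user_group"] != group or rule["action"] != "permit":
        return False
    src_ok = ipaddress.ip_network(src).subnet_of(ipaddress.ip_network(rule["src"]))
    dst_ok = ipaddress.ip_network(dst).subnet_of(ipaddress.ip_network(rule["dst"]))
    proto_ok = rule["protocol"] in ("any", protocol)
    port_ok = rule["dst_port"] in (None, port)
    return src_ok and dst_ok and proto_ok and port_ok


def missing_access_policies(rules, client_net, gateway, user_net, private_net,
                            group, nat_in_path=True):
    """List the Step 9 access policies that are absent from `rules`."""
    missing = []
    # Control traffic comes from the real client addresses to the local gateway
    # and must be permitted with User Group = None.
    for name, port in CONTROL_SERVICES.items():
        if name == "ipsec-nat-t-udp" and not nat_in_path:
            continue
        if not any(_permits(r, None, client_net, gateway, "udp", port) for r in rules):
            missing.append(f"no-group permit for {name} udp/{port} "
                           f"{client_net} -> {gateway}")
    # Tunneled traffic carries the dial-in user addresses and is matched by the
    # Step 1 group; only an any-protocol, any-port permit covers all of it.
    if not any(_permits(r, group, user_net, private_net, "any", None) for r in rules):
        missing.append(f"{group} permit for tunneled traffic "
                       f"{user_net} -> {private_net}")
    return missing


def next_hop_for(destination, routes):
    """Longest-prefix match of `destination` against (prefix, next_hop) routes.

    Returns None when nothing, not even a default route, covers the L2TP client
    addresses, which is the case in which Step 10 requires a static route.
    """
    dest = ipaddress.ip_network(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]
```

With `SAMPLE_RULES` nothing is missing; dropping the udp/4500 rule is reported only while `nat_in_path` is true, and `next_hop_for("198.51.100.0/24", SAMPLE_ROUTES)` resolves through the default route, whereas a table without a default route returns None and a static route to the clients is needed.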


Microsoft Windows VPN clients require special consideration and configuration.