How to configure L2TP behind NAT

Sometimes it might be necessary to put your USG behind a NAT router, but you still want to build a VPN tunnel to the USG. This tutorial shows how to configure this feature in no-time!

Walkthrough Steps

1. Click on Quick setup > VPN Setup > VPN Settings for L2TP and click "Next"
2. Enter a preshared key and click "Next"
3. Enter a IP-adress pool for clients connecting with L2TP ,click "Next" and click "Close"
4. Go to Object > User > Add. Here you can enter username and password
5. Go to Object > Group > Add. Create a group for L2TP and add all your L2TP users
6. Go to VPN > L2TP VPN. Enable L2TP over IPSec. Also select the correct user group you created above, on the allowed user option
7. Go to VPN > IPSec VPN > VPN connection > click edit on the newly created connection
8. In the left corner of the opened tab, click on Create New object > IPv4 adress
9. Create an Host object with your networks true WAN-IP address (not the WAN IP of the USG only, but of the NAT router in front of it!)
10. Select the just created object on local policy
11. Go to Network > NAT > Add
12. Select 1:1 NAT, enter the (public)WAN-IP on the user defined Original IP
13. Enter the (private) Device WAN-IP on the user defined Mapped IP
14. Go to Object > Service > Service Group and click Add
15. Create a group and select the IKE/L2TP-UDP/NATT Service
16. Go to Security Policy > and click Add
17. In the left corner of the opened tab, click on create new object > Adress
18. Create an Host object with your Local Device IP-address
19. Select on Destination the just created object. (local device IP-address)
20. Select on service-group the above created service-group (IKE/L2TP-UDP/NATT) and click ok
    
    
    

KB-00035