Nebula VPN - Configure L2TP on a Nebula Firewall using Android, iOS, Windows & Linux Ubuntu

This article will show you how to create a L2TP tunnel to your Nebula firewall / gateway (USG FLEX, ATP), via your mobile phone, or PC/computer. How to configure the VPN users, NCC and your clients (Windows, MacOS, Linux Ubuntu, iPhone iOS and how to test the results.

Table of Content

1) Configure L2TP on Nebula Cloud Center

1.1 Enable and Configure Remote VPN

1.2 Configure Cloud Authentication Users

2) Configure L2TP on Windows 10

3) Configure L2TP on MacOS

4) Configure L2TP on Linux Ubuntu

5) Configure L2TP on iPhone iOS

6) Test the Result

6.1 On Windows 10

6.2 On MAC OS

6.3 On Linux Ubuntu

6.4 On iPhone

6.5 On Android

Figure 1 L2TP over IPSec VPN

In Figure1, there are multiple clients that want to access the server that is behind Firewall. To do that, the clients establish the L2TP over IPSec VPN tunnel to Firewall.

Figure 1 L2TP over IPSec VPN

All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested Nebula gateway, switch, APs with the last firmware version on Nebula Center Control (NCC).

1) Configure L2TP on Nebula Cloud Center

1.1 Enable and Configure Remote VPN

Go to

"Firewall > Configure > Remote access VPN"

and configure the parameters.

Client VPN server: L2TP over IPSec client

Client VPN subnet: 192.168.100.0/24

DNS name servers: Use "Specify nameserver..." and select Google DNS and/or the LAN gateway address of the primary LAN subnet of the firewall

WINS: No WINS servers

Secret: <Pre-shared key>

Authentication: Nebula Cloud Authentication

Then click save.

1.2 Configure Cloud Authentication Users

Go to

Organization-wide > Configure > Cloud authentication

select Account type “VPN User” and create(add) user.

Add the email address, username, select a password and allow the user to login to the VPN via "VPN Access". Don't forget to authorize the user to the organization or the site and I prefer to be able to login via the username or the email.
Note: If you only want this account to access a specific site via L2TP, you may select Specified sites in the Authorized section.

Click Save and make sure firewall's configuration status is up to date.

2) Configure L2TP on Windows 10

Create a VPN profile.

"Settings > Network & Internet > VPN > Add a VPN connection"

Configure the required information and click Save.

3) Configure L2TP on MacOS

Create a VPN profile.
```
"System Preferences > Network"
```
Configure required information including firewall’s public IP and account name. Click Authentication Settings to set up passwords and a shared secret(Pre-shared key)
Click Advanced and check “Send all traffic over VPN connection”

If you're having problems with the routing of the VPN traffic, you can also set the IP, subnet mask and gateway to static under "TCP/IP:

4) Configure L2TP on Linux Ubuntu

Create a VPN connection.

"Settings > Network > VPN" and choose L2TP

Configure required information including firewall’s public IP, account name and password.
Configure the Pre-shared key.

Also, “3des-sha1-modp1024” for Phase 1 and “3des-sha1” for Phase 2