This article shows how to configure L2TP over IPSec in Standalone mode for USG FLEX / ATP / VPN Series and how to configure the Wizard, download the configuration, configuring L2TP manually using VPN gateway & connection menu, What to allow in the firewall rules, how to enable internet access for L2TP (no internet), restoring default configuration, setting up VPN users, establish a VPN from LAN, using external servers to authenticate users, troubleshoot using logs, configure MS-CHAPv2.

Table of Content

What is L2TP over IPSec VPN?

Before we begin with the configuration guide, let's give an introduction to the L2TP over IPSec VPN.

L2TP over IPSec combines the Layer 2 Tunneling Protocol (L2TP, which provide a point-to-point connection) with the IPSec protocol. L2TP alone does not provide any encryption of content, and hence the tunnel it's commonly built over a Layer 3 encryption protocol IPsec, having as result the so-called L2TP over IPSec VPN.

In this handbook you can explore all the information needed for L2TP VPN connections in the Zyxel Firewall devices, exploring the configuration methods (via the wizard and manually), the client setup for Windows, MAC and Linux; as well as more advanced setups for authentication, different topologies and troubleshooting on the Firewall devices and the client devices. Virtual lab access is also defined where it's possible to review our setup which can also be used when setting up the remote VPN in your device.

1. Configure L2TP VPN using built-in Wizard

1.1 Navigate to the Wizard

a. Open the Quick Setup Tab and in the pop-up window, select Remote Access VPN Setup:

1.2 Select the L2TP over IPSec Client Scenario

1.3 Configure VPN Configuration

Enter a preferred Pre-Shared Key and select the corresponding WAN interface.

Here you might also decide if the traffic from the Client device to the Internet is allowed (firewall rules and routes) to pass by the Firewall device in case the Client device does not have a split tunnelling set.

Define the address pool for the L2TP users when connected to the VPN. You can also choose the predefined 192.168.51.1-250 range here.

Note: It should not overlap with any existing network on your device.

For DNS choose either ZyWALL or enter a server manually.

1.4 Configure User Authentication

Select an existing user object to add it to the L2TP member list or create a new user via the "Add New User" button.

1.5 Save the Configuration & Download L2TP Configuration

After clicking on save the L2TP tunnel is ready to use.

g. Make sure the firewall rules allow access for ports UDP 4500 and 500 from WAN to Zywall, and that the default Zone IPSec_VPN has access to the network resources. This can be verified in:

Configuration  > Security Policy > Policy Control

2) Setting up the L2TP/IPSec VPN manually

The following describes the steps needed to manually configure an L2TP over IPSec VPN. The topology and application are the same as when using the Wizard, the only difference are the steps in the configuration.

2.1 Configure VPN Gateway

Go to the following path and create a new VPN Gateway:

Configuration > VPN > IPSEC VPN > VPN Gateway

Please press on "Show Advanced Settings". Enter a name for the gateway, choose your WAN interface and add a pre-shared key:

Set the Negotiation Mode to Main and add the following (common) proposals and confirm by clicking OK:

2.2 Configure VPN Connection

Go to the following path and create a new VPN Connection:

 Configuration > VPN > IPSec VPN > VPN Connection

Please press on "Show Advanced Settings". Enter a name of the connection, set the Application Scenario to Remote Access (Server Role) and select the VPN Gateway you created before:

For the Local Policy, create a new IPv4 Address Object (from the "Create New Object" button) for your real WAN IP and then set it to the VPN Connection as Local Policy:

Set the Encapsulation to Transport and add the following proposals and confirm by clicking OK:

2.3 Configure L2TP VPN Settings

Now that the IPSec settings are done, the L2TP settings need to be set up. Go to the following path:

Configuration -> VPN -> L2TP VPN Settings

If needed, create a new local user(s) that will be allowed to connect to the VPN:

Create an L2TP IP address pool with a range of IP addresses that should be used by the clients while connected to the L2TP/IPSec VPN.

Note: This should not conflict with any WAN, LAN, DMZ or WLAN Subnets, even when they are not in use.

2.4 Summarize the L2TP Settings

Now let's set the L2TP settings:

Set the VPN Connection created in 2.2 Configure VPN Connection
An IP Address Pool you can set the L2TP IP range object
The Authentication Method can be set as default for local user authentication
The Allowed users can be set for the user. If multiple users are needed, a group of users can be created on the Object page.
The DNS server(s)and WINS server can be selected to be the Firewall device itself (Zywall) or a customized server IP address.
In case of internet access is needed through the Firewall device while connected to the L2TP/IPSec VPN, make sure the option "Allow Traffic Through WAN Zone" is enabled.
Click on "Apply" to save the settings. With this, the L2TP/IPSec VPN as such is now ready.

3) Must-Have Configurations

3.1 Allow UDP ports 4500 & 500

Make sure the firewall rules allow access for ports UDP 4500 and 500 from WAN to Zywall, and that the default Zone IPSec_VPN has access to the network resources. This can be verified in:

Configuration  > Security Policy > Policy Control

3.2 Enable Internet Access over L2TP via Policy Routes

If some of the traffic from the L2TP clients need to go to the internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.

Go to the following path and add a new Policy Route:

Configuration > Network > Routing > Policy Route

Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to be the L2TP address pool. Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.

For more details on this step, please check the article:

How to let L2TP clients surf via USG

4. Tips & Troubleshooting

4.1 Restoring L2TP VPN default configuration

In some cases, it might be needed to give a fresh start to your L2TP VPN settings in the page:

Configuration > VPN > L2TP VPN

When needed, use the following article the describes the methods to bring the default settings back.

ZyWALL USG: Restore VPN-L2TP Default Configuration

4.2 Setting up the L2TP VPN Clients

L2TP over IPSec is very popular and commonly supported by many end devices platforms with their own built-in clients.

Here are some of the most common ones and how to set them up:

4.3 Advanced setup: Establishing an L2TP VPN from the LAN:

The VPN is a popular function for encrypting packets when transmitting data.

In ZyWALL/USG/ATP’s current design, when the VPN interface is based on WAN1 interface, VPN request must come from WAN1 interface (interface restricted), otherwise, the request will be denied. (e.g. VPN connection came from LAN1)

However, in some scenarios, users may need to establish the VPN tunnel from not only the WAN but also LAN.

This scenario is also supported by ZyWALL/USG/ATP. Users can follow the operating procedure below to turn off the VPN interface restriction so that the VPN connection can come from both the WAN/LAN afterwards.

Topology:

USG Firmware Version:

4.32 or above

USG configuration:

To enable L2TP from LAN, you need to access your device with a terminal connection (Serial, Telnet, SSH) and enter the following commands:

Router> configure terminal
Router(config)# vpn-interface-restriction deactivate
Router(config)# write
Reboot device.

4.4 Advanced setup: Using external servers to authenticate users connecting to L2TP VPN

This section describes how to configure L2TP over IPSec with MS-CHAPv2 on USG/Zywall series. For advanced implementations, the user authentication with Active Directory (AD) servers can be implemented on the L2TP/IPSec VPN authentication.

Scenario:

AD Domain: USG.com (10.214.30.72)

USG110: 10.214.30.103

1. Navigate to Configuration>Object>AAA Server. Enable Domain Authentication for MSCHAP

The credential is usually as same as AD administrator.

2. Go toSystem>Host Name,type the AD domainin Domain Name

This flow is make USG join to the AD domain. The tunnel will be only established successfully only when this part works.

3. Confirm if USG has joined the domain. Navigate to Active Directory Users and Computers>Computers

In this case, you can find the usg110 has join to domain. Also can check the detailed information in the tab Properties>Object by right click.

4. Edit Domain Zone, Put domain name in System> DNS >Domain Zone Forwarder.

Sometimes it may times out during dial-up the tunnel, so you need to configure the following setting, Query interface is where your AD server is located.

5. Check the connection settings on your Windows.

Make sure you have enabled (MS-CHAP v2) and entered pre-shared key in Advanced settings.

6. Check the login information at Monitor page>, The AD user should be on the Current User List once the tunnel is dialed-up successfully.

You can find the user type is L2TP and the user info is external user.

As further information, the following article details which are the supported authentication that are supported by our Firewalls with L2TP/IPSec VPN:

ZyWALL USG - Supported authentication over L2TP

4.5 L2TP Over IPSec VPN - Virtual Lab

Feel free to take a look at our Virtual lab for L2TP VPN setup on our Firewall devices. With this virtual lab you can take a look at the correct configuration for comparison while setting up your environment:

Virtual Lab - End-to-Site VPN (L2TP)

4.6 Troubleshooting

The following provides information on how to troubleshoot common issues that we have identified while setting up the L2TP over IPSec VPN.

If you see [alert] log messages such as below, please check Firewall L2TP Allowed User or User/Group Settings. Client device settings must use the same Username and Password as configured in the Firewall to establish the L2TP VPN
If you see [info] or [error] log message such as below, please check Firewall's Phase 1 Settings. Client device settings must use the same Pre-Shared Key as configured in Firewall's to establish the IKE SA.
If you see that the Phase 1 IKE SA process has been completed but still get [info] log message as below, please check Firewall's Phase 2 Settings. The firewall unit must set the correct Local Policy to establish the IKE SA.
Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
If you cannot access devices in the local network, verify that the devices in the local network set the USG’s IP as their default gateway to utilize the L2TP tunnel.
Make sure the Firewall units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
Verify that the Zone is set correctly in the VPN Connection rule. This should be set to IPSec_VPN Zone so that security policies are applied properly.
Other common configuration issues are detailed here:

Get in contact with our Support team if you are experiencing another type of issue not covered here.

VPN - Configure L2TP over IPSec VPN using PSK [Stand-alone mode]

Table of Content