This handbook covers everything needed for L2TP VPN connections on Zyxel Firewall devices: the configuration methods (via the wizard and manually), the client setup for Windows, macOS and Linux, as well as more advanced setups for authentication, different topologies, and troubleshooting on both the Firewall devices and the client devices. Access to a virtual lab is also provided, where you can review our setup and use it as a reference when setting up the remote VPN on your device.
What is L2TP over IPSec VPN?
Before we begin with the configuration guide, let's give an introduction to the L2TP over IPSec VPN.
L2TP over IPSec combines the Layer 2 Tunneling Protocol (L2TP, which provides a point-to-point connection) with the IPSec protocol. L2TP alone does not encrypt its content, so the tunnel is commonly built over the Layer 3 encryption protocol IPsec, resulting in the so-called L2TP over IPSec VPN.
1. Using the Firewall device's built-in Wizard to set up the L2TP/IPsec VPN
a. Open the Quick Setup Tab and in the pop-up window, select Remote Access VPN Setup:
b. Select the L2TP over IPSec Client Scenario
Configuration > Security Policy > Policy Control
2. Setting up the L2TP/IPSec VPN manually
The following describes the steps needed to manually configure an L2TP over IPSec VPN. The topology and application are the same as when using the Wizard; the only difference is the steps in the configuration.
a. Go to the following path and create a new VPN Gateway:
Configuration > VPN > IPSEC VPN > VPN Gateway
Click "Show Advanced Settings". Enter a name for the gateway, choose your WAN interface and add a pre-shared key:
b. Set the Negotiation Mode to Main and add the following (common) proposals and confirm by clicking OK:
c. Go to the following path and create a new VPN Connection:
Configuration > VPN > IPSec VPN > VPN Connection
Click "Show Advanced Settings". Enter a name for the connection, set the Application Scenario to Remote Access (Server Role) and select the VPN Gateway you created before:
d. For the Local Policy, create a new IPv4 Address Object (from the "Create New Object" button) for your real WAN IP and then set it as the Local Policy of the VPN Connection:
e. Set the Encapsulation to Transport and add the following proposals and confirm by clicking OK:
f. Now that the IPSec settings are done, the L2TP settings need to be set up. Go to the following path:
Configuration > VPN > L2TP VPN Settings
g. If needed, create the local user(s) that will be allowed to connect to the VPN:
h. Create an L2TP IP address pool with a range of IP addresses that should be used by the clients while connected to the L2TP/IPSec VPN.
Note: This should not conflict with any WAN, LAN, DMZ or WLAN Subnets, even when they are not in use.
i. Now let's set the L2TP settings:
- Set VPN Connection to the VPN Connection created in step c
- For the IP Address Pool, select the L2TP IP range object created in step h
- The Authentication Method can be left at default for local user authentication
- The Allowed Users can be set to the user created in step g. If multiple users are needed, a user group can be created on the Object page.
- The DNS server(s) and WINS server can be set to the Firewall device itself (Zywall) or to a custom server IP address.
- If internet access through the Firewall device is needed while connected to the L2TP/IPSec VPN, make sure the option "Allow Traffic Through WAN Zone" is enabled.
- Click "Apply" to save the settings. With this, the L2TP/IPSec VPN itself is now ready.
j. Make sure the firewall rules allow access on UDP ports 500 and 4500 from WAN to Zywall, and that the default IPSec_VPN Zone has access to the network resources. This can be verified in:
Configuration > Security Policy > Policy Control
k. Enable Internet Access over L2TP: If some of the traffic from the L2TP clients needs to go to the internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.
Configuration > Network > Routing > Policy Route
Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to be the L2TP address pool. Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
For more details on this step, please check the article:
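Step h and its Note require that the L2TP address pool does not overlap any WAN, LAN, DMZ or WLAN subnet, including unused ones; the same point returns in the troubleshooting list. As an added example (not Zyxel's code or part of the original article), the following Python script performs that check before the pool is entered on the device. The interface names and addresses are constructed sample values.

```python
"""Check that a candidate L2TP address pool overlaps no local subnet.

Added example (not Zyxel's code). All addresses below are constructed
sample values, not taken from any real device.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: interface subnets as configured on the firewall.
# The unused WLAN subnet is listed on purpose, because the pool must not
# collide with it either (step h, Note).
SUBNETS: Dict[str, str] = {
    "wan1": "203.0.113.2/30",
    "lan1": "192.168.1.0/24",
    "lan2": "192.168.2.0/24",
    "dmz": "192.168.3.0/24",
    "wlan": "192.168.4.0/24",  # not in use, still reserved
}


def pool_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Convert a start-end pool (as entered in the L2TP range object) to CIDR blocks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    return list(ipaddress.summarize_address_range(first, last))


def pool_conflicts(start: str, end: str, subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (interface, subnet) pairs whose subnet overlaps the pool; empty means OK."""
    blocks = pool_networks(start, end)
    hits: List[Tuple[str, str]] = []
    for name, cidr in subnets.items():
        net = ipaddress.IPv4Network(cidr, strict=False)
        if any(net.overlaps(block) for block in blocks):
            hits.append((name, cidr))
    return hits


if __name__ == "__main__":
    # A pool inside the unused WLAN subnet is rejected; a separate range passes.
    print("bad pool:", pool_conflicts("192.168.4.10", "192.168.4.50", SUBNETS))
    print("good pool:", pool_conflicts("192.168.50.10", "192.168.50.50", SUBNETS))
```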
3. Restoring L2TP VPN default configuration
In some cases you may need to reset your L2TP VPN settings on the page:
Configuration > VPN > L2TP VPN
When needed, use the following article that describes the methods to bring the default settings back.
4. Setting up the L2TP VPN Clients
L2TP over IPSec is very popular and is supported by many end-device platforms with their own built-in clients.
Here are some of the most common ones and how to set them up:
- MAC OS:
5. Advanced setup: Establishing an L2TP VPN from the LAN
The following article describes the steps to connect to the L2TP VPN from the LAN of the Firewall device, which may be needed when the client device is at some point connected to the office network.
6. Advanced setup: Using external servers to authenticate users connecting to L2TP VPN
For advanced implementations, users connecting to the L2TP/IPSec VPN can be authenticated against Active Directory (AD) servers. Please check the following article that describes the steps:
For further information, the following article details which authentication methods are supported by our Firewalls for L2TP/IPSec VPN:
7. L2TP Over IPSec VPN - Virtual Lab
Feel free to take a look at our virtual lab for the L2TP VPN setup on our Firewall devices. It lets you compare your configuration with a known-good one while setting up your environment:
The following provides information on how to troubleshoot common issues that we have identified while setting up the L2TP over IPSec VPN.
- If you see [alert] log messages such as below, please check the Firewall's L2TP Allowed User or User/Group settings. The client device must use the same Username and Password as configured on the Firewall to establish the L2TP VPN.
- If you see [info] or [error] log messages such as below, please check the Firewall's Phase 1 settings. The client device must use the same Pre-Shared Key as configured on the Firewall to establish the IKE SA.
- If you see that the Phase 1 IKE SA process has completed but still get [info] log messages such as below, please check the Firewall's Phase 2 settings. The Firewall unit must have the correct Local Policy set to establish the IKE SA.
- Ensure that the L2TP Address Pool does not conflict with any existing LAN1, LAN2, DMZ, or WLAN zones, even if they are not in use.
- If you cannot access devices in the local network, verify that those devices use the USG's IP as their default gateway, so that their return traffic is sent into the L2TP tunnel.
- Make sure the Firewall units’ security policies allow IPSec VPN traffic. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50.
- Verify that the Zone is set correctly in the VPN Connection rule. This should be set to IPSec_VPN Zone so that security policies are applied properly.
- Other common configuration issues are detailed here:
Get in contact with our Support team if you are experiencing another type of issue not covered here.