Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that lets remote clients use the public IP network to communicate securely with servers on a private corporate network. L2TP carries PPP frames over UDP (port 1701) to tunnel the data.
L2TP follows the client/server model. The security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows clients.
2. Click On to enable L2TP server, or click Off to disable it.
3. If you enable L2TP server, enter the following information:
• Listen WAN Interface: Choose the WAN interface on which the L2TP server listens to accept the incoming L2TP VPN connection.
• User Name: Enter the username that all L2TP clients use to access the L2TP server.
• Password: Enter the password that all L2TP clients use to access the L2TP server.
NOTE: All L2TP clients use the same username and password to log into the L2TP server.
• MTU: Enter the MTU size in bytes that can be sent over the network. The valid range is 128 to 1400 bytes. The default value is 1400 bytes.
• Authentication Method: Choose either CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol), or both to authenticate the L2TP clients. Click On to enable CHAP or PAP, or click Off to disable it.
• Address Pool: The L2TP server assigns IP addresses to all L2TP clients. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
• DNS1 IP Address: Enter the IP address of the primary DNS server.
• DNS2 IP Address: Optionally, enter the IP address of the secondary DNS server.
• IPsec: Click On to enable the data encryption over the IPsec VPN tunnel, or click Off to disable it.
• Pre-shared Key: The data encryption over the VPN tunnel uses a pre-shared key for authentication. If you enable IPsec, enter the desired value, which the L2TP client must provide to establish a connection. The pre-shared key must be entered exactly the same here and on the L2TP clients.
4. Click Save to apply your settings.
5. By default, the firewall denies access from the VPN zone to the LAN and voice zones. If you want to allow L2TP clients to access your default VLAN, you must go to the Firewall > Access Control > ACL Rules page and manually create a firewall rule as follows:
NOTE: Choose Create a new address from the drop-down list to create an address object “l2tp_clients” with the IP address range of the L2TP server’s address pool.
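The field constraints the procedure above spells out (MTU range, CHAP/PAP selection, address pool ordering, optional DNS2, pre-shared key required when IPsec is on) can be checked before a configuration is pushed. The following validator is an added example, not the appliance's own code; the `L2TPServerConfig` class, its field names and the sample values are constructed for illustration, and `acl_address_object` only builds the pool-range object that step 5 refers to.

```python
import ipaddress
from dataclasses import dataclass

MTU_MIN, MTU_MAX = 128, 1400  # valid MTU range stated in the guide
@dataclass
class L2TPServerConfig:
    username: str
    password: str
    mtu: int
    chap: bool
    pap: bool
    pool_start: str
    pool_end: str
    dns1: str
    dns2: str = ""       # secondary DNS is optional
    ipsec: bool = False
    psk: str = ""        # pre-shared key, required when ipsec is on

def _ipv4(value, what, errors):
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        errors.append(f"{what}: '{value}' is not a valid IPv4 address")
        return None

def validate(cfg):
    """Return (errors, warnings): errors block saving, warnings are risk notes."""
    errors, warnings = [], []
    if not MTU_MIN <= cfg.mtu <= MTU_MAX:
        errors.append(f"MTU {cfg.mtu} is outside {MTU_MIN}-{MTU_MAX} bytes")
    if not (cfg.chap or cfg.pap):
        errors.append("enable CHAP or PAP (or both)")
    if not (cfg.username and cfg.password):
        errors.append("username and password are required")
    start = _ipv4(cfg.pool_start, "pool start", errors)
    end = _ipv4(cfg.pool_end, "pool end", errors)
    if start is not None and end is not None and start > end:
        errors.append("address pool start must not be above its end")
    _ipv4(cfg.dns1, "DNS1", errors)
    if cfg.dns2:
        _ipv4(cfg.dns2, "DNS2", errors)
    if cfg.ipsec and not cfg.psk:
        errors.append("IPsec is on but the pre-shared key is empty")
    if not cfg.ipsec:
        warnings.append("IPsec off: tunnel data is not encrypted")
    warnings.append("all clients share one username/password")
    return errors, warnings

def acl_address_object(cfg, name="l2tp_clients"):
    return {"name": name, "start": cfg.pool_start, "end": cfg.pool_end}
```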