Managing L2TP VPN

Purpose: Configure Layer 2 Tunneling Protocol Virtual Private Network (L2TP VPN) with IPsec to use as a VPN from remote Windows clients.

Note:

To configure L2TP VPNs, the Cloud Edge gateway appliance must be in routing mode.

Location: Gateways > (gateway name) > USER VPN > L2TP VPN > General

  1. Optionally enable L2TP VPN.
  2. Select one of the following in the drop-down menu for Assign IP address using:
    • IP address pool and then enter the IPv4 address range for the pool in Client network pool.

    • DHCP server and then enter the DHCP server in DHCP server and the interface in Via interface.

    Important:

    Whether you use an IP address pool or a DHCP server to assign IP addresses, the assigned IP addresses must be part of an independent network segment (the network segment is different from network segments used on any other interface).

  3. Enter a key known to both endpoints in Preshared key.

    The key is used to authenticate the L2TP endpoints while establishing the connection.

    Before establishing the connection, the remote user must provide authentication credentials using a Cloud Edge hosted user.

  4. Configure advanced settings.
    • Primary DNS server and Secondary DNS server

      If both the Primary DNS server and Secondary DNS server are left blank, the gateway’s default DNS servers are used as L2TP DNS servers.

    • Primary WINS server and Secondary WINS server

    • MTU

      Supported values are 500 through 1400. This is a required field. The MTU field cannot be left blank.

    • Enable L2TP debug mode

    • Enable dead peer detection

      Dead peer detection identifies inactive or unavailable VPN peers and can help restore resources that are lost when a peer is unavailable. Selecting Enable dead peer detection reestablishes VPN tunnels on idle connections and cleans up dead VPN peers if required.

      Use this option to keep the tunnel connection open when no traffic is being generated inside the tunnel.

    • Enable network masquerade

    • IKE Authentication algorithm

      • MD5

      • SHA1

      • SHA-256

      • SHA-512

      SHA1 is the default.

      See Authentication Algorithms.

    • IPsec authentication algorithm

      • MD5

      • SHA1

      • SHA-256

      • SHA-512

      SHA1 is the default.

    • IKE Debugging

      Enable or disable IKE debugging.

  5. Click Save.

If you do not want all traffic to route through the VPN tunnel, you can configure split tunneling on the Windows client.

  • You must first configure L2TP on the client and connect the L2TP VPN.

  • Disconnect the L2TP connection and right-click on the L2TP new connection and select Properties.

  • You can then select Internet Protocol Version 4 (TCP/IPv4) and click on Properties and then on Advanced.

  • You can deselect Use default gateway on remote network to enable split tunneling. Only traffic destined for the gateway's internal network will route through the L2TP gateway.