Edit the Mobile VPN with L2TP Configuration

We recommend that you use the WatchGuard L2TP Setup Wizard to set up Mobile VPN with L2TP for the first time. For more information, see Use the WatchGuard L2TP Setup Wizard.

You cannot enable IPSec in the Mobile VPN with L2TP configuration if the device configuration already includes a branch office VPN gateway that uses main mode, and a remote gateway with a dynamic IP address. When you activate Mobile VPN with L2TP, the IPSec settings in the L2TP configuration are enabled by default. If IPSec cannot be enabled because of an existing branch office VPN configuration, a warning message appears when you activate Mobile VPN with L2TP. You can choose to enable L2TP without IPSec, but it is less secure and not recommended.

Edit the Virtual IP Address Pool

On the Network tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with L2TP users over the tunnel. The Firebox uses these addresses only when they are needed. The virtual IP address pool must contain at least two IP addresses.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

To add to the virtual IP address pool:

  1. In the Virtual IP Address Pool section, click Add.
    The Add Address Pool dialog box appears.
  2. From the Choose Type drop-down list, select one of these options:
    • Host IPv4 — to add a single IPv4 address
    • Network IPv4 — to add an IPv4 network address
    • Host Range IPv4 — to add a range of IPv4 addresses
  3. Type the host IP address, network IP address, or IP address range to add.
  4. Click OK.

To remove an IP address or address range from the virtual IP address pool:

  1. Select the IP address entry you want to remove.
  2. Click Remove.
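The pool rules above (at least two addresses, entries of type Host IPv4, Network IPv4 or Host Range IPv4) and the "IP address pool overlap" cause listed under troubleshooting can be checked before the pool is committed. The script below is an added example, not WatchGuard code; the pool entries and local networks it checks are constructed sample values, and the "first-last" range syntax is assumed.

```python
import ipaddress
from typing import List, Set, Tuple

Entry = Tuple[str, str]  # (type as shown in the Add Address Pool dialog, value)

# Constructed sample data, not taken from any real Firebox configuration.
SAMPLE_POOL: List[Entry] = [
    ("Host IPv4", "10.99.0.1"),
    ("Host Range IPv4", "10.99.0.10-10.99.0.20"),
    ("Network IPv4", "192.168.1.0/30"),   # overlaps the local network below
]
SAMPLE_LOCAL_NETWORKS = ["192.168.1.0/24", "172.16.0.0/16"]


def expand_entry(entry: Entry) -> Set[ipaddress.IPv4Address]:
    """Expand a Host, Network or Host Range entry into its individual addresses."""
    kind, value = entry
    if kind == "Host IPv4":
        return {ipaddress.IPv4Address(value)}
    if kind == "Network IPv4":
        return set(ipaddress.IPv4Network(value, strict=False))
    if kind == "Host Range IPv4":
        # Assumed range syntax: "first-last"
        first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
        if last < first:
            raise ValueError(f"range end {last} precedes start {first}")
        return {ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)}
    raise ValueError(f"unknown entry type: {kind}")


def validate_pool(pool: List[Entry], local_networks: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the pool passes."""
    problems: List[str] = []
    seen: Set[ipaddress.IPv4Address] = set()
    nets = [ipaddress.IPv4Network(n) for n in local_networks]
    for entry in pool:
        addrs = expand_entry(entry)
        dup = addrs & seen
        if dup:
            problems.append(f"{entry[1]}: {len(dup)} address(es) already in the pool")
        seen |= addrs
        for net in nets:
            clash = [a for a in addrs if a in net]
            if clash:
                problems.append(f"{entry[1]}: {len(clash)} address(es) overlap {net}")
    if len(seen) < 2:
        problems.append("pool must contain at least two IP addresses")
    return problems


if __name__ == "__main__":
    for p in validate_pool(SAMPLE_POOL, SAMPLE_LOCAL_NETWORKS):
        print("PROBLEM:", p)
```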

Edit Network Settings

On the Network tab, in the Mobile VPN with L2TP Configuration dialog box, there are several network settings you can configure. The default values are best for most L2TP configurations. We recommend that you do not change these values unless you are sure the change corrects a known problem.

The settings you can configure are:

Keep Alive Timeout

This specifies how often the Firebox sends the L2TP "Hello" message. The default value is 60 seconds.

Retransmission Timeout

This specifies how long the Firebox waits for a message acknowledgement. A message will be retransmitted if the Firebox does not receive an acknowledgement in this time frame. The default value is 5 seconds.

Maximum Retries

This specifies the maximum number of times the Firebox will retransmit a message. If the maximum number of retries is exceeded, the Firebox closes the connection. The default value is 5.

Maximum Transmission Unit (MTU)

This specifies the maximum packet size to receive in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Maximum Receive Unit (MRU)

This specifies the maximum packet size to send in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Edit Authentication Settings

On the Authentication tab you can configure authentication servers and the authorized users and groups.

Configure Authentication Servers

The labels for the authentication server settings are slightly different in Fireware Web UI than in Policy Manager.

If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.

Configure Users and Groups

If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

To configure the users and groups to authenticate with Mobile VPN with L2TP, from Fireware Web UI:

  1. In the Authentication Users and Groups section, click Add.
    The Add Authentication User or Group text box appears.
  2. Set the Type to Group or User.
  3. In the Name text box, type the name of the group or user.
  4. From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select All if the group can be used with all selected authentication servers.
  5. Click OK.

To configure the users and groups to authenticate with Mobile VPN with L2TP:

  1. In the Authorized Users and Groups section, set the Type to Group or User.
  2. In the Name text box, type the name of the group or user.
  3. From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select All if the group can be used with all selected authentication servers.
  4. Click Add.

For more information about user authentication methods for L2TP, see About L2TP User Authentication.

When you add a user or group and select Firebox-DB as the authentication server, this does not automatically add the user or group to Firebox-DB. Make sure any users or groups you add that use Firebox-DB authentication are also configured in the Firebox authentication settings. For more information, see Configure Your Firebox as an Authentication Server.

Edit L2TP IPSec Settings

Mobile VPN with L2TP can operate with or without IPSec enabled. L2TP with IPSec provides strong encryption and authentication. L2TP without IPSec does not provide strong encryption and authentication. We recommend that you do not disable IPSec in the Mobile VPN with L2TP configuration.

When you enable Mobile VPN with L2TP, IPSec is enabled by default. The only IPSec setting you must configure is the credential method for authentication. The other IPSec Phase 1 settings are set to default values. The default Phase 1 and Phase 2 IPSec settings for Mobile VPN with L2TP are similar to the default Phase 1 and Phase 2 settings in a branch office VPN. You can change them to match the IPSec settings of the L2TP clients you use. The IPSec settings on the L2TP clients must match the settings in the Mobile VPN with L2TP configuration.

Enable or Disable IPSec

  1. Select the IPSec tab.
  2. To disable IPSec for L2TP, clear the Enable IPSec check box.
    To enable IPSec for L2TP, select the Enable IPSec check box.

Configure IPSec Phase 1 Settings

When IPSec is enabled, you must configure the tunnel authentication method in the IPSec Phase 1 settings. You configure the tunnel authentication method in the WatchGuard L2TP Setup Wizard, or you can do it on the IPSec tab.

For more information about advanced Phase 1 settings, see Configure L2TP IPSec Phase 1 Advanced Settings.

Configure IPSec Phase 2 Settings

IPSec Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints. Parameters in the SA can include:

  • Encryption and authentication algorithms used.
  • Lifetime of the SA (in seconds or number of bytes, or both).
  • The IP address of the device for which the SA is established (the device that handles IPSec encryption and decryption on the other side of the VPN, not the computer behind it that sends or receives traffic).
  • Source and destination IP addresses of traffic to which the SA applies.
  • Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming and outgoing).

If users cannot connect to the VPN or to network resources, check for these common causes:

  • Incorrect DNS settings
  • Disabled or deleted policies
  • Incorrect user group settings
  • IP address pool overlap
  • Incorrect route settings

See Also

Mobile VPN with L2TP
