
Internet Access Through a Mobile VPN with L2TP Tunnel

For Mobile VPN with L2TP, we support default-route VPN only. Split tunnel VPN is not supported.

Default-route VPN is the more secure option because all of the remote user's traffic, including Internet traffic, is routed through the VPN tunnel to the Firebox, which then sends it back out to the Internet. With this configuration, the Firebox can inspect and apply policy to all remote user traffic, at the cost of more processing power and bandwidth on the Firebox.

Default-Route VPN Setup for Mobile VPN with L2TP 

In Windows and macOS, and on mobile operating systems, the default setting for an L2TP connection is default-route. You cannot disable this setting on mobile operating systems.

Your Firebox must have a dynamic NAT rule that covers the L2TP address pool, so that traffic from L2TP users is translated to the external interface address when the Firebox sends it back out to the Internet. Any policy that manages traffic going out to the Internet from behind the Firebox must also be configured to allow the L2TP user traffic.

When you configure your default-route VPN:

  • Make sure that the IP addresses you have added to the L2TP address pool are included in your dynamic NAT configuration on the Firebox. This allows remote users to browse the Internet when they send all traffic to the Firebox. The default dynamic NAT rules cover the private ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to Any-External; if your pool uses addresses outside those ranges, add a rule for it.
    From Policy Manager, select Network > NAT.
  • Edit your policy configuration to allow connections from the L2TP-Users group through the external interface.
    For example, if you use WebBlocker to control web access, add the L2TP-Users group to the proxy policy that is configured with WebBlocker enabled.

Enable Default-Route (Full Tunnel) in Windows
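The Windows side of the setup, as an added PowerShell example that is not part of the WatchGuard documentation: it creates the L2TP connection as a default-route (full tunnel) connection, forces that setting on a connection that already exists, and shows the checks to run before and after the user connects. The connection name "Firebox L2TP" and the Firebox external address 203.0.113.10 are assumed placeholders; substitute your own.

```powershell
# Added example, not from the WatchGuard documentation.
# Assumptions (placeholders): connection name "Firebox L2TP", Firebox external
# interface address 203.0.113.10. The pre-shared key is prompted for, not hard-coded.

$vpnName           = 'Firebox L2TP'
$fireboxExternalIp = '203.0.113.10'   # assumption: your Firebox external IP or FQDN

# Read the L2TP pre-shared key without leaving it in the script or shell history.
$pskSecure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$psk = [System.Net.NetworkCredential]::new('', $pskSecure).Password

# Create the connection. On Add-VpnConnection, -SplitTunneling is a switch;
# leaving it out creates a default-route (full tunnel) connection, which is
# also the Windows default for L2TP.
Add-VpnConnection -Name $vpnName `
    -ServerAddress $fireboxExternalIp `
    -TunnelType L2tp `
    -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -Force

# For a connection that already exists, set default-route explicitly.
# Set-VpnConnection takes a Boolean here, unlike Add-VpnConnection.
Set-VpnConnection -Name $vpnName -SplitTunneling $false

# Check before connecting: SplitTunneling must be False.
Get-VpnConnection -Name $vpnName |
    Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling

# Check after the user connects (for example: rasdial $vpnName <user> <password>).
# The default route 0.0.0.0/0 should now appear on the VPN interface with a
# lower metric than the physical NIC's, so all Internet traffic goes to the Firebox.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
```

If the route check shows 0.0.0.0/0 only on the physical adapter while connected, the connection was created with split tunneling enabled; rerun the Set-VpnConnection line and reconnect.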

See Also

Add Network Dynamic NAT Rules
