Use the WatchGuard L2TP Setup Wizard

The WatchGuard L2TP Setup Wizard helps you activate and configure Mobile VPN with L2TP on the Firebox. The setup wizard is available only when Mobile VPN with L2TP is not activated. The wizard prompts you to configure these settings:

  • Authentication server
  • Users and groups
  • Virtual IP address pool
  • Authentication method

Settings not included in the wizard are set to their default values. After you complete the wizard, you can edit the Mobile VPN with L2TP configuration to change settings you specified in the wizard and other settings.

You cannot configure Mobile VPN with L2TP if the device configuration already has a branch office VPN gateway that uses main mode and has a remote gateway with a dynamic IP address.

Before You Begin

Authentication Server

You must configure an authentication server for L2TP user authentication before you enable Mobile VPN with L2TP. Make sure that any users and groups you want to use are added to the authentication server. When you configure Mobile VPN with L2TP, you select an authentication server and specify users and groups.

Mobile VPN with L2TP supports two authentication methods: Local authentication on the Firebox (Firebox-DB) and RADIUS. For more information about supported user authentication methods for L2TP, go to About Mobile VPN with L2TP User Authentication.

Dynamic IP Address

If your Firebox has a dynamic IP address, you can configure dynamic DNS so users can specify a domain name in the client settings to connect to the VPN. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, go to About the Dynamic DNS Service.

Network Access Enforcement

To limit mobile VPN connections to devices that follow corporate policy, you can use network access enforcement. Before you enable network access enforcement for groups specified in the Mobile VPN with LT2P configuration, enable and configure network access enforcement at Subscription Services > Network Access Enforcement (Fireware v12.9 or higher). For more information, go to Network Access Enforcement Overview.

In Fireware v12.5.4 to v12.8.x, this feature was called TDR Host Sensor Enforcement. TDR is now end of life and cannot be used for network access enforcement. In the user interface, this feature is no longer functional but is required by the configuration schema. To enable network access enforcement, we recommend that you upgrade to EDR Core. For more information, go to this Knowledge Base article: Host Sensor Upgrade to Endpoint Security.

Default Settings


When you activate Mobile VPN with L2TP, IPSec is enabled by default with these IPSec settings:

Phase 1 transforms:

  • SHA-1, AES(256), and Diffie-Hellman Group 2
  • SHA-1, AES(256), and Diffie-Hellman Group 20
  • SHA2-256, AES(256), and Diffie-Hellman Group 14

The SA life is 8 hours for all transforms.

Phase 2 proposals:

  • ESP-AES128-SHA1
  • ESP-AES256-SHA256

PFS is disabled by default.

IP Address Pool

By default, the Mobile VPN with L2TP address pool is

We recommend that you do not use the private network ranges or on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.

For more information about virtual IP address pools, go to Virtual IP Addresses and Mobile VPNs.

User Group

When you enable Mobile VPN with L2TP, the Firebox automatically creates a user group named L2TP-Users. You can add other users and groups in the L2TP configuration. The Firebox automatically includes those users and groups in the L2TP-Users group.

For information about user authentication and multi-factor authentication, go to About Mobile VPN with L2TP User Authentication.


When you activate Mobile VPN with L2TP, the Firebox automatically creates three policies: Allow-IKE-to-Firebox, which is a hidden IPSec policy, Allow L2TP-Users, and WatchGuard L2TP.

The Allow L2TP-Users policy allows the groups and users you configured for L2TP authentication to get access to resources on your network. By default, the To list in the policy includes only the alias Any, which means this policy allows Mobile VPN with L2TP users to access to all network resources.

We recommend that you limit which network resources that Mobile VPN with L2TP users can access through the VPN. To do this, you can replace the Allow L2TP-Users policy. For instructions that explain how to replace the Allow L2TP-Users policy, and for more information about L2TP policies, go to About L2TP Policies.

Other Settings

After you complete the wizard, you can configure additional Mobile VPN with L2TP settings that do not appear in the wizard. For information about other settings, go to Edit the Mobile VPN with L2TP Configuration.

Use the L2TP Setup Wizard

The steps to start the wizard changed in Fireware v12.3. To start the wizard in Fireware Web UI v12.2.1 or lower, select VPN > Mobile VPN with L2TP and click Run Wizard. To start the wizard in Policy Manager v12.2.1 or lower, select VPN > Mobile VPN > L2TP > Activate.

To configure other settings, edit the Mobile VPN with L2TP configuration.

When you enable Mobile VPN with L2TP, two policies are automatically added to allow L2TP traffic. For more information, go to About L2TP Policies.

Related Topics

Mobile VPN with L2TP

Edit the Mobile VPN with L2TP Configuration

Troubleshoot Mobile VPN with L2TP