Edit the Mobile VPN with L2TP Configuration

We recommend that you use the WatchGuard L2TP Setup Wizard to set up Mobile VPN with L2TP for the first time. For more information, see Use the WatchGuard L2TP Setup Wizard.

You cannot enable IPSec in the Mobile VPN with L2TP configuration if the device configuration already includes a branch office VPN gateway that uses main mode, and a remote gateway with a dynamic IP address. When you activate Mobile VPN with L2TP, the IPSec settings in the L2TP configuration are enabled by default. If IPSec cannot be enabled because of an existing branch office VPN configuration, a warning message appears when you activate Mobile VPN with L2TP. You can choose to enable L2TP without IPSec, but it is less secure and not recommended.

Edit the Virtual IP Address Pool

On the Network tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with L2TP users over the tunnel. The Firebox uses these addresses only when they are needed. The virtual IP address pool must contain at least two IP addresses.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

To add to the virtual IP address pool:

  1. In the Virtual IP Address Pool section, click Add.
    The Add Address Pool dialog box appears.
  2. From the Choose Type drop-down list, select one of these options:
    • Host IPv4 — to add a single IPv4 address
    • Network IPv4 — to add an IPv4 network address
    • Host Range IPv4 — to add a range of IPv4 addresses
  3. Type the host IP address, network IP address, or IP address range to add.
  4. Click OK.

To remove an IP address or address range from the virtual IP address pool:

  1. Select the IP address entry you want to remove.
  2. Click Remove.
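As an added example (not WatchGuard code), the script below builds a pool from the three entry types the Add Address Pool dialog offers, checks the at-least-two-addresses rule stated above, and flags overlap with existing internal networks, which the troubleshooting list on this page names as a common cause of failed connections. The sample entries and internal networks are constructed values.

```python
# Added example, not part of Fireware: validate a Mobile VPN with L2TP
# virtual IP address pool before committing it on the Network tab.
import ipaddress

def expand_entry(kind, value):
    """Return the set of IPv4 addresses one address-pool entry covers."""
    if kind == "Host IPv4":
        return {ipaddress.IPv4Address(value)}
    if kind == "Network IPv4":
        net = ipaddress.IPv4Network(value, strict=False)
        # Network and broadcast addresses are not assignable to clients,
        # except in /31 and /32 networks where every address is a host.
        return set(net.hosts()) if net.prefixlen < 31 else set(net)
    if kind == "Host Range IPv4":
        start, end = (ipaddress.IPv4Address(x.strip()) for x in value.split("-"))
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
        return {ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)}
    raise ValueError(f"unknown entry type: {kind}")

def check_pool(entries, internal_networks):
    """Return (address_count, problems) for a list of (kind, value) entries.

    Problems are the "fewer than two addresses" rule and any pool address
    that falls inside one of the given internal networks (pool overlap).
    """
    pool = set()
    for kind, value in entries:
        pool |= expand_entry(kind, value)
    problems = []
    if len(pool) < 2:
        problems.append("pool must contain at least two IP addresses")
    nets = [ipaddress.IPv4Network(n, strict=False) for n in internal_networks]
    for addr in sorted(pool):
        for net in nets:
            if addr in net:
                problems.append(f"{addr} overlaps internal network {net}")
                break
    return len(pool), problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real Firebox configuration.
    entries = [("Host Range IPv4", "192.168.113.1-192.168.113.10"),
               ("Host IPv4", "10.0.1.200")]
    count, problems = check_pool(entries, ["10.0.1.0/24", "10.0.2.0/24"])
    print(count, problems)
```

The check expands each entry into individual addresses, so keep pool networks to realistic sizes (a /24 or smaller) rather than feeding it very large prefixes.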

Edit Network Settings

On the Network tab, in the Mobile VPN with L2TP Configuration dialog box, there are several network settings you can configure. The default values are best for most L2TP configurations. We recommend that you do not change these values unless you are sure the change corrects a known problem.

The settings you can configure are:

Keep Alive Timeout

This specifies how often the Firebox sends the L2TP "Hello" message. The default value is 60 seconds.

Retransmission Timeout

This specifies how long the Firebox waits for a message acknowledgement. A message will be retransmitted if the Firebox does not receive an acknowledgement in this time frame. The default value is 5 seconds.

Maximum Retries

This specifies the maximum number of times the Firebox will retransmit a message. If the maximum number of retries is exceeded, the Firebox closes the connection. The default value is 5.

Maximum Transmission Unit (MTU)

This specifies the maximum packet size to receive in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Maximum Receive Unit (MRU)

This specifies the maximum packet size to send in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Edit the DNS Settings

In Fireware v12.2.1 or higher, you can specify DNS settings in the Mobile VPN with L2TP configuration. On the Networking tab, you can select one of these options:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the first two DNS servers you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the DNS servers you specify in this section. For example, if you specify 10.0.2.53 as the DNS server, mobile clients use 10.0.2.53 as the DNS server.

You can specify up to two DNS server IP addresses.

In Fireware v12.2 or lower, you cannot configure DNS settings in the Mobile VPN with L2TP configuration. Clients automatically receive the DNS servers specified in the Network (global) DNS/WINS settings on the Firebox. WINS servers and the domain name suffix are not inherited. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list. For information about the Network DNS/WINS settings, see Configure Network DNS and WINS Servers.

Edit Authentication Settings

On the Authentication tab you can configure authentication servers and the authorized users and groups.

Configure Authentication Servers

The labels for the authentication server settings are slightly different in Fireware Web UI than in Policy Manager.

If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.

Configure Users and Groups

If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

To configure the users and groups to authenticate with Mobile VPN with L2TP, from Fireware Web UI:

  1. In the Users and Groups section, select users and groups for Mobile VPN with L2TP.
  2. To add a new Firebox-DB user or group, select Firebox-DB from the drop-down list.
  3. To add a new RADIUS user or group, select RADIUS from the drop-down list.
  4. To add a new user or group for both Firebox-DB and RADIUS, select Any from the drop-down list.
  5. From the adjacent drop-down list, select User or Group.
  6. Click Add.
    The Firebox User, Firebox Group, or Add User or Group dialog box appears.
  7. Specify the settings for the user or group.

To configure the users and groups to authenticate with Mobile VPN with L2TP, from Policy Manager:

  1. In the Users and Groups section, select users and groups for Mobile VPN with L2TP.
  2. To add a new Firebox-DB user or group, select New > Firebox-DB User/Group.
  3. To add a new RADIUS user or group, select New > External User/Group.
    The Firebox User, Firebox Group, or Add User or Group dialog box appears.
  4. Specify the settings for the user or group.

For more information about user authentication methods for L2TP, see About L2TP User Authentication.

For more information about how to add Firebox-DB users, see Define a New User for Firebox Authentication.

For more information about how to add Firebox-DB groups, see Define a New Group for Firebox Authentication.

For more information about how to add RADIUS users and groups, see Use Users and Groups in Policies.

When you add a user or group and select Firebox-DB as the authentication server, this does not automatically add the user or group to Firebox-DB. Make sure any users or groups you add that use Firebox-DB authentication are also configured in the Firebox authentication settings. For more information, see Configure Your Firebox as an Authentication Server.

Edit L2TP IPSec Settings

Mobile VPN with L2TP can operate with or without IPSec enabled. L2TP with IPSec provides strong encryption and authentication. L2TP without IPSec does not provide strong encryption and authentication. We recommend that you do not disable IPSec in the Mobile VPN with L2TP configuration.

When you enable Mobile VPN with L2TP, IPSec is enabled by default. The only IPSec setting you must configure is the credential method for authentication. The other IPSec Phase 1 settings are set to default values. The default Phase 1 and Phase 2 IPSec settings for Mobile VPN with L2TP are similar to the default Phase 1 and Phase 2 settings in a branch office VPN. You can change them to match the IPSec settings of the L2TP clients you use. The IPSec settings on the L2TP clients must match the settings in the Mobile VPN with L2TP configuration.

Enable or Disable IPSec

  1. Select the IPSec tab.
  2. To disable IPSec for L2TP, clear the Enable IPSec check box.
    To enable IPSec for L2TP, select the Enable IPSec check box.

Configure IPSec Phase 1 Settings

When IPSec is enabled, you must configure the tunnel authentication method in the IPSec Phase 1 settings. You configure the tunnel authentication method in the WatchGuard L2TP Setup Wizard, or you can do it on the IPSec tab.

For more information about advanced Phase 1 settings, see Configure L2TP IPSec Phase 1 Advanced Settings.

Configure IPSec Phase 2 Settings

IPSec Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints. Parameters in the SA can include:

  • Encryption and authentication algorithms used.
  • Lifetime of the SA (in seconds or number of bytes, or both).
  • The IP address of the device for which the SA is established (the device that handles IPSec encryption and decryption on the other side of the VPN, not the computer behind it that sends or receives traffic).
  • Source and destination IP addresses of traffic to which the SA applies.
  • Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming and outgoing).

If users cannot connect to the VPN or to network resources, check for these common causes:

  • Incorrect DNS settings
  • Disabled or deleted policies
  • Incorrect user group settings
  • IP address pool overlap
  • Incorrect route settings

See Also

Mobile VPN with L2TP
