Edit the Mobile VPN with L2TP Configuration

We recommend that you use the WatchGuard L2TP Setup Wizard to set up Mobile VPN with L2TP for the first time. For more information, go to Use the WatchGuard L2TP Setup Wizard.

You cannot enable IPSec in the Mobile VPN with L2TP configuration if the device configuration already includes a branch office VPN gateway that uses main mode, and a remote gateway with a dynamic IP address. When you activate Mobile VPN with L2TP, the IPSec settings in the L2TP configuration are enabled by default. If IPSec cannot be enabled because of an existing branch office VPN configuration, a warning message shows when you activate Mobile VPN with L2TP. You can choose to enable L2TP without IPSec, but it is less secure and not recommended.

Edit the Virtual IP Address Pool

On the Network tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with L2TP users over the tunnel. The Firebox uses these addresses only when they are needed. The virtual IP address pool must contain at least two IP addresses.

For more information about virtual IP addresses, go to Virtual IP Addresses and Mobile VPNs.

To add to the virtual IP address pool:

  1. In the Virtual IP Address Pool section, click Add.
    The Add Address Pool dialog box opens.
  2. From the Choose Type drop-down list, select one of these options:
    • Host IPv4 — to add a single IPv4 address
    • Network IPv4 — to add an IPv4 network address
    • Host Range IPv4 — to add a range of IPv4 addresses
  3. Type the host IP address, network IP address, or IP address range to add.
  4. Click OK.

To remove an IP address or address range from the virtual IP address pool:

  1. Select the IP address entry you want to remove.
  2. Click Remove.
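The pool rules above (three entry types, at least two addresses) are easy to get wrong when typed by hand. The following Python is an added example, not part of the original page or WatchGuard's code: it expands each pool entry the way the Choose Type drop-down describes it and reports the problems a practitioner would want flagged before clicking OK. The `INTERNAL_NETWORKS` list is constructed for the example, and the overlap check rests on the assumption, taken from the linked topic on virtual IP addresses rather than stated on this page, that pool addresses must not fall inside a network the Firebox already has an interface on.

```python
import ipaddress

# Constructed example data (not from the page): networks the Firebox already
# routes.  Pool addresses inside these would be ambiguous once the tunnel is up.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]

MIN_POOL_SIZE = 2  # the page requires at least two addresses in the pool


def expand_pool_entry(entry_type, value):
    """Expand one Virtual IP Address Pool entry into a list of host addresses.

    entry_type mirrors the Choose Type drop-down ("Host IPv4", "Network IPv4",
    "Host Range IPv4"); value is the text typed in step 3.
    """
    if entry_type == "Host IPv4":
        return [ipaddress.ip_address(value)]
    if entry_type == "Network IPv4":
        # Usable hosts only: network and broadcast addresses are excluded.
        net = ipaddress.ip_network(value, strict=False)
        return list(net.hosts())
    if entry_type == "Host Range IPv4":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if last < first:
            raise ValueError(f"range {value!r} is backwards")
        return [ipaddress.ip_address(int(first) + i)
                for i in range(int(last) - int(first) + 1)]
    raise ValueError(f"unknown entry type {entry_type!r}")


def validate_pool(entries, internal_networks=INTERNAL_NETWORKS):
    """Return (ok, problems) for a proposed pool.

    Checks that every entry parses, that no address is listed twice, that no
    address overlaps an internal network (assumed requirement, see lead-in),
    and that the pool holds at least MIN_POOL_SIZE addresses.
    """
    problems = []
    seen = set()
    for entry_type, value in entries:
        try:
            addrs = expand_pool_entry(entry_type, value)
        except ValueError as exc:
            problems.append(f"{entry_type} {value!r}: {exc}")
            continue
        for addr in addrs:
            if addr in seen:
                problems.append(f"{addr} is listed more than once")
            seen.add(addr)
            for net in internal_networks:
                if addr in net:
                    problems.append(f"{addr} overlaps internal network {net}")
                    break
    if len(seen) < MIN_POOL_SIZE:
        problems.append(
            f"pool has {len(seen)} address(es); need at least {MIN_POOL_SIZE}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = validate_pool([("Host Range IPv4", "192.168.113.10-192.168.113.20")])
    print("range pool ok:", ok, problems)
    ok, problems = validate_pool([("Network IPv4", "10.0.2.0/29")])
    print("overlapping pool ok:", ok, problems)
```

Run it against the entries you intend to add; a pool drawn from a dedicated, otherwise unused subnet passes, while a single host or anything carved out of an existing interface network is reported before it reaches the Firebox.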

Edit Network Settings

On the Network tab, in the Mobile VPN with L2TP Configuration dialog box, there are several network settings you can configure. The default values are best for most L2TP configurations. We recommend that you do not change these values unless you are sure the change corrects a known problem.

The settings you can configure are:

Keep Alive Timeout

This specifies how often the Firebox sends the L2TP "Hello" message. The default value is 60 seconds.

Retransmission Timeout

This specifies how long the Firebox waits for a message acknowledgement. A message will be retransmitted if the Firebox does not receive an acknowledgement in this time frame. The default value is 5 seconds.

Maximum Retries

This specifies the maximum number of times the Firebox will retransmit a message. If the maximum retries is exceeded, the Firebox closes the connection. The default value is 5.

Maximum Transmission Unit (MTU)

This specifies the maximum packet size the Firebox sends in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Maximum Receive Unit (MRU)

This specifies the maximum packet size the Firebox accepts in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Edit the DNS Settings

In Fireware v12.2.1 or higher, you can specify DNS settings in the Mobile VPN with L2TP configuration. On the Network tab, you can select one of these options:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the first two DNS servers you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the DNS servers you specify in this section. For example, if you specify 10.0.2.53 as the DNS server, mobile clients use 10.0.2.53 as the DNS server.

You can specify up to two DNS server IP addresses.

You cannot specify a domain name suffix in the Mobile VPN with L2TP settings on the Firebox. L2TP VPN clients do not use the domain name configured in the Firebox network DNS settings as a suffix. To manually configure these settings for the Windows 10 VPN client, go to Configure DNS server and suffix settings in IKEv2 and L2TP VPN clients in the WatchGuard Knowledge Base.

In Fireware v12.2 or lower, you cannot configure DNS settings in the Mobile VPN with L2TP configuration. Clients automatically receive the DNS servers specified in the Network (global) DNS/WINS settings on the Firebox. WINS servers and the domain name suffix are not inherited. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list. For information about the Network DNS/WINS settings, go to Configure Network DNS and WINS Servers.

Edit Authentication Settings

On the Authentication tab you can configure authentication servers and the authorized users and groups.

Configure Authentication Servers (Fireware v12.5 or Higher)

Configure Authentication Servers (Fireware v12.4.1 or Lower)

If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, go to Connect from an L2TP VPN Client.

Configure Users and Groups

If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

To configure the users and groups to authenticate with Mobile VPN with L2TP, from Fireware Web UI:

  1. Select VPN > Mobile VPN.
  2. In the L2TP section, click Configure.
  3. Click the Authentication tab.
  4. In the Users and Groups section, select users and groups for Mobile VPN with L2TP.
  5. To add a new Firebox-DB user or group, select Firebox-DB from the drop-down list.
  6. To add a new RADIUS user or group, select RADIUS from the drop-down list.
  7. To add a new user or group for both Firebox-DB and RADIUS, select Any from the drop-down list.
  8. From the adjacent drop-down list, select User or Group.
  9. Click Add.
    The Firebox User, Firebox Group, or Add User or Group dialog box opens.
  10. Specify the settings for the user or group.
  11. (Optional) To apply network access enforcement settings to Mobile VPN with L2TP groups:
    1.  Select the check box for a group.
    2. In the Network Access Enforcement column, select Yes.
  12. To disable enforcement for a group, select the check box for that group and select No.

In Fireware v12.5.4 to v12.8.x, this feature was called TDR Host Sensor Enforcement. TDR is now end of life and cannot be used for network access enforcement. In the user interface, this feature is no longer functional but is required by the configuration schema. To enable network access enforcement, we recommend that you upgrade to EDR Core. For more information, go to this Knowledge Base article: Host Sensor Upgrade to Endpoint Security.

To configure the users and groups to authenticate with Mobile VPN with L2TP, from Policy Manager:

  1. Select VPN > Mobile VPN > L2TP.
  2. Click the Authentication tab.
  3. In the Users and Groups section, select users and groups for Mobile VPN with L2TP.
  4. To add a new Firebox-DB user or group, select New > Firebox-DB User/Group.
  5. To add a new RADIUS user or group, select New > External User/Group.
    The Firebox User, Firebox Group, or Add User or Group dialog box opens.
  6. Specify the settings for the user or group.
  7. (Optional) To apply enforcement settings to Mobile VPN with L2TP groups:
    1. Select the check box for a group.
    2. Select the Network Access Enforcement check box.
  8. To disable enforcement for a group, select the check box for that group and clear the Network Access Enforcement check box.

For more information about network access enforcement, go to Network Access Enforcement Overview.

For more information about user authentication methods for L2TP, go to About Mobile VPN with L2TP User Authentication.

For more information about how to add Firebox-DB users, go to Define a New User for Firebox Authentication.

For more information about how to add Firebox-DB groups, go to Define a New Group for Firebox Authentication.

For more information about how to add RADIUS users and groups, go to Use Users and Groups in Policies.

When you add a user or group and select Firebox-DB as the authentication server, this does not automatically add the user or group to Firebox-DB. Make sure any users or groups you add that use Firebox-DB authentication are also configured in the Firebox authentication settings. For more information, go to Configure Your Firebox as an Authentication Server.
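The Users and Groups rules described above (exact, case-sensitive names; an entry bound to one authentication server or to Any; the default L2TP-Users group on Firebox-DB) determine who can bring a tunnel up, and a case mismatch is a common reason a correctly authenticated user is still refused. The following Python is an added example, not code from the page or from WatchGuard: it models that authorization decision and reports the likely cause of a denial. The `L2TP_ENTRIES` configuration and the test users are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedEntry:
    name: str    # exact, case-sensitive name as it exists on the authentication server
    kind: str    # "User" or "Group"
    server: str  # "Firebox-DB", "RADIUS", or "Any"


# Constructed configuration (not from the page): the default L2TP-Users group on
# Firebox-DB, a RADIUS-only group, and one user allowed from either server.
L2TP_ENTRIES = [
    AuthorizedEntry("L2TP-Users", "Group", "Firebox-DB"),
    AuthorizedEntry("VPN-Engineering", "Group", "RADIUS"),
    AuthorizedEntry("oncall", "User", "Any"),
]


def is_authorized(user, server, groups, entries=L2TP_ENTRIES):
    """Decide whether a user who authenticated on `server`, and whom that server
    reports as a member of `groups`, may use Mobile VPN with L2TP.

    Names are compared exactly (case-sensitive), and an entry whose server is
    "Any" matches users from every authentication server.
    """
    for entry in entries:
        if entry.server not in ("Any", server):
            continue
        if entry.kind == "User" and entry.name == user:
            return True
        if entry.kind == "Group" and entry.name in groups:
            return True
    return False


def explain_denial(user, server, groups, entries=L2TP_ENTRIES):
    """Best-effort reason for a denial, checked in the order an admin would."""
    for entry in entries:
        candidates = [user] if entry.kind == "User" else list(groups)
        for name in candidates:
            if name == entry.name and entry.server not in ("Any", server):
                return (f"{entry.kind} {name!r} is configured for {entry.server}, "
                        f"but the user authenticated on {server}")
            if name != entry.name and name.lower() == entry.name.lower():
                return (f"{entry.kind} {name!r} differs from the configured "
                        f"{entry.name!r} only by case")
    return "no configured user or group matches"


if __name__ == "__main__":
    print(is_authorized("alice", "Firebox-DB", ["L2TP-Users"]))
    print(explain_denial("bob", "RADIUS", ["l2tp-users"]))
```

The second helper is the check to run when a user authenticates successfully but is still refused: the two usual answers are a group name that differs only by case from the one on the authentication server, and a group bound to one server while the user logged in through another.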

Edit L2TP IPSec Settings

Mobile VPN with L2TP can operate with or without IPSec enabled. L2TP with IPSec provides strong encryption and authentication of the tunnel. L2TP without IPSec does not encrypt the tunnel, so the PPP session and everything carried inside it are exposed on the wire. We recommend that you do not disable IPSec in the Mobile VPN with L2TP configuration.

When you enable Mobile VPN with L2TP, IPSec is enabled by default. The only IPSec setting you must configure is the credential method for authentication. The other IPSec Phase 1 settings are set to default values. The default Phase 1 and Phase 2 IPSec settings for Mobile VPN with L2TP are similar to the default Phase 1 and Phase 2 settings in a branch office VPN. You can change them to match the IPSec settings of the L2TP clients you use. The IPSec settings on the L2TP clients must match the settings in the Mobile VPN with L2TP configuration.

Enable or Disable IPSec

  1. Select the IPSec tab.
  2. To disable IPSec for L2TP, clear the Enable IPSec check box.
    To enable IPSec for L2TP, select the Enable IPSec check box.

Configure IPSec Phase 1 Settings

When IPSec is enabled, you must configure the tunnel authentication method in the IPSec Phase 1 settings. You configure the tunnel authentication method in the WatchGuard L2TP Setup Wizard, or you can do it on the IPSec tab.

For more information about advanced Phase 1 settings, go to Configure L2TP IPSec Phase 1 Advanced Settings.

Configure IPSec Phase 2 Settings

IPSec Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints. Parameters in the SA can include:

  • Encryption and authentication algorithms used.
  • Lifetime of the SA (in seconds or number of bytes, or both).
  • The IP address of the device for which the SA is established (the device that handles IPSec encryption and decryption on the other side of the VPN, not the computer behind it that sends or receives traffic).
  • Source and destination IP addresses of traffic to which the SA applies.
  • Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming and outgoing).
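Two points above are easier to see in code than in prose: the client's Phase 2 settings must match the Firebox's, and an SA carries both a time lifetime and a byte lifetime, with one SA per direction. The following Python is an added example, not code from the page or from WatchGuard's implementation: it models an SA with the parameters listed above, negotiates a proposal by exact algorithm match, and decides when an SA has to be rekeyed. The algorithm names, lifetimes and addresses are constructed for the example; the rule that the agreed lifetime is the smaller of the two sides' non-zero values is an assumption, not something the page states.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "AES-256"
    authentication: str   # e.g. "SHA-256"
    life_seconds: int     # 0 means no time limit
    life_bytes: int       # 0 means no byte limit


@dataclass
class SecurityAssociation:
    peer_ip: str          # the IPSec endpoint on the far side, not a host behind it
    src: str              # source of traffic this SA applies to
    dst: str              # destination of traffic this SA applies to
    direction: str        # "in" or "out": one SA per direction
    proposal: Proposal
    age_seconds: int = 0  # time since the SA was established
    bytes_seen: int = 0   # bytes protected so far


def negotiate(firebox: Proposal, client: Proposal) -> Optional[Proposal]:
    """Return the agreed proposal, or None when the algorithms do not match.

    Algorithms must match exactly.  Lifetimes are taken as the smaller non-zero
    value on each axis (assumption for this example).
    """
    if (firebox.encryption, firebox.authentication) != (client.encryption, client.authentication):
        return None

    def smaller(a: int, b: int) -> int:
        limits = [v for v in (a, b) if v > 0]
        return min(limits) if limits else 0

    return Proposal(firebox.encryption, firebox.authentication,
                    smaller(firebox.life_seconds, client.life_seconds),
                    smaller(firebox.life_bytes, client.life_bytes))


def build_sa_pair(firebox_ip: str, peer_ip: str, agreed: Proposal) -> List[SecurityAssociation]:
    """One SA per direction for the traffic between the Firebox and the peer."""
    return [
        SecurityAssociation(peer_ip, firebox_ip, peer_ip, "out", agreed),
        SecurityAssociation(peer_ip, peer_ip, firebox_ip, "in", agreed),
    ]


def needs_rekey(sa: SecurityAssociation) -> bool:
    """True once either lifetime limit that is set has been reached."""
    p = sa.proposal
    by_time = p.life_seconds > 0 and sa.age_seconds >= p.life_seconds
    by_bytes = p.life_bytes > 0 and sa.bytes_seen >= p.life_bytes
    return bool(by_time or by_bytes)


if __name__ == "__main__":
    fb = Proposal("AES-256", "SHA-256", 28800, 0)
    client = Proposal("AES-256", "SHA-256", 3600, 500_000_000)
    agreed = negotiate(fb, client)
    print("agreed:", agreed)
    print("mismatch:", negotiate(fb, Proposal("AES-128", "SHA-256", 3600, 0)))
    sas = build_sa_pair("203.0.113.1", "198.51.100.7", agreed)
    sas[0].age_seconds = 3600
    print("rekey needed:", needs_rekey(sas[0]), needs_rekey(sas[1]))
```

When a client fails in Phase 2, compare its proposal with the Firebox's the same way `negotiate` does: any difference in encryption or authentication algorithm yields no SA at all, while a lifetime difference only changes how soon the tunnel rekeys.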

If users cannot connect to the VPN or to network resources, go to Troubleshoot Mobile VPN with L2TP.

Related Topics

Mobile VPN with L2TP

Troubleshoot Mobile VPN with L2TP