Use the WatchGuard L2TP Setup Wizard

The WatchGuard L2TP Setup Wizard helps you activate and configure Mobile VPN with L2TP. The setup wizard is only available when Mobile VPN with L2TP has not been activated. Any Mobile VPN with L2TP settings not configurable in the wizard are set to their default values. When you activate Mobile VPN with L2TP, IPSec is enabled by default.

Before you Begin

When you configure Mobile VPN with L2TP, you select an authentication server and add users and groups for authentication. Make sure that the authentication server you want to use for L2TP user authentication is configured before you enable Mobile VPN with L2TP. Also, make sure that any users and groups you want to use are added to the authentication server.

For more information about supported user authentication methods for L2TP, see About L2TP User Authentication.

You cannot configure Mobile VPN with L2TP if the device configuration already has a branch office VPN gateway that uses main mode and has a remote gateway with a dynamic IP address.

Start the L2TP Setup Wizard

  1. Select VPN > Mobile VPN with L2TP.
    The Mobile VPN with L2TP page appears.

Screen shot of the Mobile VPN with L2TP page, Mobile VPN with L2TP disabled

  2. Click Run Wizard.
    The WatchGuard L2TP Setup Wizard appears.
  3. Click Next.
    A list of configured authentication servers appears.

Screen shot of the Mobile VPN with L2TP Setup Wizard, user authentication page.

  4. Select the check box for each authentication server you want to use for Mobile VPN with L2TP user authentication. You can use the internal XTM device database (Firebox-DB) or a RADIUS server if you have configured one.
    For more information about user authentication methods for L2TP, see About L2TP User Authentication.
  5. If you selected more than one authentication server, select the server you want to be the default server. Click Make Default to move that server to the top of the list.
    If users do not specify the authentication server as part of the user name when they authenticate from an L2TP client, Mobile VPN with L2TP uses the default authentication server.

If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.

  6. Click Next.
    The Authentication Users and Groups page appears. The L2TP-Users group is automatically added by default.

Screen shot of the Mobile VPN with L2TP Setup Wizard - Authentication Users and Groups page

  7. Click Add to add a user or group to authenticate with Mobile VPN with L2TP.
    The Add Authentication User or Group dialog box appears.

Screen shot of the Add Authentication User or Group dialog box.

If you use the Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

  8. After you configure users and groups, click Next.
    The Virtual IP Address Pool page appears.
  9. Click Add.
    The Add Address Pool dialog box appears.

Screen shot of the Add Address Pool dialog box

  10. In the Choose Type drop-down list, select whether to add an IPv4 host address, network address, or address range. You must add at least two IP addresses to the virtual IP address pool. Type the IP address or range and click OK.
    The address is added to the virtual IP address pool.

Screen shot of the Mobile VPN with L2TP Setup Wizard, Virtual IP Address Pool page

For more information about virtual IP address pools, see Virtual IP Addresses and Mobile VPNs.

  11. After you define the virtual IP address pool, click Next.
    The Select the tunnel authentication method page appears.

Screen shot of the Mobile VPN with L2TP Setup Wizard, tunnel authentication method page

  12. Select an option for IPSec tunnel authentication. There are two options:

Use Pre-Shared Key

Type or paste the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP client.

Use IPSec Firebox Certificate

Select the certificate to use from the table. You must have already imported a certificate to the XTM device to use this option.

For more information, see Certificates for Mobile VPN with L2TP Tunnel Authentication.

  13. Click Next.
  14. Click Finish to exit the wizard and save the configuration.

When you activate Mobile VPN with L2TP, Policy Manager automatically creates two policies to allow the traffic. For more information, see About L2TP Policies.
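
The pool rule from the Virtual IP Address Pool step (host, network, or range entries, with at least two addresses in total) can be checked before the values are typed into the wizard. The following Python is an added example, not WatchGuard code; the entry notation (CIDR for networks, start-end for ranges) and the sample addresses are assumptions of this example.

```python
import ipaddress

MIN_POOL_ADDRESSES = 2  # the wizard requires at least two addresses in the pool


def entry_to_range(entry):
    """Return (first, last) as integers for one pool entry.

    Notation assumed by this example:
      host     10.0.50.10
      network  10.0.50.0/28
      range    10.0.50.20-10.0.50.29
    """
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {entry}")
        return int(lo), int(hi)
    if "/" in entry:
        # strict=True rejects a network written with host bits set
        net = ipaddress.IPv4Network(entry, strict=True)
        return int(net.network_address), int(net.broadcast_address)
    host = ipaddress.IPv4Address(entry)
    return int(host), int(host)


def pool_size(entries):
    """Count the distinct addresses covered, merging overlapping entries."""
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in sorted(entry_to_range(e) for e in entries):
        if cur_hi is not None and lo <= cur_hi + 1:
            cur_hi = max(cur_hi, hi)          # overlaps or touches current run
        else:
            if cur_hi is not None:
                total += cur_hi - cur_lo + 1  # close the previous run
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        total += cur_hi - cur_lo + 1
    return total


def check_pool(entries):
    """Return (size, ok); ok is True when the pool meets the minimum."""
    size = pool_size(entries)
    return size, size >= MIN_POOL_ADDRESSES


if __name__ == "__main__":
    sample = ["10.0.50.0/28", "10.0.50.10-10.0.50.20"]  # constructed sample
    print(check_pool(sample))
```

Overlapping entries are counted once, so a pool that lists the same host twice still fails the two-address minimum.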

See Also

Edit the Mobile VPN with L2TP Configuration
