Edit the Mobile VPN with L2TP Configuration

We recommend that you use the WatchGuard L2TP Setup Wizard to set up Mobile VPN with L2TP for the first time. For more information, see Use the WatchGuard L2TP Setup Wizard.

To edit the Mobile VPN with L2TP configuration:

  1. Select VPN > Mobile VPN with L2TP.
  2. Click Configure.
    The Mobile VPN with L2TP page appears.

Screen shot of the Mobile VPN with L2TP page, Network tab

  3. Select the Activate Mobile VPN with L2TP check box, if Mobile VPN with L2TP is not already activated.
    Mobile VPN with L2TP is enabled, and IPSec is enabled in the configuration by default.
  4. Use the information in the subsequent sections to configure Mobile VPN with L2TP settings.

You cannot enable IPSec in the Mobile VPN with L2TP configuration if the device configuration already includes a branch office VPN gateway that uses main mode, and a remote gateway with a dynamic IP address. When you activate Mobile VPN with L2TP, the IPSec settings in the L2TP configuration are enabled by default. If IPSec cannot be enabled because of an existing branch office VPN configuration, a warning message appears when you activate Mobile VPN with L2TP. You can choose to enable L2TP without IPSec, though that is less secure and is not recommended.

Edit the Virtual IP Address Pool

On the Network tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with L2TP users over the tunnel. The XTM device uses these addresses only when they are needed. The virtual IP address pool must contain at least two IP addresses.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

To add to the virtual IP address pool:

  1. In the Virtual IP Address Pool section, click Add.
  2. From the Choose Type drop-down list, select one of these options:
  3. Type the host IP address, network IP address, or IP address range to add.
  4. Click OK.

To remove an IP address or address range from the virtual IP address pool:

  1. Select the IP address entry you want to remove.
  2. Click Remove.
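The following script is an added example and is not WatchGuard code. It models the three kinds of entry the Virtual IP Address Pool accepts (a host IP address, a network IP address, and an IP address range) with the Python `ipaddress` module, counts the addresses the pool contains, and applies the rule stated above that the pool must hold at least two addresses. The string syntax for the three entry types and the overlap check between entries are assumptions made for this example; the documentation does not specify either.

```python
"""Validate the entries of a Mobile VPN with L2TP virtual IP address pool.

Added example, not WatchGuard code. The entry forms below (host, network,
range) and their string syntax are assumptions made for this example; the
"at least two addresses" rule is the one the documentation states. The
overlap check is an extra sanity check the documentation does not mention.
"""
import ipaddress
from typing import Dict, List, Set, Tuple


def parse_pool_entry(entry: str) -> Set[ipaddress.IPv4Address]:
    """Expand one pool entry into the set of addresses it contributes.

    Accepted forms (assumed syntax):
      "10.0.200.5"              a single host IP address
      "10.0.200.0/29"           a network IP address
      "10.0.200.10-10.0.200.20" an inclusive IP address range
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = (part.strip() for part in entry.split("-", 1))
        start = ipaddress.IPv4Address(start_s)
        end = ipaddress.IPv4Address(end_s)
        if end < start:
            raise ValueError(f"range end precedes range start: {entry}")
        return {ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)}
    if "/" in entry:
        # The documentation does not say whether the network and broadcast
        # addresses of a network entry are handed out, so every address counts.
        return set(ipaddress.IPv4Network(entry, strict=True))
    return {ipaddress.IPv4Address(entry)}


def validate_pool(entries: List[str]) -> Dict[str, object]:
    """Check a whole pool and report its size, overlapping entries and problems."""
    expanded = {e: parse_pool_entry(e) for e in entries}
    all_addresses: Set[ipaddress.IPv4Address] = set()
    for addresses in expanded.values():
        all_addresses |= addresses

    # Two entries that share an address hand out the same address twice.
    overlaps: List[Tuple[str, str]] = []
    names = list(expanded)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if expanded[first] & expanded[second]:
                overlaps.append((first, second))

    problems: List[str] = []
    if len(all_addresses) < 2:
        problems.append("the pool must contain at least two IP addresses")
    for first, second in overlaps:
        problems.append(f"entries overlap: {first} and {second}")

    return {
        "address_count": len(all_addresses),
        "overlaps": overlaps,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Constructed sample pools.
    for pool in (["10.0.200.5"], ["10.0.200.0/29"], ["10.0.200.0/29", "10.0.200.5"]):
        print(pool, "->", validate_pool(pool))
```

A pool of one host address fails the size rule, a /29 network contributes eight addresses, and a host that also falls inside a network entry is reported as an overlap.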

Edit Network Settings

On the Network tab in the Mobile VPN with L2TP Configuration dialog box there are several network settings you can configure. The default values are best for most L2TP configurations. We recommend that you do not change these values unless you are sure the change corrects a known problem.

The settings you can configure are:

Keep Alive Timeout

This specifies how often the XTM device sends the L2TP "Hello" message. The default value is 60 seconds.

Retransmission Timeout

This specifies how long the XTM device waits for a message acknowledgement. A message will be retransmitted if the XTM device does not receive an acknowledgement in this time frame. The default value is 5 seconds.

Maximum Retries

This specifies the maximum number of times the XTM device will retransmit a message. If the maximum retries is exceeded, the XTM device closes the connection. The default value is 5.

Maximum Transmission Unit (MTU)

This specifies the maximum packet size to receive in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Maximum Receive Unit (MRU)

This specifies the maximum packet size to send in the PPP session through the L2TP tunnel. The default value is 1400 bytes.

Edit Authentication Settings

On the Authentication tab you can configure authentication servers, and the authorized users and groups.

Configure Authentication Servers

To select the authentication servers to use:

  1. In the Mobile VPN with L2TP page, select the Authentication tab.

Screen shot of the Mobile VPN with L2TP page, Authentication tab

  2. In the Authentication Server Settings section, select the check box for each authentication server you want to use for Mobile VPN with L2TP user authentication. You can use the internal XTM device database (Firebox-DB) or a RADIUS server if you have configured one.
    For more information about user authentication methods for L2TP, see About L2TP User Authentication.
  3. If you selected more than one authentication server, select the server you want to be the default server. Click Make Default to move that server to the top of the list.

If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.

Configure Users and Groups

If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

To configure the users and groups to authenticate with Mobile VPN with L2TP:

  1. In the Authentication Users and Groups section, click Add.
    The Add Authentication User or Group text box appears.
  2. Set the Type to Group or User.
  3. In the Name text box, type the name of the group or user.
  4. From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select All if the group can be used with all selected authentication servers.
  5. Click OK.

For more information about user authentication methods for L2TP, see About L2TP User Authentication.

When you add a user or group and select Firebox-DB as the authentication server, this does not automatically add the user or group to Firebox-DB. Make sure any users or groups you add that use Firebox-DB authentication are also configured in the Firebox authentication settings. For more information, see Configure Your Device as an Authentication Server.
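The following script is an added example and is not WatchGuard code. It checks a list of Authentication Users and Groups entries against the directories of the configured authentication servers and reports the misconfigurations the two paragraphs above describe: a name that does not exist on the selected server (including a Firebox-DB user or group that was never created in the Firebox authentication settings), and a name that exists only with different capitalization, which fails because the names are case sensitive. The directory contents are constructed sample data; the server names Firebox-DB and RADIUS and the Any selection are the ones the documentation mentions.

```python
"""Check Mobile VPN with L2TP authentication user and group entries against
the directories of the configured authentication servers.

Added example, not WatchGuard code. The directory contents are constructed
sample data; the server names "Firebox-DB" and "RADIUS" and the "Any"
selection are the ones the documentation mentions. The check models the
documented rules: the name must exist on the selected server, names are case
sensitive, and selecting Firebox-DB does not create the entry there.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuthEntry:
    kind: str    # "User" or "Group"
    name: str    # name as typed in the Name text box
    server: str  # "Firebox-DB", "RADIUS", or "Any"


# Constructed sample directories: what each authentication server actually knows.
Directory = Dict[str, Set[str]]           # kind -> set of names
DIRECTORIES: Dict[str, Directory] = {
    "Firebox-DB": {"Group": {"L2TP-Users"}, "User": {"alice"}},
    "RADIUS": {"Group": {"VPN-Staff"}, "User": {"Bob"}},
}


def check_entry(entry: AuthEntry, directories: Dict[str, Directory]) -> str:
    """Classify one entry: "ok", "case-mismatch", "missing" or "unknown-server"."""
    if entry.server == "Any":
        servers = list(directories)
    elif entry.server in directories:
        servers = [entry.server]
    else:
        return "unknown-server"

    case_insensitive_hit = False
    for server in servers:
        names = directories[server].get(entry.kind, set())
        if entry.name in names:
            return "ok"                     # exact, case-sensitive match
        if entry.name.lower() in {n.lower() for n in names}:
            case_insensitive_hit = True     # exists, but the case differs
    return "case-mismatch" if case_insensitive_hit else "missing"


def audit_entries(entries: List[AuthEntry],
                  directories: Dict[str, Directory]) -> List[Tuple[AuthEntry, str]]:
    """Return every entry that would not authenticate as configured, with its reason."""
    findings = [(e, check_entry(e, directories)) for e in entries]
    return [(e, status) for e, status in findings if status != "ok"]


if __name__ == "__main__":
    # Constructed sample configuration.
    configured = [
        AuthEntry("Group", "L2TP-Users", "Firebox-DB"),
        AuthEntry("User", "bob", "RADIUS"),        # directory has "Bob"
        AuthEntry("User", "carol", "Any"),         # exists nowhere
        AuthEntry("Group", "VPN-Staff", "Any"),
    ]
    for entry, status in audit_entries(configured, DIRECTORIES):
        print(f"{entry.kind} {entry.name!r} on {entry.server}: {status}")
```

The case-mismatch status is reported separately from missing because it is the one a test login will not explain: the name looks right in the configuration and the user exists on the server, yet authentication fails until the capitalization is corrected.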

Edit L2TP IPSec Settings

Mobile VPN with L2TP can operate with or without IPSec enabled. L2TP with IPSec provides strong encryption and authentication. L2TP without IPSec does not provide strong encryption and authentication. We recommend that you do not disable IPSec in the Mobile VPN with L2TP configuration.

When you enable Mobile VPN with L2TP, IPSec is enabled by default. The only IPSec setting you must configure is the credential method for authentication. The other IPSec Phase 1 settings are set to default values. The default Phase 1 and Phase 2 IPSec settings for Mobile VPN with L2TP are similar to the default Phase 1 and Phase 2 settings in a branch office VPN. You can change them to match the IPSec settings of the L2TP clients you use. The IPSec settings on the L2TP clients must match the settings in the Mobile VPN with L2TP configuration.

Enable or Disable IPSec

  1. In the Mobile VPN with L2TP page, select the IPSec tab.
  2. To disable IPSec for L2TP, clear the Enable IPSec check box.
    Or, to enable IPSec for L2TP, select the Enable IPSec check box.

Configure IPSec Phase 1 Settings

When IPSec is enabled, you must configure the tunnel authentication method in the IPSec Phase 1 settings. You configure the tunnel authentication method in the WatchGuard L2TP Setup Wizard, or you can do it on the IPSec tab.

To configure the IPSec tunnel authentication method:

  1. In the Mobile VPN with L2TP page, select the IPSec tab.

Screen shot of the Mobile VPN with L2TP page, IPSec tab, Phase 1 settings

  2. Select the Phase 1 Settings tab.
  3. Select an option for IPSec tunnel authentication. There are two options:

Use Pre-Shared Key

Type the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP clients.

Use IPSec Firebox Certificate

Select the certificate to use from the table. You must have already imported a certificate to the XTM device to use this option.

For more information about IPSec certificates, see Certificates for Mobile VPN with L2TP Tunnel Authentication.

If you want to generate a configuration for the WatchGuard Mobile VPN app for iOS, you must select Use Pre-Shared Key. For more information, see Configure Mobile VPN with L2TP for Use with iOS Devices.

The default L2TP IPSec configuration contains one default transform set, which appears in the Transform Settings list. This transform specifies SHA-1 authentication, 3DES encryption, and Diffie-Hellman Group 2.

You can:

In the Advanced section, you can configure settings for NAT Traversal and Dead Peer Detection.

For more information about advanced Phase 1 settings, see Configure L2TP IPSec Phase 1 Advanced Settings.

Configure IPSec Phase 2 Settings

IPSec phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the XTM device to know what it should do with the traffic between the endpoints. Parameters in the SA can include:

To configure Phase 2 settings:

  1. In the Mobile VPN with L2TP page, select the IPSec tab.
  2. Select the Phase 2 Settings tab.

Screen shot of the Mobile VPN with L2TP page, IPSec Phase 2 settings

  3. Select the Enable Perfect Forward Secrecy check box if you want to enable Perfect Forward Secrecy (PFS).

Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not derived from a previous key. If a previous key is compromised after a session, your new session keys remain secure.

PFS is disabled by default, because many L2TP clients do not support it. Make sure your L2TP clients enable PFS before you enable it in your Mobile VPN with L2TP configuration.

  4. If you enable PFS, select the Diffie-Hellman group.

For more information about Diffie-Hellman groups, see About Diffie-Hellman Groups.

  5. Configure Phase 2 Proposals. The L2TP IPSec configuration contains two default IPSec Phase 2 proposals, which appear in the IPSec Proposals list. You can:
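The following script is an added example and is not WatchGuard code. It models the requirement, stated in the Edit L2TP IPSec Settings section and in the PFS notes above, that the IPSec settings on the L2TP clients match the settings in the Mobile VPN with L2TP configuration: a Phase 1 transform or Phase 2 proposal is accepted only when every parameter is identical, and a client that offers PFS against a gateway with PFS disabled (or with a different Diffie-Hellman group) does not match. It also flags legacy algorithms so that the default transform (SHA-1, 3DES, Diffie-Hellman Group 2) can be reviewed. The default transform values are the ones the documentation states; the algorithm name strings, the client offers and the legacy-algorithm lists are constructed for this example.

```python
"""Model the IPsec Phase 1 and Phase 2 negotiation between the Mobile VPN with
L2TP gateway settings and an L2TP client, and flag legacy algorithms.

Added example, not WatchGuard code. The default Phase 1 transform (SHA-1,
3DES, Diffie-Hellman group 2) is the one the documentation states; the
algorithm name strings, the client offers and the legacy-algorithm lists are
constructed for this example. A proposal matches only when every parameter
is identical, which is the documented requirement that client and gateway
IPsec settings match.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase1Transform:
    auth: str         # authentication (integrity) algorithm, e.g. "SHA-1"
    encryption: str   # encryption algorithm, e.g. "3DES"
    dh_group: int     # Diffie-Hellman group for the Phase 1 key exchange


@dataclass(frozen=True)
class Phase2Proposal:
    auth: str
    encryption: str
    pfs_group: Optional[int] = None   # Diffie-Hellman group when PFS is on, None when PFS is off


# Default Mobile VPN with L2TP Phase 1 transform, as stated in the documentation.
DEFAULT_PHASE1 = Phase1Transform(auth="SHA-1", encryption="3DES", dh_group=2)

# Algorithms a reviewer would want to migrate away from (constructed list, not from the page).
LEGACY_ALGORITHMS = {"DES", "3DES", "MD5", "SHA-1"}
LEGACY_DH_GROUPS = {1, 2, 5}


def negotiate_phase1(gateway: List[Phase1Transform],
                     client_offers: List[Phase1Transform]) -> Optional[Phase1Transform]:
    """Return the first client offer that exactly matches a gateway transform, or None."""
    for offer in client_offers:
        if offer in gateway:
            return offer
    return None


def negotiate_phase2(gateway_proposals: List[Phase2Proposal],
                     gateway_pfs_group: Optional[int],
                     client_offers: List[Phase2Proposal]) -> Optional[Phase2Proposal]:
    """Return the first client offer whose algorithms match a gateway proposal
    and whose PFS setting matches the gateway-wide PFS setting, or None.

    PFS on the gateway is a single setting (off, or on with one Diffie-Hellman
    group), so a client offering PFS against a gateway with PFS disabled, or
    with a different group, does not match.
    """
    for offer in client_offers:
        if offer.pfs_group != gateway_pfs_group:
            continue
        for proposal in gateway_proposals:
            if (offer.auth, offer.encryption) == (proposal.auth, proposal.encryption):
                return offer
    return None


def legacy_algorithms(auth: str, encryption: str, dh_group: Optional[int] = None) -> List[str]:
    """List the parameters of a transform or proposal that use legacy algorithms."""
    findings: List[str] = []
    if auth in LEGACY_ALGORITHMS:
        findings.append(f"authentication {auth}")
    if encryption in LEGACY_ALGORITHMS:
        findings.append(f"encryption {encryption}")
    if dh_group in LEGACY_DH_GROUPS:
        findings.append(f"Diffie-Hellman group {dh_group}")
    return findings


if __name__ == "__main__":
    # Constructed client offers: a modern one first, then the legacy default.
    offers = [Phase1Transform("SHA-256", "AES-256", 14), DEFAULT_PHASE1]
    chosen = negotiate_phase1([DEFAULT_PHASE1], offers)
    print("Phase 1 agreed:", chosen)
    if chosen:
        print("Legacy parameters:", legacy_algorithms(chosen.auth, chosen.encryption, chosen.dh_group))
    gateway_p2 = [Phase2Proposal("SHA-1", "AES-256"), Phase2Proposal("SHA-1", "3DES")]
    # PFS is off on the gateway by default; a client that insists on PFS does not match.
    print("Phase 2, client PFS on:", negotiate_phase2(gateway_p2, None, [Phase2Proposal("SHA-1", "AES-256", 14)]))
    print("Phase 2, client PFS off:", negotiate_phase2(gateway_p2, None, [Phase2Proposal("SHA-1", "AES-256")]))
```

With only the default transform on the gateway, a client that offers a stronger transform first still ends up on SHA-1, 3DES and Diffie-Hellman group 2, and all three are flagged; that is the reason to review the Transform Settings list rather than rely on the client's preferred order.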

When you activate Mobile VPN with L2TP, Policy Manager automatically creates two policies to allow the traffic. For more information, see About L2TP Policies.

Configure Mobile Clients

After you configure Mobile VPN with L2TP, you can generate the mobile app configuration file to use with the WatchGuard Mobile VPN app for iOS devices. You do this on the Mobile Clients tab. For more information, see Generate and Distribute the L2TP Mobile Client Profile.

See Also

About Mobile VPN with L2TP
