We recommend that you use the WatchGuard L2TP Setup Wizard to set up Mobile VPN with L2TP for the first time. For more information, see Use the WatchGuard L2TP Setup Wizard.
To edit the Mobile VPN with L2TP configuration:
You cannot enable IPSec in the Mobile VPN with L2TP configuration if the device configuration already includes a branch office VPN gateway that uses main mode, and a remote gateway with a dynamic IP address. When you activate Mobile VPN with L2TP, the IPSec settings in the L2TP configuration are enabled by default. If IPSec cannot be enabled because of an existing branch office VPN configuration, a warning message appears when you activate Mobile VPN with L2TP. You can choose to enable L2TP without IPSec, though that is less secure and is not recommended.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
To add to the virtual IP address pool:
To remove an IP address or address range from the virtual IP address pool:
The settings you can configure are:
Keep Alive Timeout
This specifies how often the XTM device sends the L2TP "Hello" message. The default value is 60 seconds.
This specifies how long the XTM device waits for a message acknowledgement. The XTM device retransmits a message if it does not receive an acknowledgement within this time. The default value is 5 seconds.
This specifies the maximum number of times the XTM device retransmits a message. If the maximum number of retries is exceeded, the XTM device closes the connection. The default value is 5.
Maximum Transmission Unit (MTU)
This specifies the maximum packet size to receive in the PPP session through the L2TP tunnel. The default value is 1400 bytes.
Maximum Receive Unit (MRU)
This specifies the maximum packet size to send in the PPP session through the L2TP tunnel. The default value is 1400 bytes.
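The three timing settings above interact: a peer that stops answering is only noticed at the next Hello, and the tunnel is closed only after the retransmissions are exhausted. The following added example (not WatchGuard code) models that control-channel behaviour as the page describes it, with the page's default values, so an administrator can see how long a dead peer keeps a tunnel open before it is torn down. It assumes a fixed retransmission interval and that the tunnel closes one retransmission timeout after the last retry; both are modelling assumptions, not documented Firebox behaviour.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class L2TPTunnelSettings:
    """Tunnel settings from the page, with the page's defaults."""
    keep_alive_timeout: int = 60   # seconds between L2TP Hello messages
    retransmit_timeout: int = 5    # seconds to wait for an acknowledgement
    max_retries: int = 5           # retransmissions before the tunnel is closed


def simulate_silent_peer(settings: L2TPTunnelSettings,
                         peer_silent_after: float) -> Tuple[float, List[str]]:
    """Model the control channel against a peer that stops acknowledging at
    peer_silent_after seconds. The device sends a Hello every keep_alive_timeout
    seconds; an unacknowledged message is resent every retransmit_timeout seconds
    up to max_retries times, after which the tunnel is closed (assumed: closure
    happens one retransmit_timeout after the last retry).
    Returns (time the tunnel closed, event log)."""
    events: List[str] = []
    t = 0.0
    while True:
        t += settings.keep_alive_timeout
        events.append(f"t={t:g}: Hello sent")
        if t <= peer_silent_after:
            events.append(f"t={t:g}: ack received")
            continue
        retries = 0
        while retries < settings.max_retries:
            t += settings.retransmit_timeout
            retries += 1
            events.append(f"t={t:g}: no ack, retransmit {retries}/{settings.max_retries}")
        t += settings.retransmit_timeout
        events.append(f"t={t:g}: retry limit exceeded, tunnel closed")
        return t, events


def worst_case_detection_delay(settings: L2TPTunnelSettings) -> float:
    """Longest interval a peer can be unreachable before the device closes the
    tunnel under the model above: a full Hello interval plus every retransmission
    timeout (initial send and max_retries resends)."""
    return settings.keep_alive_timeout + (settings.max_retries + 1) * settings.retransmit_timeout


if __name__ == "__main__":
    defaults = L2TPTunnelSettings()
    closed_at, log = simulate_silent_peer(defaults, peer_silent_after=100)
    print("\n".join(log))
    print(f"tunnel closed at t={closed_at:g}s; worst case {worst_case_detection_delay(defaults):g}s")
```

With the defaults, a peer that answered its last Hello at t=60 and then went silent is detected at t=150, that is 90 seconds later. Shortening the keep-alive interval reduces that window at the cost of more control traffic; raising the retry count lengthens it.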
On the Authentication tab you can configure authentication servers, and the authorized users and groups.
To select the authentication servers to use:
If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.
If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
To configure the users and groups to authenticate with Mobile VPN with L2TP:
For more information about user authentication methods for L2TP, see About L2TP User Authentication.
When you add a user or group and select Firebox-DB as the authentication server, this does not automatically add the user or group to Firebox-DB. Make sure any users or groups you add that use Firebox-DB authentication are also configured in the Firebox authentication settings. For more information, see Configure Your Device as an Authentication Server.
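The rules in the two paragraphs above (the default L2TP-Users group when Firebox-DB is used, exact case-sensitive names that must already exist on the selected server, and the server or domain qualifier in the login name when more than one server is selected) are easy to check before a client ever dials in. The following is an added example, not WatchGuard code, that validates such a configuration against constructed directory contents. The "server\user" and "user@domain" login forms it parses are an assumption of this example; the page itself does not state the format.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AuthServer:
    """Directory contents of one authentication server (constructed sample data)."""
    name: str                                    # e.g. "Firebox-DB", "RADIUS"
    groups: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)


@dataclass
class L2TPAuthConfig:
    """Selected servers (first entry is the default) and authorized principals.
    Each principal is (name, kind, server): kind is "user" or "group" and
    server is a selected server name or "Any"."""
    servers: List[AuthServer]
    principals: List[Tuple[str, str, str]]

    def server(self, name: str) -> Optional[AuthServer]:
        return next((s for s in self.servers if s.name == name), None)


def check_config(cfg: L2TPAuthConfig) -> List[str]:
    """Return human-readable problems; an empty list means the config passes."""
    problems: List[str] = []

    # Firebox-DB requires the default L2TP-Users group to be authorized.
    if cfg.server("Firebox-DB") is not None:
        has_default_group = any(
            name == "L2TP-Users" and kind == "group" and srv in ("Firebox-DB", "Any")
            for name, kind, srv in cfg.principals
        )
        if not has_default_group:
            problems.append("Firebox-DB is selected but the default L2TP-Users group is not authorized")

    # Every name must exist, with exactly matching case, on the server it is bound to
    # ("Any" means it may exist on any selected server).
    for name, kind, srv in cfg.principals:
        if srv == "Any":
            candidates = cfg.servers
        else:
            s = cfg.server(srv)
            if s is None:
                problems.append(f"{kind} '{name}' refers to unselected server '{srv}'")
                continue
            candidates = [s]
        pool = set().union(*(c.groups if kind == "group" else c.users for c in candidates))
        if name in pool:
            continue
        if name.lower() in {p.lower() for p in pool}:
            problems.append(f"{kind} '{name}' differs only in case from a name on {srv}; names are case sensitive")
        else:
            problems.append(f"{kind} '{name}' does not exist on {srv}")
    return problems


def resolve_server(login: str, cfg: L2TPAuthConfig) -> Tuple[AuthServer, str]:
    """Split the name typed at the client into (server, bare user name).
    Assumed forms: "server\\user" or "user@server"; a bare name goes to the default server."""
    if "\\" in login:
        srv, user = login.split("\\", 1)
    elif "@" in login:
        user, srv = login.rsplit("@", 1)
    else:
        return cfg.servers[0], login
    s = cfg.server(srv)
    if s is None:
        raise ValueError(f"unknown authentication server or domain '{srv}'")
    return s, user


# Constructed sample: a Firebox-DB and a RADIUS server, plus a deliberately flawed principal list.
FIREBOX_DB = AuthServer("Firebox-DB", groups={"L2TP-Users"}, users={"alice"})
RADIUS = AuthServer("RADIUS", groups={"VPN-Staff"}, users={"bob"})
SAMPLE = L2TPAuthConfig(
    servers=[FIREBOX_DB, RADIUS],
    principals=[
        ("L2TP-Users", "group", "Firebox-DB"),
        ("vpn-staff", "group", "RADIUS"),   # wrong case: will be rejected at login
        ("carol", "user", "Any"),           # exists on no selected server
    ],
)

if __name__ == "__main__":
    for p in check_config(SAMPLE):
        print("problem:", p)
    print(resolve_server("RADIUS\\bob", SAMPLE))
```

Running the check on the sample reports the miscased group and the missing user, which are exactly the two mistakes that otherwise surface only as failed logins on the client.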
Mobile VPN with L2TP can operate with or without IPSec enabled. L2TP with IPSec provides strong encryption and authentication. L2TP without IPSec does not provide strong encryption and authentication. We recommend that you do not disable IPSec in the Mobile VPN with L2TP configuration.
When you enable Mobile VPN with L2TP, IPSec is enabled by default. The only IPSec setting you must configure is the credential method for authentication. The other IPSec Phase 1 settings are set to default values. The default Phase 1 and Phase 2 IPSec settings for Mobile VPN with L2TP are similar to the default Phase 1 and Phase 2 settings in a branch office VPN. You can change them to match the IPSec settings of the L2TP clients you use. The IPSec settings on the L2TP clients must match the settings in the Mobile VPN with L2TP configuration.
When IPSec is enabled, you must configure the tunnel authentication method in the IPSec Phase 1 settings. You configure the tunnel authentication method in the WatchGuard L2TP Setup Wizard, or you can do it on the IPSec tab.
To configure the IPSec tunnel authentication method:
Use Pre-Shared Key
Type the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP clients.
Select the certificate to use from the table. You must have already imported a certificate to the XTM device to use this option.
For more information about IPSec certificates, see Certificates for Mobile VPN with L2TP Tunnel Authentication.
If you want to generate a configuration for the WatchGuard Mobile VPN app for iOS, you must select Use Pre-Shared Key. For more information, see Configure Mobile VPN with L2TP for Use with iOS Devices.
The default L2TP IPSec configuration contains one default transform set, which appears in the Transform Settings list. This transform specifies SHA-1 authentication, 3DES encryption, and Diffie-Hellman Group 2.
In the Advanced section, you can configure settings for NAT Traversal and Dead Peer Detection.
For more information about advanced Phase 1 settings, see Configure L2TP IPSec Phase 1 Advanced Settings.
IPSec phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the XTM device to know what it should do with the traffic between the endpoints. Parameters in the SA can include:
To configure Phase 2 settings:
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure.
PFS is disabled by default, because many L2TP clients do not support it. Make sure your L2TP clients enable PFS before you enable it in your Mobile VPN with L2TP configuration.
For more information about Diffie-Hellman groups, see About Diffie-Hellman Groups.
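Two points from the IPSec passages above are worth automating: the client's Phase 1 and Phase 2 settings must match the Mobile VPN with L2TP configuration, and the default transform (SHA-1, 3DES, Diffie-Hellman group 2) is a legacy combination that an administrator may want flagged. The following added example, which is not WatchGuard code, models both: a simplified proposal match for Phase 1 transforms and a PFS compatibility check for Phase 2. The legacy-algorithm policy and the "gateway order wins" matching rule are assumptions of the example, not documented Firebox behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transform:
    """One IPSec Phase 1 transform: authentication hash, cipher, Diffie-Hellman group."""
    auth: str       # e.g. "SHA1", "SHA2-256"
    enc: str        # e.g. "3DES", "AES-256"
    dh_group: int   # e.g. 2, 14


# The default transform set the page describes: SHA-1, 3DES, Diffie-Hellman group 2.
DEFAULT_PHASE1 = Transform("SHA1", "3DES", 2)

# Hypothetical policy used by this example (not a WatchGuard setting): algorithms and
# groups treated as legacy and reported by weaknesses().
LEGACY_AUTH = {"MD5", "SHA1"}
LEGACY_ENC = {"DES", "3DES"}
LEGACY_DH = {1, 2, 5}


def weaknesses(t: Transform) -> List[str]:
    """Report which parts of a transform fall under the legacy policy above."""
    findings: List[str] = []
    if t.auth in LEGACY_AUTH:
        findings.append(f"authentication {t.auth} is a legacy hash")
    if t.enc in LEGACY_ENC:
        findings.append(f"encryption {t.enc} is a legacy cipher")
    if t.dh_group in LEGACY_DH:
        findings.append(f"Diffie-Hellman group {t.dh_group} is a legacy group")
    return findings


def select_phase1(gateway: List[Transform], client: List[Transform]) -> Optional[Transform]:
    """Return the first gateway transform that the client also offers, or None when
    nothing matches (simplified model of negotiation: gateway preference order wins)."""
    offered = set(client)
    return next((t for t in gateway if t in offered), None)


@dataclass(frozen=True)
class Phase2:
    """Phase 2 settings relevant to PFS: whether PFS is on and, if so, the DH group."""
    pfs: bool
    dh_group: Optional[int] = None


def phase2_issues(gateway: Phase2, client: Phase2) -> List[str]:
    """List PFS mismatches between the Mobile VPN with L2TP configuration and a client."""
    issues: List[str] = []
    if gateway.pfs and not client.pfs:
        issues.append("gateway requires PFS but the client does not enable it")
    elif gateway.pfs and client.pfs and gateway.dh_group != client.dh_group:
        issues.append(f"PFS Diffie-Hellman group mismatch: gateway {gateway.dh_group}, client {client.dh_group}")
    elif not gateway.pfs and client.pfs:
        issues.append("client proposes PFS but the gateway has it disabled")
    return issues


# Constructed sample: a stronger transform added beside the default, and a client that only offers it.
MODERN = Transform("SHA2-256", "AES-256", 14)

if __name__ == "__main__":
    print("default transform findings:", weaknesses(DEFAULT_PHASE1))
    print("negotiated:", select_phase1([DEFAULT_PHASE1, MODERN], [MODERN]))
    print("phase 2:", phase2_issues(Phase2(pfs=True, dh_group=14), Phase2(pfs=False)))
```

Keeping the default transform in the list preserves compatibility with older clients, while placing a stronger transform first lets capable clients negotiate it; the Phase 2 check reproduces the page's warning that PFS must be enabled on the clients before it is enabled on the device.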
When you activate Mobile VPN with L2TP, Policy Manager automatically creates two policies to allow the traffic. For more information, see About L2TP Policies.
After you configure Mobile VPN with L2TP, you can generate the mobile app configuration file to use with the WatchGuard Mobile VPN app for iOS devices. You do this on the Mobile Clients tab. For more information, see Generate and Distribute the L2TP Mobile Client Profile.
About Mobile VPN with L2TP