L2TP VPN
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or third-party VPN client software.
The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it. See IPSec VPN for information on IPSec VPN.
IPSec Configuration Required for L2TP VPN
You must configure an IPSec VPN connection for L2TP VPN to use (see IPSec VPN for details). The IPSec VPN connection must:
Be enabled.
Use transport mode.
Not be a manual key VPN connection.
Use Pre-Shared Key authentication.
Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Using the Default L2TP VPN Connection
The Default_L2TP_VPN_GW gateway entry is pre-configured to be convenient to use for L2TP VPN. Edit it as follows:
Set My Address to the WAN interface domain name or IP address you want to use.
Replace the default Pre-Shared Key.
Create a host-type address object containing the My Address IP address configured in the Default_L2TP_VPN_GW and set the Default_L2TP_VPN_Connection’s Local Policy to use it.
Policy Route
Configure a policy route to let remote users access resources on a network behind the ZyWALL.
Set the policy route’s Source Address to the address object that you want to allow the remote users to access.
Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users.
Set the next hop to be the VPN tunnel that you are using for L2TP.
To manage the ZyWALL through the L2TP VPN tunnel, create a routing policy that sends the ZyWALL’s return traffic back through the L2TP VPN tunnel.
Set Incoming to ZyWALL.
Set Destination Address to the L2TP address pool.
Set the next hop to be the VPN tunnel that you are using for L2TP.
If some of the traffic from the L2TP clients needs to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk.
Set Incoming to Tunnel and select your L2TP VPN connection.
Set the Source Address to the L2TP address pool.
Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
Finding Out More
See L2TP VPN with Android, iOS, and Windows for an example of how to create a basic L2TP VPN tunnel.
L2TP VPN Screen
Use this screen to configure the ZyWALL’s L2TP VPN settings.
Note:
Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
Configuration > VPN > L2TP VPN 
Label
Description
Show Advance Settings / Hide Advance Settings
Click this button to display a greater or lesser number of configuration fields.
Create new Object
Use to configure any new settings objects that you need to use in this screen.
Enable L2TP Over IPSec
Use this field to turn the ZyWALL’s L2TP VPN function on or off.
VPN Connection
Select the IPSec VPN connection the ZyWALL uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN.
Note:
Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.
IP Address Pool
Select the pool of IP addresses that the ZyWALL uses to assign to the L2TP VPN clients. Use Create new Object if you need to configure a new pool of IP addresses.
Note:
This should not conflict with any WAN, LAN, DMZ, or WLAN subnet even if they are not in use.
Authentication Method
Select how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel.
The authentication method has the ZyWALL check a user’s user name and password against the ZyWALL’s local database, a remote LDAP, RADIUS, a Active Directory server, or more than one of these. See Authentication Method for how to create authentication method objects.
Authentication Server Certificate
Select the certificate to use to identify the ZyWALL for L2TP VPN connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.
Allowed User
The remote user must log into the ZyWALL to use the L2TP VPN tunnel.
Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account. Otherwise, select any to allow any user with a valid account and password on the ZyWALL to log in.
Keep Alive Timer
The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL disconnects the VPN tunnel if the remote user does not respond.
First DNS Server, Second DNS Server
Specify the IP addresses of DNS servers to assign to the remote users. You can specify these IP addresses two ways.
Custom Defined - enter a static IP address.
From ISP - use the IP address of a DNS server that another interface received from its DHCP server.
First WINS Server, Second WINS Server
The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways.
Apply
Click Apply to save your changes in the ZyWALL.
Reset
Click Reset to return the screen to its last-saved settings.