L2TP VPN
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the Zyxel Device. The remote users do not need their own IPSec gateways or third-party VPN client software.
Note:
The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it.
IPSec Configuration Required for L2TP VPN
You must configure an IPSec VPN connection prior to proper L2TP VPN usage . The IPSec VPN connection must:
• Be enabled.
• Use transport mode.
• Use Pre-Shared Key authentication.
• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Using the Quick Setup VPN Setup Wizard
The VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get started.
Policy Route
The Policy Route for return traffic (from LAN to L2TP clients) is automatically created when f some of the traffic from the L2TP clients needs to go to the Internet, you will need to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk. This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup > VPN Setup > Allow L2TP traffic through WAN.
L2TP VPN Screen
Use this screen to configure the Zyxel Device’s L2TP VPN settings.
Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
Label | Description |
|---|---|
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
Create new Object | Use to configure any new settings objects that you need to use in this screen. |
Enable L2TP Over IPSec | Use this field to turn the Zyxel Device’s L2TP VPN function on or off. |
VPN Connection | Select the IPSec VPN connection the Zyxel Device uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN.  Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions. |
IP Address Pool | Select the pool of IP addresses that the Zyxel Device uses to assign to the L2TP VPN clients. Use Create new Object if you need to configure a new pool of IP addresses. This should not conflict with any WAN, LAN, DMZ or WLAN subnet even if they are not in use. |
Authentication Method | Select how the Zyxel Device authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the Zyxel Device check a user’s user name and password against the Zyxel Device’s local database, a remote LDAP, RADIUS, a Active Directory server, or more than one of these. |
Authentication Server Certificate | Select the certificate to use to identify the Zyxel Device for L2TP VPN connections. You must have certificates already configured in the My Certificates screen The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols. |
Allowed User | The remote user must log into the Zyxel Device to use the L2TP VPN tunnel. Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account. Otherwise, select any to allow any user with a valid account and password on the Zyxel Device to log in. |
Keep Alive Timer | The Zyxel Device sends a Hello message after waiting this long without receiving any traffic from the remote user. The Zyxel Device disconnects the VPN tunnel if the remote user does not respond. |
First DNS Server, Second DNS Server | Specify the IP addresses of DNS servers to assign to the remote users. You can specify these IP addresses two ways. Custom Defined - enter a static IP address. From ISP - use the IP address of a DNS server that another interface received from its DHCP server. |
First WINS Server, Second WINS Server | The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways. |
Apply | Click Apply to save your changes in the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
L2TP and Zyxel Device Behind a NAT Router
If the Zyxel Device is behind a NAT router, then do the following for remote clients to access the network behind the Zyxel Device using L2TP over IPv4.
1 L2TP and Zyxel Device Behind a NAT RouterCreate an address object in Configuration > Object > Address/GEO IP > Address for the WAN IP address of the NAT router.
2 Go to Configuration > VPN > IPSec VPN > VPN Connection and click Add for IPv4 Configuration to create a new VPN connection.
3 Select Remote Access (Server Role) as the VPN scenario for the remote client.
4 Select the NAT router WAN IP address object as the Local Policy.
5 Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.