Use the WatchGuard L2TP Setup Wizard
The WatchGuard L2TP Setup Wizard helps you activate and configure Mobile VPN with L2TP. The setup wizard is only available when Mobile VPN with L2TP has not been activated. Any Mobile VPN with L2TP settings not configurable in the wizard are set to their default values. When you activate Mobile VPN with L2TP, IPSec is enabled by default with these IPSec settings:
Phase 1 transforms
- SHA-1, AES(256), and Diffie-Hellman Group 2
- SHA-1, AES(256), and Diffie-Hellman Group 20
- SHA2-256, AES(256), and Diffie-Hellman Group 14
The SA life is 8 hours for all transforms.
Phase 2 proposals
- ESP-AES-SHA1
- ESP-AES128-SHA1
- ESP-AES256-SHA256
PFS is disabled.
You can edit these settings after you run the wizard if your L2TP clients require different settings.
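The following script is an added example, not WatchGuard code, for reviewing the IPSec defaults listed above before deciding whether to edit them after the wizard runs. The transform and proposal lists are the ones stated on this page; the classification of SHA-1 and DH Group 2 as legacy primitives is the editor's (Group 2 is 1024-bit MODP, Group 14 is 2048-bit MODP, Group 20 is 384-bit ECP), and the proposal-name parsing assumes the ESP-<cipher>-<hash> form shown on the page.

```python
"""Audit the IPSec defaults that the WatchGuard L2TP Setup Wizard enables.

Added example, not WatchGuard code. Transform and proposal lists are as stated
on the page; the legacy classification and the proposal-name format are
assumptions made by the editor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Transform:
    auth: str        # integrity hash, e.g. "SHA-1" or "SHA2-256"
    encryption: str  # e.g. "AES256"
    dh_group: int    # IKE Diffie-Hellman group number


# Wizard defaults as listed on the page.
DEFAULT_PHASE1 = [
    Phase1Transform("SHA-1", "AES256", 2),
    Phase1Transform("SHA-1", "AES256", 20),
    Phase1Transform("SHA2-256", "AES256", 14),
]
DEFAULT_PHASE2 = ["ESP-AES-SHA1", "ESP-AES128-SHA1", "ESP-AES256-SHA256"]
DEFAULT_SA_LIFE_HOURS = 8
DEFAULT_PFS = False

# Editor's classification: primitives that current guidance treats as legacy.
LEGACY_HASHES = {"SHA-1", "SHA1"}
LEGACY_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP


def phase1_findings(t: Phase1Transform) -> list:
    """Return the legacy primitives used by one Phase 1 transform (empty if none)."""
    found = []
    if t.auth in LEGACY_HASHES:
        found.append("SHA-1 integrity")
    if t.dh_group in LEGACY_DH_GROUPS:
        found.append(f"DH Group {t.dh_group} (below 2048-bit MODP)")
    return found


def phase2_findings(proposal: str) -> list:
    """Return the legacy primitives in an ESP-<cipher>-<hash> proposal name."""
    parts = proposal.split("-")
    if len(parts) != 3 or parts[0] != "ESP":
        raise ValueError(f"unrecognised proposal name: {proposal}")
    return ["SHA-1 integrity"] if parts[2] in LEGACY_HASHES else []


def audit(phase1=DEFAULT_PHASE1, phase2=DEFAULT_PHASE2, pfs=DEFAULT_PFS) -> dict:
    """Map each transform/proposal to its findings and record whether PFS is off."""
    return {
        "phase1": {f"{t.auth}/{t.encryption}/DH{t.dh_group}": phase1_findings(t) for t in phase1},
        "phase2": {p: phase2_findings(p) for p in phase2},
        "pfs_disabled": not pfs,
    }


def hardened(phase1=DEFAULT_PHASE1, phase2=DEFAULT_PHASE2):
    """Keep only the transforms and proposals with no legacy primitive.

    Returns (phase1, phase2). For the wizard defaults each list is non-empty;
    if an edited configuration leaves one empty, add a modern proposal first.
    """
    return (
        [t for t in phase1 if not phase1_findings(t)],
        [p for p in phase2 if not phase2_findings(p)],
    )


if __name__ == "__main__":
    for section, entries in audit().items():
        print(section, entries)
    print("hardened:", hardened())
```

The script only reports; it changes nothing on the Firebox. Before removing the flagged transforms in the L2TP configuration, confirm that every L2TP client you support can negotiate the remaining proposal, since the page notes that client requirements are the reason to edit these settings at all.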
Before You Begin
When you configure Mobile VPN with L2TP, you select an authentication server and add users and groups for authentication. Make sure that the authentication server you want to use for L2TP user authentication is configured before you enable Mobile VPN with L2TP. Also, make sure that any users and groups you want to use are added to the authentication server.
For more information about supported user authentication methods for L2TP, see About L2TP User Authentication.
You cannot configure Mobile VPN with L2TP if the device configuration already has a branch office VPN gateway that uses main mode and has a remote gateway with a dynamic IP address.
Use the L2TP Setup Wizard
- Select VPN > Mobile VPN with L2TP.
The Mobile VPN with L2TP page appears.
- Click Run Wizard.
The WatchGuard L2TP Setup Wizard appears.
- Click Next.
A list of configured authentication servers appears.
- Select the check box for each authentication server you want to use for Mobile VPN with L2TP user authentication. You can use the internal Firebox database (Firebox-DB) or a RADIUS server if you have configured one.
For more information about user authentication methods for L2TP, see About L2TP User Authentication.
- If you selected more than one authentication server, select the server you want to be the default server. Click Make Default to move that server to the top of the list.
If users do not specify the authentication server as part of the user name when they authenticate from an L2TP client, Mobile VPN with L2TP uses the default authentication server.
If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.
- Click Next.
The Authentication Users and Groups page appears. The L2TP-Users group is automatically added by default.
- Click Add to add a user or group to authenticate with Mobile VPN with L2TP.
The Add Authentication User or Group dialog box appears.
If you use the Firebox-DB for authentication, you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
- Set the Type to Group or User.
- In the Name text box, type the name of the group or user.
- From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select Any if the group can be used with all selected authentication servers.
- Click OK.
- After you configure users and groups, click Next.
The Virtual IP Address Pool page appears.
- Click Add.
The Add Address Pool dialog box appears.
- In the Choose Type drop-down list, select whether to add an IPv4 host address, network address, or address range. You must add at least two IP addresses to the virtual IP address pool. Type the IP address or range and click OK.
The address is added to the virtual IP address pool.
For more information about virtual IP address pools, see Virtual IP Addresses and Mobile VPNs.
- After you define the virtual IP address pool, click Next.
The Tunnel authentication method page appears.
- Select an option for IPSec tunnel authentication. There are two options:
Use Pre-Shared Key
Type or paste the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP client.
Use IPSec Firebox Certificate
Select the certificate to use from the table. You must have already imported a certificate to the Firebox to use this option.
To use certificates for authentication, you must install the certificate on all devices that connect.
For more information, see Certificates for Mobile VPN with L2TP Tunnel Authentication.
- Click Next.
- Click Finish to save the configuration and exit the wizard.
- Select VPN > Mobile VPN > L2TP > Activate.
The WatchGuard L2TP Setup Wizard appears.
- Click Next.
A list of configured authentication servers appears.
- Select the check box for each authentication server you want to use for Mobile VPN with L2TP user authentication. You can use the internal Firebox database (Firebox-DB) or a RADIUS server if you have configured one.
For more information about user authentication methods for L2TP, see About L2TP User Authentication.
- If you selected more than one authentication server, select the server you want to be the default server. Click Make Default to move that server to the top of the list.
If users do not specify the authentication server as part of the user name when they authenticate from an L2TP client, Mobile VPN with L2TP uses the default authentication server.
If you select more than one authentication server, users who use the non-default authentication server must specify the authentication server or domain as part of the user name. For more information and examples, see Connect from an L2TP VPN Client.
- After you have selected authentication servers, click Next.
The Add authorized users and groups page appears. The L2TP-Users group is automatically added by default.
- Add users and groups to authenticate with Mobile VPN with L2TP.
If you use the Firebox-DB for authentication, you must use the L2TP-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with L2TP. For each group or user you add, you can select the authentication server where the group exists, or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
- Set the Type to Group or User.
- In the Name text box, type the name of the group or user.
- From the Authentication Server drop-down list, select the authentication server where the user or group exists. Or, select All if the group can be used with all selected authentication servers.
- Click Add.
- After you configure users and groups, click Next.
The Configure the allowed resources page appears.
The allowed resources determine what the wizard puts in the To section of the automatically generated Allow L2TP-Users policy. Unless you restrict access to specific resources, the Allow L2TP-Users policy allows access to Any.
- To limit access, select Restrict access to the resources specified below.
- Click Add to add network IP address ranges, aliases, or other resources you want Mobile VPN with L2TP users to have access to.
- After you have configured the allowed resources, click Next.
The Define the virtual IP address pool page appears.
- Click Add to add an IPv4 host address, network address, or address range. You must add at least two IP addresses to the virtual IP address pool.
For more information about virtual IP address pools, see Virtual IP Addresses and Mobile VPNs.
- After you define the virtual IP address pool, click Next.
The Select the tunnel authentication method page appears.
- Select an option for IPSec tunnel authentication. There are two options:
Use Pre-Shared Key
Type or paste the shared key. You must use the same pre-shared key in the IPSec settings on the L2TP client.
Use IPSec Certificate
Select the certificate to use from the table. You must have already imported a certificate to the Firebox to use this option.
For more information, see Certificates for Mobile VPN with L2TP Tunnel Authentication.
- Click Next.
The L2TP wizard is complete.
- If you want to edit the L2TP configuration after the wizard is finished, select the Open the L2TP configuration dialog check box. Click Finish to close the wizard.
Mobile VPN with L2TP is enabled, and the required L2TP policies are automatically added.
When you enable Mobile VPN with L2TP, two policies are automatically added to allow L2TP traffic. For more information, see About L2TP Policies.
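Both procedures above ask for the same inputs: the selected authentication servers and their default, the users and groups (which must exist on the server with an exact, case-sensitive name, and must include L2TP-Users when Firebox-DB is used), a virtual IP address pool of at least two addresses, and a pre-shared key or Firebox certificate. The script below is an added example, not WatchGuard code, that checks a planned set of wizard inputs against those rules before you click through the wizard. The configuration model, the constructed DIRECTORY of what exists on each authentication server, and the rule that a network entry contributes its usable host addresses to the pool are assumptions made for this example.

```python
"""Pre-check the inputs the WatchGuard L2TP Setup Wizard asks for against the
rules stated on the page (default server, user/group names, pool size,
tunnel authentication).

Added example, not WatchGuard code. The WizardInput model, DIRECTORY sample
data and the pool-counting rule for networks are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class WizardInput:
    auth_servers: list   # selected servers, e.g. ["Firebox-DB", "RADIUS"]
    default_server: str  # the server marked with Make Default
    principals: list     # (kind, name, server): kind "Group"/"User", server name or "Any"
    pool: list           # "10.0.100.1", "10.0.100.0/24" or "10.0.100.10-10.0.100.20"
    tunnel_auth: dict    # {"method": "psk", "key": "..."} or {"method": "certificate", "name": "..."}


# Constructed sample of what each authentication server knows about (assumption).
DIRECTORY = {
    "Firebox-DB": {"Group": {"L2TP-Users"}, "User": {"alice"}},
    "RADIUS": {"Group": {"L2TP-Users", "VPN-Contractors"}, "User": {"bob"}},
}


def pool_size(entries) -> int:
    """Count addresses in the virtual IP pool; raises ValueError on a malformed entry."""
    total = 0
    for entry in entries:
        if "-" in entry:                                   # address range
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {entry}")
            total += int(hi) - int(lo) + 1
        elif "/" in entry:                                 # network: usable hosts only (assumption)
            n = ipaddress.IPv4Network(entry, strict=False).num_addresses
            total += n if n <= 2 else n - 2
        else:                                              # single host address
            ipaddress.IPv4Address(entry)
            total += 1
    return total


def check(cfg: WizardInput, directory=DIRECTORY) -> list:
    """Return human-readable problems; an empty list means the inputs pass the page's rules."""
    problems = []
    if cfg.default_server not in cfg.auth_servers:
        problems.append(f"default server {cfg.default_server!r} is not a selected server")

    # Firebox-DB authentication requires the default L2TP-Users group.
    if "Firebox-DB" in cfg.auth_servers and not any(
        k == "Group" and n == "L2TP-Users" and s in ("Firebox-DB", "Any")
        for k, n, s in cfg.principals
    ):
        problems.append("Firebox-DB is selected but the L2TP-Users group is not added")

    for kind, name, server in cfg.principals:
        if server != "Any" and server not in cfg.auth_servers:
            problems.append(f"{kind} {name!r}: server {server!r} is not selected")
            continue
        # "Any" means the name must be usable with every selected server.
        for s in (cfg.auth_servers if server == "Any" else [server]):
            known = directory.get(s, {}).get(kind, set())
            if name in known:
                continue
            near = [x for x in known if x.lower() == name.lower()]
            hint = f" (names are case sensitive; server has {near[0]!r})" if near else ""
            problems.append(f"{kind} {name!r} does not exist on {s}{hint}")

    try:
        if pool_size(cfg.pool) < 2:
            problems.append("virtual IP address pool must contain at least two addresses")
    except ValueError as exc:
        problems.append(f"virtual IP address pool: {exc}")

    method = cfg.tunnel_auth.get("method")
    if method == "psk" and not cfg.tunnel_auth.get("key"):
        problems.append("pre-shared key is empty")
    elif method == "certificate" and not cfg.tunnel_auth.get("name"):
        problems.append("no Firebox certificate selected")
    elif method not in ("psk", "certificate"):
        problems.append(f"unknown tunnel authentication method {method!r}")
    return problems


if __name__ == "__main__":
    sample = WizardInput(
        auth_servers=["Firebox-DB", "RADIUS"], default_server="Firebox-DB",
        principals=[("Group", "L2TP-Users", "Any"), ("Group", "VPN-Contractors", "RADIUS")],
        pool=["10.0.100.10-10.0.100.20"], tunnel_auth={"method": "psk", "key": "example-psk"},
    )
    print(check(sample) or "no problems found")
```

The case-sensitivity hint is the check most worth keeping: a group named "l2tp-users" is silently not the same principal as "L2TP-Users" on the authentication server, and the wizard accepts the name without validating it.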