About L2TP Policies
When you configure a mobile VPN, the Firebox automatically creates two types of policies:
Connect policy
The connect policy allows the VPN to establish. Mobile VPN with L2TP has two connect policies:
- Allow-IKE-to-Firebox — This policy is hidden, which means it does not appear in the Firebox policies list. In the global VPN settings, the Enable built-in IPSec policy setting controls this policy. Do not clear the Enable built-in IPSec policy check box. For more information about global VPN settings, go to About Global VPN Settings.
- WatchGuard L2TP — This policy allows UDP 1701 traffic from the alias L2TP-IPSec to the Firebox.
We recommend that you do not change the connect policies.
Access policy
The access policy allows Mobile VPN with L2TP groups and users to get access to resources on your network. For Mobile VPN with L2TP, the access policy is named Allow L2TP-Users.
If you use a wizard to enable Mobile VPN with L2TP in Policy Manager:
- You can specify which network resources L2TP users can access. If you select Allow access to all resources, the To list in the Allow L2TP-Users policy includes only the alias Any, which means that users can access all network resources.
- If you select Restrict access to the resources specified below, the To list in the Allow L2TP-Users policy includes only the resources you specified.
If you use a wizard to enable Mobile VPN with L2TP in Fireware Web UI, the option to specify network resources does not appear. By default, the Allow L2TP-Users policy allows users to access all network resources.
After you complete the wizard in Policy Manager or Fireware Web UI, you can edit the Allow L2TP-Users policy to change the allowed resources.
Only the L2TP-Users group appears in the From list of the Allow L2TP-Users policy. The L2TP-Users group includes any users and groups that you add to the Mobile VPN with L2TP configuration. Users and groups that you add to the Mobile VPN with L2TP configuration do not appear in the From list of the Allow L2TP-Users policy. However, the policy still applies to those users and groups.
Authentication Groups and L2TP Policies
It is important to understand that Firebox policies control which resources mobile VPN users can access. VPNs are not considered to be part of the Trusted or Optional zones. When users connect to the VPN, they are not considered to be trusted users on the local network.
This means that Firebox policies with the Trusted or Optional aliases in the From list do not apply to traffic from mobile VPN users unless you add mobile VPN groups or users to those policies. Or, you can create new policies for traffic from mobile VPN groups and users.
For example, a policy whose From list includes only the alias Any-Trusted does not apply to traffic from Mobile VPN with L2TP users.
A policy whose From list includes a Mobile VPN with L2TP user group does apply to traffic from Mobile VPN with L2TP users.
A policy whose From list includes the RADIUS user group TestGroup1 also applies to traffic from Mobile VPN with L2TP users, because TestGroup1 is specified in the Mobile VPN with L2TP configuration.
Carefully consider which user groups you add to Firebox policies. For example, if you add RADIUS user groups to the authentication configuration on your Firebox, and you add the same groups to your Mobile VPN with L2TP configuration, consider adding the RADIUS groups to Firebox policies rather than the default L2TP-Users group. The L2TP-Users group includes all groups and users that you add to the Mobile VPN with L2TP configuration. If you add the L2TP-Users group to a Firebox policy, all mobile users have access to the resources specified in that policy, which might not be your intention.
Virtual IP address pools do not affect whether VPN users are considered as trusted users on the local network. For example, if you specify an IP address pool for Mobile VPN with L2TP that overlaps with the IP address range of your local network, mobile VPN users are still not considered as trusted users on the local network.
Best Practices for L2TP Policies
We recommend that you limit which network resources Mobile VPN with L2TP users can access through the VPN. To do this, you can replace the Allow L2TP-Users policy.
To replace the Allow L2TP-Users policy:
- Determine the ports and protocols your users require. To determine this, assess your network with baseline tests and view logs.
- Add Mobile VPN with L2TP groups and users to existing Firebox policies that specify those ports and protocols. For example, you can add Mobile VPN with L2TP groups and users to policies for web traffic.
- If required, add new policies:
  - When you select a policy type for the new policy, you can specify a protocol and port.
  - In the From list of the policy, specify users or groups. You must specify groups or users included in the Mobile VPN with L2TP configuration. For example, you can specify the default L2TP-Users group, or specify groups and users that you added to the Mobile VPN with L2TP configuration.
  - In the To list of the policy, remove the Any alias and add other destinations.
- Before you disable the Allow L2TP-Users policy, make sure your policies allow Mobile VPN with L2TP users to access all required network resources.
- Disable the Allow L2TP-Users policy.
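As an added example (not WatchGuard code and not how Fireware is implemented), the following Python models the matching rules described in the Authentication Groups section: a policy's From list is matched against aliases and user groups, never against the virtual IP a client received, and the last step of the procedure above becomes a check for which required access is lost once Allow L2TP-Users is disabled. All policy, user and destination names are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    name: str
    from_list: frozenset              # aliases and user groups, e.g. "Any-Trusted"
    to_list: frozenset                # "Any" or named destinations
    ports: "frozenset | None" = None  # (proto, port) pairs; None means any port
    enabled: bool = True

@dataclass(frozen=True)
class VpnUser:
    name: str
    groups: frozenset                 # groups added to the Mobile VPN with L2TP config

def source_aliases(user):
    # Every L2TP user is implicitly in L2TP-Users. Mobile VPN users are never in
    # Trusted or Optional, so no zone alias is added and IPs are not consulted.
    return user.groups | {"L2TP-Users"}

def policy_applies(policy, user, dest, proto, port):
    """True if the policy allows this VPN user's traffic to dest on proto/port."""
    if not policy.enabled or not (policy.from_list & source_aliases(user)):
        return False
    if "Any" not in policy.to_list and dest not in policy.to_list:
        return False
    return policy.ports is None or (proto, port) in policy.ports

def unmet_access(policies, required):
    """Required (user, dest, proto, port) tuples that no enabled policy allows."""
    return [r for r in required if not any(policy_applies(p, *r) for p in policies)]

# Constructed sample configuration (hypothetical names)
ALICE = VpnUser("alice", frozenset({"TestGroup1"}))  # RADIUS group, also in L2TP config
BOB = VpnUser("bob", frozenset({"Contractors"}))
DEFAULT = Policy("Allow L2TP-Users", frozenset({"L2TP-Users"}), frozenset({"Any"}))
WEB = Policy("HTTPS-out", frozenset({"Any-Trusted"}), frozenset({"Any"}),
             frozenset({("tcp", 443)}))
RDP = Policy("RDP-TestGroup1", frozenset({"TestGroup1"}), frozenset({"rdp-server"}),
             frozenset({("tcp", 3389)}))
REQUIRED = [(ALICE, "rdp-server", "tcp", 3389), (BOB, "web-proxy", "tcp", 443)]

def check_before_disabling_default():
    """What L2TP users lose if the default policy is disabled as-is."""
    return unmet_access([replace(DEFAULT, enabled=False), WEB, RDP], REQUIRED)

def check_after_adding_vpn_group():
    """Same check after L2TP-Users is added to the From list of the web policy."""
    web_vpn = replace(WEB, from_list=WEB.from_list | {"L2TP-Users"})
    return unmet_access([replace(DEFAULT, enabled=False), web_vpn, RDP], REQUIRED)
```

Bob's HTTPS access is reported as unmet until the web policy's From list gains a VPN group, even though a trusted host on the same subnet would match Any-Trusted.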