L2TP over IPsec
This is an example of L2TP over IPsec.
This example uses a locally defined user for authentication, a Windows PC or Android tablet as the client, and net‑device
is set to enable
in the phase1‑interface
settings. If net-device
is set to disable
, only one device can establish an L2TP over IPsec tunnel behind the same NAT device.
To configure L2TP over an IPsec tunnel using the GUI:
- Go to VPN > IPsec Wizard.
- Enter a VPN Name. In this example, L2tpoIPsec.
- Configure the following settings for VPN Setup:
- For Template Type, select Remote Access.
- For Remote Device Type, select Native and Windows Native.
- Click Next.
- Configure the following settings for Authentication:
- For Incoming Interface, select port9.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter your-psk as the key.
- For User Group, select L2tpusergroup
- Click Next.
- Configure the following settings for Policy & Routing:
- From the Local Interface dropdown menu, select port10.
- Configure the Local Address as 172.16.101.0.
- Configure the Client Address Range as 10.10.10.1-10.10.10.100.
- Leave the Subnet Mask at its default value.
- Click Create.
To configure L2TP over an IPsec tunnel using the CLI:
- Configure the WAN interface and static route on HQ.
config system interface edit "port9" set alias "WAN" set ip 22.1.1.1 255.255.255.0 next edit "port10" set alias "Internal" set ip 172.16.101.1 255.255.255.0 next end config router static edit 1 set gateway 22.1.1.2 set device "port9" next end
- Configure IPsec phase1-interface and phase2-interface on HQ.
config vpn ipsec phase1-interface edit "L2tpoIPsec" set type dynamic set interface "port9" set peertype any set proposal aes256-md5 3des-sha1 aes192-sha1 set dpd on-idle set dhgrp 2 set net-device enable set psksecret sample set dpd-retryinterval 60 next end config vpn ipsec phase2-interface edit "L2tpoIPsec" set phase1name "L2tpoIPsec" set proposal aes256-md5 3des-sha1 aes192-sha1 set pfs disable set encapsulation transport-mode set l2tp enable next end
- Configure a user and user group on HQ.
config user local edit "usera" set type password set passwd usera next end config user group edit "L2tpusergroup" set member "usera" next end
- Configure L2TP on HQ.
config vpn l2tp set status enable set eip 10.10.10.100 set sip 10.10.10.1 set usrgrp "L2tpusergroup" end
- Configure a firewall address that is applied in L2TP settings to assign IP addresses to clients once the L2TP tunnel is established.
config firewall address edit "L2TPclients" set type iprange set start-ip 10.10.10.1 set end-ip 10.10.10.100 next end
- Configure a firewall policy.
config firewall policy edit 1 set name "Bridge_IPsec_port9_for_l2tp negotiation" set srcintf "L2tpoIPsec" set dstintf "port9" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "L2TP" next edit 2 set srcintf "L2tpoIPsec" set dstintf "port10" set srcaddr "L2TPclients" set dstaddr "172.16.101.0" set action accept set schedule "always" set service "ALL" set nat enable next end
To view the VPN tunnel list on HQ:
diagnose vpn tunnel list list all ipsec tunnel in vd 0 ---- name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0 bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg parent=L2tpoIPsec index=0 proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0 stat: rxp=470 txp=267 rxb=57192 txb=12679 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:10.1.100.15-10.1.100.15:0 SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048 seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0 life: type=01 bytes=0/0 timeout=3585/3600 dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432 enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9 ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744 npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0 ---- name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916 bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg parent=L2tpoIPsec index=1 proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0 stat: rxp=5 txp=4 rxb=592 txb=249 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:22.1.1.2-22.1.1.2:0 SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000005 itn=0 life: type=01 bytes=0/0 timeout=28790/28800 dec: spi=ca646446 esp=aes key=32 ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec enc: spi=0b514df2 esp=aes key=32 a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196 ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d dec:pkts/bytes=5/245, enc:pkts/bytes=4/464 npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0
To view the L2TP VPN status:
diagnose debug enable diagnose vpn l2tp status ---- ---- HQ # Num of tunnels: 2 ---- Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701 control_seq_num = 2, control_rec_seq_num = 4, last recv pkt = 2 Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1, assigned ip = 10.10.10.2 data_seq_num = 0, tx = 152 bytes (2), rx= 21179 bytes (205) Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825 control_seq_num = 2, control_rec_seq_num = 4, last recv pkt = 2 Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2, assigned ip = 10.10.10.3 data_seq_num = 0, tx = 152 bytes (2), rx= 0 bytes (0) ---- --VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100 enforece-ipsec = false ----