VPN_l2tpServerSetup

VPN > L2TP Server

The SonicWALL SuperMassive can terminate L2TP-over-IPsec connections from incoming Microsoft Windows or Google Droid clients. In situations where running the SonicWALL Global VPN Client is not possible, you can use the SonicWALL L2TP Server to provide secure access to resources behind the SonicWALL SuperMassive appliances.

You can use Layer 2 Tunneling Protocol (L2TP) to create VPN over public networks such as the Internet. L2TP provides interoperability between different VPN vendors that protocols such as PPTP and L2F do not, although L2TP combines the best of both protocols and is an extension of them.

L2TP supports several of the authentication options supported by PPP, including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). You can use L2TP to authenticate the endpoints of a VPN tunnel to provide additional security, and you can implement it with IPsec to provide a secure, encrypted VPN solution.

This chapter includes the following sections:

• “Configuring the L2TP Server” section on page 575

• “Viewing Currently Active L2TP Sessions” section on page 576

• “Configuring Microsoft Windows L2TP VPN Client Access” section on page 576

• “Configuring Google Droid L2TP VPN Client Access” section on page 578

Note         For more complete information on configuring the L2TP Server, see the technote Configuring the L2TP Server in SonicOS located on the SonicWALL documentation site:
http://www.sonicwall.com/us/Support.html.

Configuring the L2TP Server

The VPN > L2TP Server page provides the settings for configuring the SonicWALL SuperMassive as a LT2P Server.

To configure the L2TP Server, follow these steps:

1. To enable L2TP Server functionality on the SonicWALL SuperMassive, select Enable L2TP Server. Then click Configure to display the L2TP Server Configuration window.

2. Enter the number of seconds in the Keep alive time (secs) field to send special packets to keep the connection open. The default is 60 seconds.

3. Enter the IP address of your first DNS server in the DNS Server 1 field. If you have a second DNS server, type the IP address in the DNS Server 2 field.

4. Enter the IP address of your first WINS server in the WINS Server 1 field. If you have a second WINS server, type the IP address in the WINS Server 2 field.

5. Select IP address provided by RADIUS/LDAP Server if a RADIUS/LDAP server provides IP addressing information to the L2TP clients.

6. If the L2TP Server provides IP addresses, select Use the Local L2TP IP pool. Enter the range of private IP addresses in the Start IP and End IP fields. The private IP addresses should be a range of IP addresses on the LAN.

7. If you have configured a specific user group defined for using L2TP, select it from the User Group for L2TP users menu or use Everyone.

8. Click OK.

Viewing Currently Active L2TP Sessions

• User Name - The user name assigned in the local user database or the RADIUS user database.

• PPP IP - The source IP address of the connection.

• Zone - The zone used by the LT2P client.

• Interface - The interface used to access the L2TP Server, whether it is a VPN client or another SonicWALL SuperMassive.

• Authentication - Type of authentication used by the L2TP client.

• Host Name - The name of the L2TP client connecting to the L2TP Server.

Configuring Microsoft Windows L2TP VPN Client Access

This section provides a configuration example for enabling L2TP client access to the SonicWALL WAN GroupVPN SA using the built-in L2TP Server and Microsoft's L2TP VPN Client.

To enable Microsoft L2TP VPN Client access to the SonicWALL WAN GroupVPN SA, perform the following steps:

1. Navigate to the VPN > Settings page. For the WAN GroupVPN policy, click the configure icon button.

2. For the General tab, select IKE using Preshared Secret from the Authentication Method pull-down menu. Enter a shared secret passphrase to complete the client policy configuration. And click the OK button.

3. Navigate to the VPN > L2TP Server page. In the L2TP Server Settings section, click the Enable the L2TP Server checkbox. And click the Configure button. The L2TP Server Settings configuration page displays.

4. Provide the following L2TP server settings:

• Keep alive time (secs): 60

• DNS Server 1: 199.2.252.10 (or use your ISP's DNS)

• DNS Server 2: 4.2.2.2 (or use your ISP's DNS)

• DNS Server 3: 0.0.0.0 (or use your ISP's DNS)

• WINS Server 1: 0.0.0.0 (or use your WINS IP)

• WINS Server 2: 0.0.0.0 (or use your WINS IP)

5. Provide the IP address settings:

• IP address provided by RADIUS/LDAP Server: Disabled

• Use the Local L2TP IP Pool: Enabled

• Start IP: 10.20.0.1 (example)

• End IP: 10.20.0.20 (example)

Note         Use any unique private range.

6. In the L2TP Users section, select Trusted Users from the User Group for L2TP Users pull-down menu.

7. Navigate to the Users > Local Users page. Click the Add User button.

8. In the Settings tab, specify a user name and password.

9. In the VPN Access tab, add the desired network address object(s) that the L2TP clients to the access list networks.

Note         Alternatively you can add these networks to the 'Everyone' or 'Trusted Users' Group.

10. Navigate to the Network > NAT Policies page. Click the Add... button to add a new NAT policy.

11. Add a NAT Policy with the following settings:

• Original Source: L2TP IP Pool

• Translated Source: WAN Primary IP

• Original Destination: Any

• Translated Destination: Original

• Original Service: Any 

• Translated Service: Original

• Inbound Interface: Any

• Outbound Interface: WAN or X1

• Comment: L2TP Outbound NAT

• Click the Enable NAT Policy checkbox.

• Leave the Create a reflexive policy checkbox disabled.

12. Navigate to the Firewall > Access Rules page. Click the Add.. button to add a new access rule.

13. Add a network access rule with the following settings:

• Action: Allow

• Service: Any

• Source: WAN RemoteAccess Networks

• Destination: Any

• Users Allowed: All

• Schedule: Always on

• Comment: L2TP Internet access

Note         You have now completed the SonicOS configuration.

14. On your Microsoft Windows computer, complete the following L2TP VPN Client configuration to enable secure access:

• Navigate to the Windows > Start > Control Panel > Network Connections.

• Open the New Connection Wizard. Click Next.

• Choose "Connect to the network at my workplace." Click Next.

• Choose "Virtual Private Network Connection." Click Next.

• Enter a name for your VPN connection. Click Next.

• Enter the Public (WAN) IP address of the SonicWALL SuperMassive. Alternatively, you can use a domain name that points to the SonicWALL SuperMassive. Click Next, then click Finish. The connection window will appear. Click Properties.

• Click the Security tab. Click on "IPSec Settings". Enable "Use pre-shared key for authentication". Enter your pre-shared secret. Click OK.

• Click the Networking tab. Change "Type of VPN" from "Automatic" to "L2TP IPSec VPN". Click OK.

• 10) Enter your XAUTH username and password. Click Connect.

15. Verify your Microsoft Windows L2TP VPN device is connected by navigating to the VPN > Settings page. The VPN client is displayed in the Currently Active VPN Tunnels section.

Configuring Google Droid L2TP VPN Client Access

This section provides a configuration example for enabling L2TP client access to the SonicWALL WAN GroupVPN SA using the built-in L2TP Server and Google Droid’s L2TP VPN Client.

To enable Google Droid L2TP VPN Client access to the SonicWALL WAN GroupVPN SA, perform the following steps:

1. Navigate to the VPN > Settings page. For the WAN GroupVPN policy, click the configure icon button.

2. For the General tab, select IKE using Preshared Secret from the Authentication Method pull-down menu. Enter a shared secret passphrase to complete the client policy configuration. And click the OK button.

3. For the Proposals tab for provide the following settings for IKE (Phase 1) Proposal and IPsec (Phase 2) Proposal:

• DH Group: Group 2 

• Encryption: 3DES 

• Authentication: SHA1 

• Life Time (seconds): 28800 

• Protocol: ESP 

• Encryption: DES

• Authentication: SHA1 

• Enable Perfect Forward Secrecy: Enabled

• Life Time (seconds): 28800

4. In the Advanced tab, provide the following settings:

• Enable Windows Networking (NetBIOS) Broadcast: Enabled

• Enable Multicast: Disabled

• Management via this SA: Disabled all

• Default Gateway: 0.0.0.0

• Require authentication of VPN clients by XAUTH: Enabled 

• User group for XAUTH users: Trusted Users

5. In the Client tab, provide the following settings:

• Cache XAUTH User Name and Password on Client: Single Session or Always

• Virtual Adapter setting: DHCP Lease

• Allow Connections to: Split Tunnels

• Set Default Route as this Gateway: Disabled

• Use Default Key for Simple Client Provisioning: Enabled

6. Navigate to the VPN > L2TP Server page. In the L2TP Server Settings section, click the Enable the L2TP Server checkbox. And click the Configure button. The L2TP Server Settings configuration page displays.

7. Provide the following L2TP server settings:

• Keep alive time (secs): 60

• DNS Server 1: 199.2.252.10 (or use your ISP's DNS)

• DNS Server 2: 4.2.2.2 (or use your ISP's DNS)

• DNS Server 3: 0.0.0.0 (or use your ISP's DNS)

• WINS Server 1: 0.0.0.0 (or use your WINS IP)

• WINS Server 2: 0.0.0.0 (or use your WINS IP)

8. Provide the IP address settings:

• IP address provided by RADIUS/LDAP Server: Disabled

• Use the Local L2TP IP Pool: Enabled

• Start IP: 10.20.0.1 (example)

• End IP: 10.20.0.20 (example)

Note         Use any unique private range.

9. In the L2TP Users section, select Trusted Users from the User Group for L2TP Users pull-down menu.

10. Navigate to the Users > Local Users page. Click the Add User button.

11. In the Settings tab, specify a user name and password.

12. In the VPN Access tab, add the desired network address object(s) that the L2TP clients to the access list networks.

Note         At the minimum add the LAN Subnets, LAN Primary Subnet, and L2TP IP Pool address objects to the access list.

Note         You have now completed the SonicOS configuration.

13. On your Google Droid device, complete the following L2TP VPN Client configuration to enable secure access:

• Navigate to the APP page, and select the Settings icon. From the Settings menu, select Wireless & networks.

• Select VPN Settings, and click Add VPN.

• Select Add L2TP/IPSec PSK VPN.

• VPN Name: enter a VPN friendly name

• Set VPN Server: enter the public IP address of SonicWALL SuperMassive

• Set IPSec pre-shared key: enter the passphrase for your WAN GroupVPN policy

• L2TP secret: leave blank

• LAN domain: optional setting

• Enter your XAUTH username and password. Click Connect.

14. Verify your Google Droid device is connected by navigating to the VPN > Settings page. The VPN client is displayed in the Currently Active VPN Tunnels section.