Shanghai Yibai Information Technology Co., Ltd. (上海宜柏信息技术有限公司)
SonicWALL Firewall L2TP VPN Configuration Method

Introduction

This document explains how to configure L2TP client access to the SonicWALL GroupVPN SA using the built-in L2TP Server and Microsoft's L2TP VPN client. L2TP client users will be granted access to the LAN behind the SonicWALL security appliance, and all Internet traffic for these users will also be routed through the VPN tunnel. This is not a split tunnel configuration. This guide is for SonicOS Enhanced 2.x, 3.x, 4.x and 5.x firmware. The guide is intended for Microsoft Windows XP Service Pack 2 (SP2) users. Users without SP2 (or on SP1) may not be able to use this guide, as Microsoft has recently updated the L2TP client.

SonicWALL Appliance Configuration

Follow these steps to configure the SonicWALL security appliance to accept the L2TP connection:

Step 1: Select Network > Address Objects.

Step 2: Add the following address object:

  • Name: 'L2TP Subnet'
  • Type: Network
  • Network: 10.10.50.0 (The Class C network address of your L2TP Pool)
  • Netmask: 255.255.255.0
  • Zone Assignment: VPN

Step 3: Select Users > Settings and make the following configuration change:

  • Authentication Method: RADIUS + Local Users

Step 4: Select VPN > L2TP Server, enable the L2TP Server, click Configure and set the options as follows:

  • Keep alive time (secs): 60
  • DNS Server 1: 4.2.2.2 (or use your ISP's DNS)
  • DNS Server 2: 4.2.2.1 (or use your ISP's DNS)
  • DNS Server 3: 0.0.0.0 (or use your ISP's DNS)
  • WINS Server 1: 0.0.0.0 (or use your WINS IP)
  • WINS Server 2: 0.0.0.0 (or use your WINS IP)
  • IP address provided by RADIUS/LDAP Server: Disabled
  • Use the Local L2TP IP Pool: Enabled
  • Start IP: 10.10.50.10 *EXAMPLE*
  • End IP: 10.10.50.20 *EXAMPLE* Note: Use any unique private range.
  • User Group for L2TP Users: Trusted Users or Everyone

Step 5: Select Users > Local Users.

Step 6: Add a user and add these objects to the VPN Access list:

  • L2TP Subnet
  • WAN RemoteAccess Networks
  • LAN Primary IP
  • LAN Subnets

NOTE: Alternatively, you can add these networks to the Everyone or Trusted Users Group. Also, add any other Address Objects to which you require access.

Step 7: Select Network > NAT Policies and add a NAT Policy with these settings:

  • Original Source: L2TP Subnet
  • Translated Source: WAN Primary IP
  • Original Destination: Any
  • Translated Destination: Original
  • Original Service: Any
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: WAN or X1
  • Comment: L2TP Client NAT
  • Enable NAT Policy: Enabled
  • Create a reflexive policy: Disabled

Step 8: Select VPN > Settings and configure the WAN GroupVPN policy with the following settings:

General tab:
  • Enter a Shared Secret.
Proposals tab:
  • IKE (Phase 1) Proposal
    • DH Group: Group 2
    • Encryption: 3DES
    • Authentication: SHA1
    • Life Time (seconds): 28800
  • IPSec (Phase 2) Proposal
    • Protocol: ESP
    • Encryption: 3DES
    • Authentication: SHA1
    • Enable Perfect Forward Secrecy (PFS): Disabled (Optional)
    • DH Group: Disabled (Not applicable if PFS is disabled)
    • Life Time (seconds): 28800
Advanced tab:
  • Enable Windows Network (NetBIOS) Broadcast: Enabled (Optional)
  • Enable Multicast: Disabled (Optional)
  • Management via this SA:
    • HTTP: Enabled (Optional)
    • HTTPS: Enabled (Optional)
  • Default LAN Gateway: Public (WAN) IP of the SonicWALL.
  • Require Authentication of VPN Clients via XAUTH: Enabled
  • User Group for XAUTH Users: Trusted Users or Everyone
  • Allow Unauthenticated VPN Client Access: Disabled
Client tab:
  • Cache XAUTH User Name and Password on Client: Always
  • Virtual Adapter settings: DHCP Lease
  • Allow Connections to: "This Gateway only" or "All Secured Gateways" (if you need access to site-to-site VPNs).
  • Set Default Route as this Gateway: Enabled
  • Require Global Security Client for this Connection: Disabled
  • Use Default Key for Simple Client Provisioning: Disabled

Step 9: Select VPN > DHCP over VPN, choose Central Gateway, click Configure and make the following adjustments:

  • Use Internal DHCP Server: Enabled
  • For Global VPN Client: Enabled
  • For Remote Firewall: Disabled
  • Send DHCP requests to the server address listed below: Disabled
  • Relay IP Address (Optional): 0.0.0.0

Step 10: Select Firewall > Access Rules and Add this VPN to WAN rule:

  • From Zone: VPN
  • To Zone: WAN
  • Source: WAN Remote Access Networks
  • Destination: Any
  • Service: Any
  • Action: Allow
  • Users: All
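The appliance settings in steps 2, 4, 6 and 7 only work together if the L2TP pool sits inside the 'L2TP Subnet' address object, the subnet is a private range that does not collide with the LAN, and the NAT policy and VPN Access list refer to that same object. The following Python script is an added consistency check written for this article, not a SonicWALL tool or code from the original page; the LAN subnet value is a constructed example and the other values mirror the examples above.

```python
from ipaddress import ip_address, ip_network

# Constructed values mirroring the example settings in steps 2, 4, 6 and 7.
# Replace them with the values used in your own SonicWALL configuration.
L2TP_SUBNET = "10.10.50.0/24"                        # 'L2TP Subnet' object (step 2)
POOL_START, POOL_END = "10.10.50.10", "10.10.50.20"  # local L2TP IP pool (step 4)
LAN_SUBNETS = ["192.168.168.0/24"]                   # constructed LAN subnet
NAT_POLICY = {"original_source": "L2TP Subnet",
              "translated_source": "WAN Primary IP"}  # step 7
VPN_ACCESS = ["L2TP Subnet", "WAN RemoteAccess Networks",
              "LAN Primary IP", "LAN Subnets"]        # step 6


def check_l2tp_config(subnet, start, end, lan_subnets, nat_policy, vpn_access):
    """Return a list of problems found; an empty list means the pieces agree."""
    problems = []
    net = ip_network(subnet, strict=True)
    first, last = ip_address(start), ip_address(end)
    # The pool must lie inside the address object that the NAT policy and the
    # VPN Access list refer to, otherwise client traffic is never matched.
    if first > last:
        problems.append("pool start is after pool end")
    if first not in net or last not in net:
        problems.append("pool %s-%s is outside %s" % (start, end, subnet))
    elif first == net.network_address or last == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    # "Use any unique private range": the pool must be RFC 1918 space and must
    # not overlap a LAN subnet, or routes for LAN hosts become ambiguous.
    if not net.is_private:
        problems.append("%s is not a private range" % subnet)
    for lan in lan_subnets:
        if net.overlaps(ip_network(lan)):
            problems.append("%s overlaps LAN subnet %s" % (subnet, lan))
    # Step 7 hides the pool behind the WAN IP for Internet-bound traffic.
    if nat_policy.get("original_source") != "L2TP Subnet":
        problems.append("NAT policy original source is not the L2TP Subnet")
    if nat_policy.get("translated_source") != "WAN Primary IP":
        problems.append("NAT policy does not translate to WAN Primary IP")
    # Step 6: without these objects the user cannot reach the LAN or Internet.
    for required in ("L2TP Subnet", "WAN RemoteAccess Networks", "LAN Subnets"):
        if required not in vpn_access:
            problems.append("VPN Access list is missing %s" % required)
    return problems


if __name__ == "__main__":
    found = check_l2tp_config(L2TP_SUBNET, POOL_START, POOL_END,
                              LAN_SUBNETS, NAT_POLICY, VPN_ACCESS)
    for line in found or ["configuration is consistent"]:
        print(line)
```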

Notes:

  • Microsoft Windows XP Service Pack (SP) 2 L2TP clients will not be able to connect to the SonicWALL's L2TP server if the appliance is behind a NAT device. See Microsoft Knowledge Base article 885407, "The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2", for a System Registry modification that reverses this situation.
  • The L2TP client in Windows XP Service Pack 2 utilizes an updated NAT Traversal implementation (NAT-T v2) which is not currently supported on SonicOS Standard firmware.

The SonicWALL portion of the configuration is complete.

L2TP Client Configuration

Follow these steps to configure the L2TP client on Microsoft Windows XP Professional, Service Pack 2:

  1. Go to the Control Panel.
  2. Go to Network Connections.
  3. Open the New Connection Wizard. Click Next.
  4. Choose "Connect to the network at my workplace." Click Next.
  5. Choose "Virtual Private Network Connection." Click Next.
  6. Enter a name for your VPN connection. Click Next.
  7. Enter the Public (WAN) IP address of the SonicWALL. Alternatively, you can use a domain name that points to the SonicWALL. Click Next, then click Finish. The connection window will appear. Click Properties.
  8. Go to the Security tab. Click on "IPSec Settings". Enable "Use pre-shared key for authentication". Enter your pre-shared secret. Click OK.
  9. Go to the Networking tab. Change "Type of VPN" from "Automatic" to "L2TP IPSec VPN". Click OK.
  10. Enter your XAUTH username and password. Click Connect.

Once the connection has been established, Internet access should be available. Access to the internal network will also be available.

Source: http://www.yibain.com/te_news_industry_copy/2011-02-18/2361.chtml