
Allowing Remote Users to Access a Private Network Using L2TP over IPSec VPN

This example shows how to use L2TP over IPSec VPN to give remote users access to the corporate internal network.

The topology is shown below. A remote user, located at home or in a hotel, accesses the Internet through a router with NAT enabled. The remote user connects over L2TP over IPSec VPN to the server (PC1) in the corporate internal network, which is protected by device A.

*Due to the lab environment, 10.10.1.0/24 is used to represent the public network segment.

The configuration process consists of five parts:

  • Configure basic settings
  • Configure IPSec VPN
  • Configure L2TP VPN
  • Set up a VPN connection in Windows
  • Adjust whether to use IPSec for L2TP VPN

Configuring Basic Settings

In device A, configure the following settings:

Step 1: Configuring the interfaces

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: dmz
  • Type: Static IP
  • IP Address: 192.168.1.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring the interface connected to Internet

Select Network > Interface, and double-click ethernet0/2.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 10.10.1.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring the tunnel interface

Select Network > Interface > New > Tunnel Interface.

  • Interface name: tunnel1
  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • IP Address: 192.168.3.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Step 2: Configuring a security policy

Configure a security policy that allows traffic to flow from the Trust zone, where the tunnel interface is located, to the DMZ zone, where the internal server is located.

Select Policy > Security Policy > New.

  • Name: trust_to_dmz
  • Source
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: dmz
    • Address: Any
  • Other
    • Service/Service Group: Any
  • Action: Permit

Configuring IPSec VPN

In device A, configure the following settings:

Step 1: Creating a P1 proposal and a P2 proposal

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

  • Proposal Name: p1forl2tp
  • Authentication: Pre-share
  • Hash: SHA
  • Encryption: 3DES
  • DH Group: Group2
  • Lifetime: 86400

In the P2 Proposal tab, click New.

  • Proposal Name: p2forl2tp
  • Protocol: ESP
  • Hash: SHA
  • Encryption: 3DES
  • Compression: None
  • PFS Group: No PFS
  • Lifetime: 28800
  • Lifesize: Enable
    • Lifesize: 250000

Step 2: Configuring a VPN peer

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

  • Name: toclient
  • Interface: ethernet0/2
  • Mode: Main
  • Type: User Group
  • AAA Server: local
  • Proposal1: p1forl2tp
  • Pre-shared Key: hillstone

In the Advanced tab, configure the following settings:

  • NAT Traversal: Enable
  • Any Peer ID: Enable
  • Keep the default of other parameters

Step 3: Configuring IKE VPN

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

  • Peer
    • Peer Name: toclient
  • Tunnel
    • Name: toclienttunnel
    • Mode: transport
    • P2 proposal: p2forl2tp

In the Advanced tab, configure the following settings:

  • Accept-all-proxy-ID: Enable
  • Keep the default of other parameters

Configuring L2TP VPN

In device A, configure the following settings:

Step 1: Creating an L2TP address pool

Select Network > VPN > L2TP VPN > Address Pool.

In the Address Pool dialog, click New.

  • Address Pool Name: pool1
  • Start IP: 192.168.3.2
  • End IP: 192.168.3.100

Step 2: Adding a user in the 'local' AAA server

Select Object > User > Local User > New > User.

  • Name: user1
  • Password: hillstone
  • Confirm Password: hillstone

Step 3: Configuring an L2TP VPN instance

Select Network > VPN > L2TP VPN > New.

In the Name/Access User tab, configure the following settings:

  • L2TP VPN Name: l2tpinstance1
  • AAA Server: local
  • Click Add

In the Interface/Address Pool/IPSec Tunnel tab, configure the following settings:

  • Egress Interface: ethernet0/2
  • Tunnel Interface: tunnel1
  • Address Pool: pool1
  • L2TP over IPSec: toclienttunnel


Setting up a VPN Connection

The steps for setting up a VPN connection differ between Windows operating systems. Windows 7 and Windows XP/2003 are used as examples.

Steps of setting up a VPN connection in Windows XP/2003

Set up a connection:

  1. In Control Panel, double-click Network Connections.
  2. From the Network Tasks pane, click Create a new connection. The New Connection Wizard dialog appears.
  3. In the pop-up dialog, click Next.
  4. Select Connect to the network at my workplace. Then click Next.
  5. Select Virtual Private Network connection. Then click Next.
  6. Enter a name for this connection in the Company Name text box: L2TPoverIPSec. Then click Next.
  7. Enter the IP address of the VPN server: 10.10.1.1. Then click Next.
  8. Click Finish.

Configure the Security properties of this connection:

  1. After you have completed the new connection wizard, the Connect L2TPoverIPSec dialog appears.
  2. Click Properties. The L2TPoverIPSec Properties dialog appears.
  3. Select the Security tab.
  4. Select Advanced (custom settings). Then click Settings. The Advanced Security Settings dialog appears.
  5. In the Data encryption drop-down menu, select Optional encryption (connect even if no encrypting).
  6. In the Logon security section, select Allow these protocols.
  7. Continue to select Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP).
  8. Click OK to close the Advanced Security Settings dialog and return to the L2TPoverIPSec Properties dialog.
  9. Click IPSec Settings.
  10. Select Use pre-shared key for authentication and enter the pre-shared key hillstone.
  11. Click OK to close the IPSec Settings dialog.

Configure the Networking properties of this connection:

  1. In the L2TPoverIPSec Properties dialog, select the Networking tab.
  2. In the Type of VPN drop-down menu, select L2TP IPSec VPN.
  3. Ensure that you have selected the Internet Protocol (TCP/IP) check box.
  4. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:

  1. Find the L2TPoverIPSec connection and double-click it.
  2. Enter the user name: user1
  3. Enter the password: hillstone
  4. Click Connect.
  5. After the connection is successful, you can visit the internal server 192.168.1.2.

Steps of setting up a VPN connection in Windows 7

Set up a connection:

  1. Select Control Panel > Network and Internet > Network and Sharing Center.
  2. Click Set up a new connection or network.
  3. In the pop-up dialog, select Connect to a workplace. Then click Next.
  4. Select Use my Internet connection (VPN).
  5. Enter the IP address of the VPN server: 10.10.1.1
  6. Enter the destination name: L2TPoverIPSec
  7. Select Don't connect now; just set it up so I can connect later. Then click Next.
  8. Enter the username: user1
  9. Enter the password: hillstone
  10. Click Create.
  11. After the connection is ready to use, click Close.

Configure the Security properties of this connection:

  1. In the Network and Sharing Center, click Change adapter settings.
  2. Find the L2TPoverIPSec connection and right-click it.
  3. In the pop-up menu, select Properties. The L2TPoverIPSec Properties dialog appears.
  4. Select the Security tab.
  5. In the Type of VPN drop-down menu, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
  6. Click Advanced settings, select Use preshared key for authentication, then enter the key hillstone.
  7. In the Data encryption drop-down menu, select Optional encryption (connect even if no encryption).
  8. In the Authentication section, select Allow these protocols and then select Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Configure the Networking properties of this connection:

  1. In the L2TPoverIPSec Properties dialog, select the Networking tab.
  2. Ensure that you have selected the Internet Protocol Version 4 (TCP/IPv4) check box.
  3. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:

  1. Find the L2TPoverIPSec connection and double-click it.
  2. Enter the password: hillstone
  3. Click Connect.
  4. After the connection is successful, you can visit the intranet server 192.168.1.2.
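The two Windows walkthroughs above create the same connection by hand; the following PowerShell script is an added example (not from this cookbook and not Hillstone code) that builds it with the VpnClient cmdlets and then verifies that the L2TP session is actually protected by an IPsec SA. It assumes Windows 8 / Server 2012 or later, since Add-VpnConnection and Get-NetIPsecQuickModeSA do not exist on Windows XP or Windows 7, and it uses the page's values: server 10.10.1.1, connection name L2TPoverIPSec, pre-shared key hillstone, user user1, PAP/CHAP allowed and PPP encryption set to Optional.

```powershell
# Added example: build the Windows-side L2TP/IPsec connection from the walkthrough
# and confirm that IPsec is wrapping it. Run in an elevated PowerShell session on
# Windows 8 / Server 2012 or later (assumption: VpnClient and NetSecurity modules present).

$ConnectionName = 'L2TPoverIPSec'   # destination name used in the walkthrough
$VpnServer      = '10.10.1.1'       # ethernet0/2 of device A
$PreSharedKey   = 'hillstone'       # PSK configured on the VPN peer "toclient"
$VpnUser        = 'user1'           # local user created on device A

# Recreate the connection so the settings below are the only ones in effect.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# L2TP tunnel, PSK-authenticated IPsec, PAP and CHAP allowed, PPP encryption
# optional: these match the Security tab settings in the Windows 7 steps.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $VpnServer `
                  -TunnelType L2tp `
                  -L2tpPsk $PreSharedKey `
                  -AuthenticationMethod Pap, Chap `
                  -EncryptionLevel Optional `
                  -Force

# Echo the stored settings so they can be compared with the walkthrough.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial the connection. The trailing "*" makes rasdial prompt for the password
# instead of leaving it in the script or the shell history.
rasdial $ConnectionName $VpnUser *

# Defender's check: an IPsec quick-mode SA to the VPN server must exist, otherwise
# the L2TP/PPP session (and the PAP/CHAP exchange) is not ESP-protected.
$sa = Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
      Where-Object { $_.RemoteEndpoint -eq $VpnServer }
if ($sa) {
    "IPsec SA established to $VpnServer; L2TP traffic is ESP-protected."
} else {
    "No IPsec SA to $VpnServer. Check the pre-shared key, NAT traversal on the peer, and the ProhibitIpSec registry value."
}
```

Optional encryption here refers only to PPP-level (MPPE) encryption; with the IPsec SA in place the whole L2TP payload, including the PAP or CHAP credentials, is already carried inside ESP. If the SA check fails, the PAP password would cross the network in the clear, which is why the check is worth running after every new connection profile.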

Adjusting Whether to Use IPSec for L2TP VPN

By default, Windows requires the L2TP VPN to use IPSec, so for the L2TP over IPSec VPN above you do not need to modify the system registry.

If IPSec has been disabled on the system, take the following steps to make the system use L2TP over IPSec:

Enable IPSec

  1. Select Start > Run.
  2. In Run, enter regedit.
  3. Click OK.
  4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters.
  5. In the right pane, find the entry ProhibitIPSec whose type is REG_DWORD.
  6. Double-click this entry and change the value in the Value data text box to 0.
    • 0 means that the system enables IPSec.
    • 1 means that the system disables IPSec.
  7. Save the modifications and restart the system.
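The same check and correction, scripted, as an added example that is not part of this cookbook: it reads the ProhibitIpSec value under the RasMan\Parameters key, reports what it means, and sets it back to 0 only when it is currently 1. The function names Get-ProhibitIpSec and Enable-L2tpIpsec are this example's own; the key path and value name are the ones from the registry steps above. It must run in an elevated session, and the reboot the walkthrough asks for is still required.

```powershell
# Added example: inspect and, if needed, reset the ProhibitIpSec registry value so
# that Windows negotiates IPsec for L2TP. Run as Administrator; reboot afterwards.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$ValueName = 'ProhibitIpSec'

function Get-ProhibitIpSec {
    # Returns the current DWORD, or $null when the value is absent.
    # An absent value behaves like 0: Windows uses IPsec for L2TP by default.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-L2tpIpsec {
    # Sets ProhibitIpSec to 0 when it is 1. Returns $true if a change was made
    # (a reboot is then needed), $false if IPsec was already enabled.
    $current = Get-ProhibitIpSec
    if ($null -eq $current -or $current -eq 0) {
        return $false
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
    return $true
}

# Report the state before touching anything.
$state = Get-ProhibitIpSec
if ($null -eq $state) {
    'ProhibitIpSec is not set: IPsec is enabled for L2TP (default).'
} elseif ($state -eq 0) {
    'ProhibitIpSec = 0: IPsec is enabled for L2TP.'
} else {
    "ProhibitIpSec = $state: IPsec is disabled; L2TP would run without ESP protection."
}

# Correct it if required and tell the operator a restart is pending.
if (Enable-L2tpIpsec) {
    'ProhibitIpSec set to 0. Restart the system for RasMan to pick up the change.'
}
```

Reading the value before writing it keeps the script idempotent, so it can be run as a routine check on client machines: an unexpected 1 on a host that never had IPsec deliberately disabled is worth investigating, because it silently downgrades every L2TP connection from that host.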