
Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN

This example shows how to use L2TP over IPSec VPN to give remote users (iOS/Android) access to the corporate internal network.

The topology is shown in the figure below. A remote user, at home or in a hotel, connects to the Internet over mobile 3G/4G or Wi-Fi. The user's device (iOS/Android) establishes an L2TP over IPSec VPN to reach the server (PC1) in the corporate internal network, which sits behind device A.

*Because this is a lab environment, 10.10.1.0/24 is used to represent the public network segment.

The configuration process consists of four parts:

  • Configure basic settings
  • Configure IPSec VPN
  • Configure L2TP VPN
  • Set up a VPN connection in iOS/Android

Configuring Basic Settings

In device A, configure the following settings:

Step 1: Configuring the interfaces

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/1.

  • Binding Zone: Layer 3 Zone
  • Zone: dmz
  • Type: Static IP
  • IP Address: 192.168.1.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring the interface connected to Internet

Select Network > Interface, and double-click ethernet0/2.

  • Binding Zone: Layer 3 Zone
  • Zone: untrust
  • Type: Static IP
  • IP Address: 10.10.1.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Configuring the tunnel interface

Select Network > Interface > New > Tunnel Interface.

  • Interface name: tunnel1
  • Binding Zone: Layer 3 Zone
  • Zone: trust
  • IP Address: 192.168.3.1
  • Netmask: 255.255.255.0
  • Keep the default of other parameters

Step 2: Configuring a security policy

Configure a security policy that allows traffic to flow from the trust zone, where the tunnel interface resides, to the dmz zone, where the internal server resides. Any/Any is used here to keep the example short; in production, restrict the destination address to the server and the service to the ports remote users actually need.

Select Policy > Security Policy > New.

  • Name: trust_to_dmz
  • Source
    • Zone: trust
    • Address: Any
  • Destination
    • Zone: dmz
    • Address: Any
  • Other
    • Service/Service Group: Any
  • Action: Permit

Configuring IPSec VPN

In device A, configure the following settings:

Step 1: Creating a P1 proposal and a P2 proposal

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

  • Proposal Name: p1forl2tp
  • Authentication: Pre-share
  • Hash: SHA
  • Encryption: 3DES
  • DH Group: Group2
  • Lifetime: 86400

3DES, SHA-1 and DH Group2 (1024-bit MODP) are legacy algorithms; they are used here for compatibility with the built-in L2TP/IPSec clients. Prefer AES and a stronger DH group wherever the client devices support them.

In the P2 Proposal tab, click New.

  • Proposal Name: p2forl2tp
  • Protocol: ESP
  • HASH: SHA
  • Encryption: 3DES, DES, AES
  • Compression: None
  • PFS Group: No PFS
  • Lifetime: 28800
  • Lifesize: Enable
    • Lifesize: 250000

DES (56-bit key) is listed only for compatibility with old clients; remove it from the P2 proposal unless such a client is still in use. The device accepts any algorithm listed in the proposal, so the weakest one listed sets the floor of what a client can negotiate.

Step 2: Configuring a VPN peer

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

  • Name: toclient
  • Interface: ethernet0/2
  • Mode: Main
  • Type: User Group
  • AAA Server: local
  • Proposal1: p1forl2tp
  • Pre-shared Key: hillstone

The pre-shared key shown is a lab value. Every remote user shares this one secret, so in production use a long random key and rotate it when a device is lost or a user leaves.

In the Advanced tab, configure the following settings:

  • NAT Traversal: Enable
  • Any Peer ID: Enable
  • Keep the default of other parameters

Step 3: Configuring IKE VPN

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

  • Peer
    • Peer Name: toclient
  • Tunnel
    • Name: toclienttunnel
    • Mode: transport
    • P2 proposal: p2forl2tp

In the Advanced tab, configure the following settings:

  • Accept-all-proxy-ID: Enable
  • Keep the default of other parameters
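
The P1 settings above define what device A accepts in IKEv1 Phase 1 (Main Mode). The following Python script is an added example, not Hillstone code: it encodes p1forl2tp as an ISAKMP transform payload in the on-wire format of RFC 2408/2409, decodes such a payload back into the names used in the GUI, and shows why a client must offer a matching transform. The select_transform function is a simplified stand-in for the responder's choice, not the device's real negotiation logic, and the client offer it uses is constructed.

```python
"""Encode, decode and match IKEv1 Phase 1 transforms (RFC 2408/2409).

Added example for the p1forl2tp proposal; not Hillstone code, and
select_transform does not claim to reproduce the device's negotiation.
"""
import struct

# Attribute classes and values from RFC 2409 Appendix A.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION, ATTR_KEY_LENGTH = 11, 12, 14
LIFE_SECONDS = 1
ENC = {"DES": 1, "3DES": 5, "AES": 7}
HASH = {"MD5": 1, "SHA": 2}
AUTH = {"Pre-share": 1, "RSA-sig": 3}
GROUP = {"Group1": 1, "Group2": 2, "Group5": 5, "Group14": 14}

# The device-side proposal configured in the P1 Proposal tab.
P1FORL2TP = {"encryption": "3DES", "hash": "SHA", "authentication": "Pre-share",
             "dh_group": "Group2", "lifetime": 86400}


def _attr(atype, value):
    """One transform attribute: TV form (type with bit 15 set, 16-bit value)
    when the value fits, else TLV form (type, 16-bit length, big-endian value)."""
    if value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | atype, value)
    body = value.to_bytes(4, "big")
    return struct.pack("!HH", atype, len(body)) + body


def encode_transform(number, proposal):
    """Transform payload: 8-byte header (next payload, reserved, length,
    transform #, transform ID 1 = KEY_IKE, reserved) followed by attributes."""
    attrs = _attr(ATTR_ENC, ENC[proposal["encryption"]])
    if proposal["encryption"] == "AES":  # AES needs an explicit key length
        attrs += _attr(ATTR_KEY_LENGTH, proposal.get("key_length", 128))
    attrs += _attr(ATTR_HASH, HASH[proposal["hash"]])
    attrs += _attr(ATTR_AUTH, AUTH[proposal["authentication"]])
    attrs += _attr(ATTR_GROUP, GROUP[proposal["dh_group"]])
    attrs += _attr(ATTR_LIFE_TYPE, LIFE_SECONDS)
    attrs += _attr(ATTR_LIFE_DURATION, proposal["lifetime"])
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), number, 1, 0) + attrs


def decode_transform(data):
    """Parse one transform payload into (transform number, {attr class: value})."""
    _, _, length, number, transform_id, _ = struct.unpack("!BBHBBH", data[:8])
    if transform_id != 1:
        raise ValueError("not a KEY_IKE transform")
    attrs, pos = {}, 8
    while pos < length:
        atype, val = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if atype & 0x8000:          # TV: val is the attribute value
            attrs[atype & 0x7FFF] = val
        else:                       # TLV: val is the length of the value that follows
            attrs[atype] = int.from_bytes(data[pos:pos + val], "big")
            pos += val
    return number, attrs


def _names(table):
    return {v: k for k, v in table.items()}


def describe(attrs):
    """Map numeric attribute values back to the names used in the GUI."""
    return {"encryption": _names(ENC).get(attrs.get(ATTR_ENC), "unknown"),
            "hash": _names(HASH).get(attrs.get(ATTR_HASH), "unknown"),
            "authentication": _names(AUTH).get(attrs.get(ATTR_AUTH), "unknown"),
            "dh_group": _names(GROUP).get(attrs.get(ATTR_GROUP), "unknown"),
            "lifetime": attrs.get(ATTR_LIFE_DURATION)}


def select_transform(device_proposals, client_transforms):
    """Simplified responder choice: the first client transform whose algorithms
    equal a device proposal. Lifetime is deliberately not compared: IKEv1 lets
    the responder impose its own, shorter lifetime (RESPONDER-LIFETIME notify)."""
    keys = ("encryption", "hash", "authentication", "dh_group")
    for blob in client_transforms:
        number, attrs = decode_transform(blob)
        offered = describe(attrs)
        for prop in device_proposals:
            if all(offered[k] == prop[k] for k in keys):
                return number
    return None


if __name__ == "__main__":
    # Constructed client offer: a phone proposing AES-256/SHA first, 3DES/SHA second.
    client = [encode_transform(1, {"encryption": "AES", "key_length": 256, "hash": "SHA",
                                   "authentication": "Pre-share", "dh_group": "Group2",
                                   "lifetime": 3600}),
              encode_transform(2, P1FORL2TP)]
    print("p1forl2tp on the wire:", encode_transform(1, P1FORL2TP).hex())
    print("selected client transform:", select_transform([P1FORL2TP], client))
```

When a phone fails to connect, capturing UDP 500 on ethernet0/2 and feeding the client's transform payloads to decode_transform shows at once whether it offers 3DES/SHA/Pre-share/Group2 at all; if none of its transforms matches, Phase 1 never completes and the responder answers with a NO-PROPOSAL-CHOSEN notification.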

Configuring L2TP VPN

In device A, configure the following settings:

Step 1: Creating an L2TP address pool

Select Network > VPN > L2TP VPN > Address Pool.

In the Address Pool dialog, click New.

  • Address Pool Name: pool1
  • Start IP: 192.168.3.2
  • End IP: 192.168.3.100

Step 2: Adding a user to the 'local' AAA server

Select Object > User > Local User > New > User.

  • Name: user1
  • Password: hillstone
  • Confirm Password: hillstone

Step 3: Configuring an L2TP VPN instance

Select Network > VPN > L2TP VPN > New.

In the Name/Access User tab, configure the following settings:

  • L2TP VPN Name: l2tpinstance1
  • AAA Server: local
  • Click Add

In the Interface/Address Pool/IPSec Tunnel tab, configure the following settings:

  • Egress Interface: ethernet0/2
  • Tunnel Interface: tunnel1
  • Address Pool: pool1
  • L2TP over IPSec: toclienttunnel


Setting Up a VPN Connection in iOS/Android

iOS 10 and Android 7 are used as examples.

Setting up a VPN connection in iOS 10 (before configuring your iPhone, make sure it can access the Internet normally):

Open the VPN configuration page:

  1. On your iPhone, select Settings > General.
  2. Scroll down and tap VPN.
  3. Tap Add VPN Configuration…

Configure the VPN properties:

  1. On the Add Configuration page, enter the following:

    • Type: select L2TP.
    • Description: L2TP over IPSec, a custom name that identifies the connection.
    • Server: 10.10.1.1
    • Account: user1, the login account added to the local AAA server.
    • Password: hillstone, the password of that account.
    • Secret: hillstone, the pre-shared key.

  2. Tap Done in the top right corner.

Enable the VPN and connect:

  1. Select the configured VPN: L2TP over IPSec.
  2. Toggle the Status switch on.
  3. Once connected, the status shows Connected and a VPN icon appears at the top of the screen.
  4. You can now access the internal server at 192.168.1.2.
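
In larger deployments the same iOS settings are pushed as a configuration profile rather than typed in by each user. The following Python script is an added example, not part of the original cookbook or Hillstone's tooling: it generates a .mobileconfig carrying a com.apple.vpn.managed payload, using the payload keys from Apple's Configuration Profile Reference, for the connection configured above. The payload identifier com.example.vpn.l2tp and the choice to embed the account password are assumptions; leave AuthPassword out to have iOS prompt for the password instead.

```python
"""Generate an iOS configuration profile (.mobileconfig) for an L2TP over IPSec VPN.

Added example; payload keys follow Apple's Configuration Profile Reference
(com.apple.vpn.managed). Identifier and password embedding are assumptions.
"""
import plistlib
import uuid


def build_l2tp_profile(name, server, account, password, shared_secret,
                       identifier="com.example.vpn.l2tp", send_all_traffic=True):
    """Return the profile as XML plist bytes. The fields correspond to the
    manual Settings > General > VPN > Add VPN Configuration entry."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,               # "Description" in the Settings UI
        "VPNType": "L2TP",
        "OverridePrimary": send_all_traffic,   # route all traffic through the tunnel
        "PPP": {
            "CommRemoteAddress": server,       # "Server"
            "AuthName": account,               # "Account"
            "AuthPassword": password,          # assumption: embedded; omit to prompt
        },
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret.encode(),  # "Secret"; serialised as <data>
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,       # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def load_vpn_settings(profile_bytes):
    """Parse a profile back into the fields a user would otherwise type in,
    useful for checking a profile before it is distributed."""
    vpn = plistlib.loads(profile_bytes)["PayloadContent"][0]
    return {"type": vpn["VPNType"],
            "server": vpn["PPP"]["CommRemoteAddress"],
            "account": vpn["PPP"]["AuthName"],
            "secret": vpn["IPSec"]["SharedSecret"].decode()}


if __name__ == "__main__":
    # Values from the example above: device A's public address, user1 and the lab PSK.
    data = build_l2tp_profile("L2TP over IPSec", "10.10.1.1", "user1",
                              "hillstone", "hillstone")
    with open("l2tp-over-ipsec.mobileconfig", "wb") as f:
        f.write(data)
    print(load_vpn_settings(data))
```

Installing the profile creates the same VPN entry as the manual steps. The file contains the pre-shared key and, if embedded, the user's password in cleartext, so treat it as a credential: distribute it through MDM or sign it, and never post it on a shared drive.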


Setting up a VPN connection in Android 7 (before configuring your Android phone, make sure it can access the Internet normally):

Open the VPN configuration page:

  1. On your Android phone, select Settings > VPN.
  2. Tap Add VPN at the bottom of the screen.

Configure the VPN properties:

  1. On the Add VPN page, enter the following:

    • Name: L2TP over IPSec, a custom name that identifies the connection.
    • Type: select L2TP/IPSec PSK from the drop-down list.
    • Server address: 10.10.1.1
    • IPSec pre-shared key: hillstone
    • Account: user1, the login account added to the local AAA server.
    • Password: hillstone, the password of that account.

  2. Tap OK in the top right corner.

Enable the VPN and connect:

  1. Select the configured VPN: L2TP over IPSec.
  2. Tap the profile and connect.
  3. Once connected, the status shows Connected and a VPN icon appears at the top of the screen.
  4. You can now access the internal server at 192.168.1.2.