Creating an L2TP Roadwarrior Connection
Note: This topic applies to the Hearst Release.
Note: A Unified Threat Management serial is required to configure VPNs. For more information, contact your Smoothwall representative.
L2TP connections have the following features:
| | All connections share the same, globally specified subnet |
| | Mostly supported by Microsoft operating systems |
| | Very easy to configure |
Configuring an L2TP Roadwarrior Connection
Typically, you create a separate connection for each roadwarrior on your network.
To create an external L2TP roadwarrior connection, do the following:
| 1. | Create a certificate for each roadwarrior user — Managing Certificates . Typically, the certificate includes the user’s email address as the ID type. |
| 2. | If preshared key authentication is required for this VPN, go to Network > VPN > Global, else skip to step 5. |
| 3. | From the IPSec Road Warrior (and L2TP) Preshared Key panel, configure the following: |
| • | Preshared Key — Enter the key required for authentication. |
| • | Again — Re-enter the preshared key. Do not copy and paste from the previous field. |
| 4. | Click Save. |
| 5. | Go to Network > VPN > Global. |
| 6. | Scroll down to the L2TP and SSL VPN client configuration settings panel. |
| 7. | Configure the following: |
| • | Primary DNS — Configure the primary DNS gateway for all connected L2TP roadwarriors to use. |
| • | Secondary DNS — Configure the secondary DNS gateway for all connected L2TP roadwarriors to use. |
| • | Primary WINS — If required, configure the primary Windows Internet Name Service (WINS) for all connected L2TP roadwarriors to use. |
| • | Secondary WINS — If required, configure the secondary WINS for all connected L2TP roadwarriors to use. |
| 8. | Scroll down to the L2TP settings panel. |
| 9. | Configure the following: |
| • | L2TP client internal interface — From the drop-down list, select the internal network interface that all L2TP roadwarriors are connected to. |
| 10. | Click Save. |
| 11. | Go to Network > VPN > L2TP roadwarriors. |
| 12. | Configure the following: |
| • | Name — Configure a meaningful name for this roadwarrior connection. |
| • | Enabled — New connections are enabled by default. Clear the check box to create a disabled connection. |
| • | Local IP — From the drop-down list, select the local IP address that the tunnel connects to. Typically, this is one of your external IP addresses, though it is possible to select a Basic interface to create an internal tunnel. |
| • | Client IP — Enter a valid client IP address for this roadwarrior tunnel. |
| • | Username — Enter the username required for access to this roadwarrior tunnel. |
| • | Password — Enter the password required for access to this roadwarrior tunnel. |
| • | Again — Re-enter the password. Do not copy and paste it from Password. |
| • | Authenticate by — From the drop-down list, select the authentication method: |
|
Authentication Method |
Description |
|
Certificate presented by peer |
Use a certificate created by a different Certificate Authority. Authenticating by a named certificate is recommended for easier management. |
|
Preshared key |
Use the global preshared key defined in step 3. |
| • | L2TP client OS — From the drop-down list, select the L2TP client’s operating system. Valid values are: Microsoft, Android or iOS. |
| • | Comment — Configure an optional comment for this VPN. |
| 13. | Click Advanced. |
| 14. | Configure the following: |
| • | Local certificate — If non-standard X509 authentication is used for this VPN, choose the local certificate from the drop-down list. For more information, see Using Multiple Local Certificates . |
| 15. | Click Add. |
Example iPhone-Compatible Tunnel Configuration
The Smoothwall enables you to configure iPhone-compatible tunnels. Configuring an iPhone-compatible tunnel entails:
| | setting a preshared key and configuring DNS and interface settings on the Network > VPN > Global page |
| | creating the tunnel on the Network > VPN > L2TP roadwarriors page. |
Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP roadwarriors, must use the same authentication method, and, in the case of PSK, the same secret.
In practice, this means that if you want to create a tunnel between an iPhone-compatible device and the Smoothwall, you must:
not have any L2TP or IPSec roadwarriors, as they use certificates for authentication
not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown, remote IPs but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone-compatible device.
To configure an iPhone-compatible tunnel:
| 1. | On the Network > VPN > Global page, configure the following settings: |
|
Setting |
Description |
|
IPSec Road Warrior (and L2TP) Preshared Key |
Preshared key – Enter a strong password which contains more than 6 characters. Again – Re-enter the password to confirm it. |
|
L2TP and SSL VPN client configuration settings |
Enter the primary and secondary DNS settings. |
| 2. | Click Save. |
| 3. | Go to the Network > VPN > L2TP roadwarriors page and configure the following settings: |
|
Setting |
Description |
|
Name |
Enter a descriptive name for the tunnel. For example: CEO's iPhone. |
|
Enabled |
Select to activate the tunnel once it has been added. |
|
Local IP |
Select the external IP address to use for this tunnel. |
|
Client IP |
Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network. |
|
Username |
Enter a username for this connection. |
|
Password |
Enter a password for the tunnel. |
|
Again |
Re-enter the password to confirm it. |
|
Comment |
Optionally, enter a description of the tunnel. |
|
Authenticate by |
Preshared key (iPhone compatible) – Select this option to use the preshared key entered in step 1. |
|
L2TP client OS |
From the drop-down list, select Apple (iPhone compatible). |
| 4. | Click Add. The Smoothwall creates the tunnel and lists it in the Current tunnels area. |
| 5. | On the iPhone-compatible device, go to Settings > General > Network > VPN. |
| 6. | Select Add VPN Configuration and configure the following settings: |
|
Setting |
Description |
|
Description |
Enter a description for the tunnel. |
|
Server |
Enter the Smoothwall’s external IP address. |
|
Account |
Enter the username as entered in step 3. |
|
RSA SecurID |
Set to OFF. |
|
Password |
Enter the password as entered in step 3. |
|
Secret |
Enter the PSK as configured in step 1. |
|
Send All Traffic |
Set to ON on for routing to other VPNs. |
|
Proxy |
Set to OFF. |
| 7. | Select Save to save the tunnel configuration. The tunnel is now ready for use. |
Secure Internal Networking
An internal VPN capability can be useful in many situations, a few examples of typical scenarios are given below:
| | Secure wireless access – Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization’s internal network. The Smoothwall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource. |
| | Hidden network access – It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network. |
There is no complicated configuration process for creating such internal VPNs, the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as its interface.
To create an internal L2TP VPN connection:
| 1. | Go to the Network > VPN > Global page. |
| 2. | In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface. |
| 3. | For further VPN settings, optionally, click Advanced at the bottom of the page. |
| 4. | From the Advanced panel, configure the following: |
| • | Enable NAT-Traversal — NAT-T is enabled by default and allows IPSec clients to connect from behind NAT-ing devices. |
In some advanced and unusual situations, however, this feature may prevent connections, therefore, NAT-T can be disabled.
| • | Enable Dead Peer Detection — Used to activate a keep-alive mechanism on tunnels that support it. |
This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page.
If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default.
In setups consisting exclusively of Smoothwall VPN gateways, it is recommended that this feature is enabled.
| • | Copy TOS (Type Of Service) bits in and out of tunnels — When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping rules within Traffic and traffic shape them. |
If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note that there is a theoretical possibility that enabling this setting can be used to spy on traffic
| 5. | Click Save. |
Note: We recommend you limit any zone bridging from the nominated interface to other interfaces.
Tunnels connecting to the nominated additional interface are assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region.
If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.
| 6. | Create a certificate for the L2TP client — see Managing Certificates . |
| 7. | Go to Network > VPN > L2TP roadwarriors. |
| 8. | From the Create new tunnel panel, configure the following: |
| • | Name — Configure a meaningful name for this tunnel. |
| • | Enabled — New tunnels are enabled by default. Clear the check box to create a disabled tunnel. |
| • | Local IP — Select the external IP address to use for this tunnel. |
| • | Client IP — Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network. |
| • | Username — Enter a username for this connection. |
| • | Password — Enter a password for the connection. |
| • | Again — Re-enter the password to confirm it. |
| • | Authenticate by — To dedicate this connection to a specific user, choose the user’s certificate from the drop-down list. |
To allow any valid certificate holder to use this tunnel, choose Certificate presented by peer.
If your organization anticipates supporting many roadwarrior connections, authenticating by a specific certificate is recommended for ease of management.
| • | L2TP client OS — From the drop-down list, select the L2TP client's operating system. |
| • | Comment — Enter an optional description of the tunnel. |
| 9. | Click Advanced and, from the Local certificate drop-down list, select Default. |
| 10. | Click Add. The Smoothwall lists the tunnel in the Current tunnels area. |
To configure client access to the L2TP tunnel, see Using the Smoothwall L2TP Client .
Using the Smoothwall L2TP Client
To connect to an L2TP tunnel, a roadwarrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle.
The first step in the connection process is to run the L2TP Client Wizard.
Note:
To install the L2TP client:
| 1. | Run the L2TP Client Wizard on the roadwarrior system. |
| 2. | View the license and click Next to agree to it. |
| 3. | Click Browse and open the Certificate Authority certificate file as exported during the certificate creation process. Click Next. |
| 4. | Click Go to locate and select the roadwarrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next. |
| 5. | Ensure that the Launch New Connection Wizard option is selected and click Install. |
| 6. | The wizard install the certificates. Click Finish. The Microsoft New Connection Wizard is launched. |
| 7. | Click Next. |
| 8. | Select Connect to the network at my workplace and click Next. |
| 9. | Select Virtual Private Network connection and click Next. |
| 10. | Enter a name for the connection and click Next. |
| 11. | Enter the Smoothwall’s host name or IP address and click Next. |
| 12. | Click Finish. |
| 13. | In the Connect window, enter the username and password of the roadwarrior and click Connect. Ensure that the tunnel is enabled. |
Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500, UDP port 4500, and ESP should flow from the roadwarrior when using a Smoothwall L2TP over an IPSEC connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.