L2TP - Connections

Layer Two Tunneling Protocol (L2TP) is easy to use, but on its own it only tunnels PPP frames and provides no encryption or integrity protection. It is therefore normally run over IPSec, which supplies the confidentiality and authentication; a plain L2TP tunnel exposes everything inside it, including PPP login credentials, to anyone on the path.

Add connection - press this button to create a new, empty connection. Configure the connection before usage.

Configured connections

Name/comment - descriptive note used for easier future references.
Remote gateway - global IP address of peer to connect to, or "0.0.0.0" to allow connection from any address.
Direction:
Initiator = VPN client: this unit shall initiate VPN connection as soon as power is turned on, or manually.
Responder = VPN server: this unit shall listen and wait for remote peers to connect to it.
Initiator and responder = both: this unit tries to initiate a VPN connection to the remote peer, but also answers if that remote peer happens to initiate a connection first.

User - Login name of user that uses this connection.










L2TP - VPN connection settings

Name/comment - descriptive note used for easier future references.

Enable this connection - remove mark to temporarily disable a connection without deleting it.
Act as:
Initiator = VPN client: this unit shall initiate VPN connection as soon as power is turned on, or manually.
Responder = VPN server: this unit shall listen and wait for remote peers to connect to it.
Initiator and responder = both: this unit tries to initiate a VPN connection to the remote peer, but also answers if that remote peer happens to initiate a connection first.

LAC/LNS mode - The role of a gateway is either LAC (L2TP Access Concentrator) or LNS (L2TP Network Server) and must be the opposite of the remote peer's setting:
normal (recommended) lets an initiator take the LAC role and a responder the LNS role.
inverted may be necessary with certain types of remote gateways; try it if "normal" doesn't work.

Remote gateway IP address - global IP address of peer to connect to, or "0.0.0.0" to allow connection from any address.


Initiator settings

User name / Password - Identification used when connecting to remote peer. Not used when "Act as" is set to "Responder".
Authentication type - Protocol used for user authentication.
Can be none, PAP (Password Authentication Protocol), CHAP (Challenge-Handshake Authentication Protocol) or both (recommended). CHAP is more secure than PAP: PAP sends the password in clear text inside the PPP frame, while CHAP only sends a hash of the password and a server-chosen challenge. Note that "both" lets the peer negotiate PAP, so if both ends support CHAP, selecting CHAP alone is the safer choice, and with IPSec disabled PAP credentials are readable on the wire.
Connect automatically - Mark checkbox (default) to establish L2TP connection automatically when WAN is connected. If unmarked you must manually go to L2TP status page and click "Connect" to establish connection.


Responder settings

User name / Password - Identification remote peer must use when connecting to this unit. Not used when "Act as" is set to "Initiator".
Authentication type - Protocol used for user authentication.
Can be none, PAP (Password Authentication Protocol), CHAP (Challenge-Handshake Authentication Protocol) or both (recommended). CHAP is more secure than PAP for the same reasons as on the initiator side; "both" accepts whichever the client proposes, so a client may still log in with clear-text PAP.
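The difference between PAP and CHAP described for the Initiator and Responder "Authentication type" settings above, as an added Python illustration (not code from this gateway). It builds the PAP Authenticate-Request from RFC 1334, the MD5 CHAP response from RFC 1994, and shows the caveat a practitioner should keep in mind: a captured CHAP challenge/response pair still permits offline password guessing, which is why the L2TP tunnel is normally protected by IPSec. The user name, secret and challenge are made up.

```python
"""PAP versus CHAP on the PPP link inside the L2TP tunnel.

Added illustration, not code from the gateway. PAP is RFC 1334, CHAP (MD5) is
RFC 1994; the user name, secret and challenge used below are constructed.
"""
import hashlib
import hmac


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    Nothing is hashed; whoever sees the PPP frame sees the password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value = MD5(Identifier || secret || Challenge) (RFC 1994, section 2).
    The secret itself never leaves the host; only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """What the authenticator does: recompute the value from its own copy of the secret
    and compare. The authenticator therefore has to store the secret itself, not a
    one-way hash of it."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """Caveat: an eavesdropper who captured the Challenge and the Response can test
    password guesses offline at full speed. Over plain L2TP both are visible on the
    wire; IPSec is what keeps them private. Returns the matching guess or None."""
    for guess in candidates:
        if chap_verify(identifier, guess, challenge, response):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real session.
    challenge = bytes.fromhex("5f1a9c0b3e7d4a6c8b2f0e1d9a3c5b7e")
    print("PAP on the wire:", pap_authenticate_request(b"branch-office", b"hunter2"))
    resp = chap_response(0x2A, b"hunter2", challenge)
    print("CHAP response:", resp.hex(), "verified:", chap_verify(0x2A, b"hunter2", challenge, resp))
    print("offline guess:", chap_offline_guess(0x2A, challenge, resp, [b"password", b"hunter2"]))
```

Running the block prints the PAP request with the password readable in it, the CHAP digest, and the weak password recovered from a short candidate list; a long random PPP password makes the last step impractical, and IPSec makes the capture itself impossible.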


Remote Network - IP and mask describing the network behind the peer at the other end of the VPN connection - the LAN you want to reach. Leave blank if the remote peer is a single computer (like Windows VPN client).


L2TP over IPSec settings

Enable L2TP over IPSec - Normally (and for Windows VPN clients) L2TP is run on top of the IPSec protocol. Uncheck this if you want a "clean" L2TP without IPSec, in which case none of the settings in this grey box have any effect. Be aware that without IPSec the tunnel is not encrypted or authenticated: the PPP login (a PAP password in clear text, or a CHAP challenge/response pair that can be attacked offline) and all tunneled traffic are readable by anyone on the path.

Identities:
Id type - This gateway can identify itself either by its IP address or by some field of its certificate. Domain name, E-mail (user DN) and ASN.1 Dist. name are different fields of a certificate. The selected ID type must correspond to what the peer expects to see: ASN.1 Distinguished name is the most common when using certificates, IP address otherwise. The same applies to the ID type of the remote gateway; a mismatch between the ID type and the actual ID contents is a common cause of phase 1 failures.
Certificate - If certificates shall be used for identification, select the one to be used from the list of available certificates.
Id if no certificate - If "none" was selected as certificate, enter the ID here instead. If "IP address" was selected as ID type enter a global IP address, or leave this field empty to automatically use your unit's own global IP address. For the remote gateway ID, if ID type is "IP address", an empty field or "0.0.0.0" accepts all IP addresses.


Key exchange (IKE)
If connecting to Windows clients, use the default settings below. Only the authentication mode and pre-shared key may have to be set.

IKE phase1 mode - During the initial security association establishment, one can select between Main mode (more secure, requires two more message exchanges, protects the identities) and Aggressive mode (faster but less secure: the identities are sent unencrypted, and with pre-shared key authentication the responder's authentication hash is also sent unencrypted, so an eavesdropper can guess the pre-shared key offline). Prefer Main mode unless the remote peer requires Aggressive mode, and if Aggressive mode is unavoidable use a long random pre-shared key.

Authentication
Mode - RSA or DSS signatures are used with certificates, pre-shared key otherwise.
Algorithm - Algorithm used to hash the authentication information. SHA1 is the safer choice and should be used whenever the peer supports it; MD5 is still widely deployed but is a weak hash and should only be selected for interoperability with legacy peers.
DH group - The Diffie-Hellman group to be used for this preference. The choices available are listed in increasing security but decreasing performance order in the dropdown list.

Encryption Algorithm - Algorithm used to encrypt the exchange of the randomly generated encryption keys to be used in the connections for data-traffic. The choices available are listed in increasing security but decreasing performance order in the dropdown list.

Life time - A new IKE key exchange is performed after the specified time has passed.

Pre-shared key - if "Pre-shared key" was selected in Authentication Mode: at least 16 preferably random characters, not known by anyone else but you and the remote gateway. The key is the only secret protecting phase 1, so do not derive it from a word or a site name; this matters most in Aggressive mode, where the key can be tested offline against captured traffic.
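Why the "IKE phase1 mode" and "Pre-shared key" settings above go together, as an added Python illustration (not code from this gateway). It applies the RFC 2409 formulas SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), where prf is HMAC with the negotiated hash. In Aggressive mode every input except the PSK is sent unencrypted (in Main mode HASH_R is sent encrypted, so the same attack does not apply), which is what lets a passive observer test PSK guesses offline. The packet fields are deterministic placeholders standing in for what would be read from a capture; no real trace is used.

```python
"""Offline PSK guessing against an IKEv1 aggressive-mode exchange.

Added illustration, not code from the gateway. Formulas are from RFC 2409:
  SKEYID = prf(PSK, Ni_b | Nr_b)
  HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
with prf = HMAC of the negotiated hash (MD5 or SHA1 on this page). The
"capture" below is built from placeholder bytes, not from a real packet trace.
"""
import hashlib
import hmac


def skeyid(psk: bytes, ni: bytes, nr: bytes, hashname: str) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409, section 5.4)."""
    return hmac.new(psk, ni + nr, hashname).digest()


def hash_r(psk: bytes, cap: dict, hashname: str) -> bytes:
    """HASH_R as the responder computes it; every input but the PSK is in cap."""
    key = skeyid(psk, cap["ni"], cap["nr"], hashname)
    msg = (cap["g_xr"] + cap["g_xi"] + cap["cky_r"] + cap["cky_i"]
           + cap["sai_b"] + cap["idir_b"])
    return hmac.new(key, msg, hashname).digest()


def _placeholder(label: str, length: int) -> bytes:
    """Deterministic filler standing in for bytes read from the packets (constructed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label.encode() + bytes([counter])).digest()
        counter += 1
    return out[:length]


def build_capture(psk: bytes, hashname: str = "sha1") -> dict:
    """Constructed stand-in for what an eavesdropper sees of an aggressive-mode exchange.
    The PSK is only used here to produce the HASH_R the responder would have sent."""
    cap = {
        "g_xi": _placeholder("initiator KE payload", 128),   # DH group 2 public value
        "g_xr": _placeholder("responder KE payload", 128),
        "cky_i": _placeholder("initiator cookie", 8),
        "cky_r": _placeholder("responder cookie", 8),
        "sai_b": _placeholder("SA payload body", 48),        # proposal the initiator offered
        # ID payload body: type ID_IPV4_ADDR (1), protocol 0, port 0, then the address
        "idir_b": bytes([1, 0, 0, 0]) + bytes([203, 0, 113, 1]),   # 203.0.113.1 (doc range)
        "ni": _placeholder("initiator nonce", 20),
        "nr": _placeholder("responder nonce", 20),
    }
    cap["hash_r"] = hash_r(psk, cap, hashname)   # sent unencrypted in aggressive mode
    return cap


def crack_psk(cap: dict, candidates, hashname: str = "sha1"):
    """Test each candidate PSK against the captured HASH_R; None if no candidate matches."""
    target = cap["hash_r"]
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess, cap, hashname), target):
            return guess
    return None


if __name__ == "__main__":
    wordlist = [b"admin", b"vpn", b"secret123", b"changeme"]
    print("weak PSK found:", crack_psk(build_capture(b"secret123"), wordlist))
    print("strong PSK found:", crack_psk(build_capture(b"Qz8#vL2m!pXw9Rt@k7Hd"), wordlist))
```

The wordlist lookup succeeds against the dictionary-word key and fails against the 20-character random one; with a real capture the only difference is that the candidate list is a large dictionary, which is why the pre-shared key should be random and at least 16 characters, and why Main mode is preferred.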


Security algorithms (IPSec)

Authentication - can use the AH (Authentication Header) or ESP (Encapsulating Security Payload) protocol.
AH cannot be used if any of ESP authentication or encryption is used. SHA1 is the safer hash choice; MD5 is still widely deployed but weak and should only be selected for interoperability with legacy peers.
Encryption - (optional but strongly recommended) always uses the ESP protocol. Without ESP encryption the L2TP and PPP payloads, including PAP passwords, travel in clear text even though IPSec is enabled. The choices available are listed in increasing security but decreasing performance order in the dropdown list.
Life time - New IPSec (phase 2) keys are negotiated after the specified time has passed or the specified kilobytes of data have been transferred, whichever occurs first.


L2TP tunnel advanced settings

Local PPP virtual interface - The connection uses a virtual PPP (Point-to-Point Protocol) interface with the specified IP address and mask.
NOTE: The virtual interface must be on a unique subnet not used by any of the other interfaces!
Remote PPP virtual interface - The virtual interface on the remote peer. Not used when "Act as" is set to "Initiator".
Inactivity time - Disconnect if no traffic is exchanged within this time.
Keep alive time - Send keep-alive (dummy) packets to the remote peer with this interval to avoid disconnection due to inactivity.
TCP MSS (Maximum Segment Size) adjustment - A correct MSS avoids fragmentation of the encapsulated packets, which improves performance and reliability (fragments are often dropped by intermediate firewalls). It is recommended to enable it and leave the MSS value empty, allowing the unit to pick an automatic value suitable for most cases.
If TCP MSS adjustment is not enabled you may need to configure the MSS (or a lower MTU) manually on the hosts that use this tunnel.



NOTE! Press "Save" after your settings!

Copy - Copy current settings into a temporary clipboard memory.
Paste - Retrieve settings previously copied into the temporary clipboard memory.