L2TP over IPsec
This is an example of L2TP over IPsec.
This example uses a locally defined user for authentication, a Windows PC or Android tablet as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same NAT device.
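The net-device behaviour described above can be checked in a saved configuration. The following added example (not Fortinet's code) parses FortiOS CLI text and lists dynamic phase1-interface entries where net-device is not set to enable; the sample configuration is constructed, and treating a missing net-device line as not enabled is an assumption of this example.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; entry names other than
# "L2tpoIPsec" are made up for this example.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "L2tpoIPsec"
        set type dynamic
        set net-device enable
    next
    edit "legacy-l2tp"
        set type dynamic
        set net-device disable
    next
    edit "branch-static"
        set type static
    next
end
"""

def parse_section(text, section):
    """Return {entry: {key: value}} for one top-level 'config <section>' block."""
    entries, current, depth = {}, None, 0
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:          # unbalanced quote in a damaged line
            tokens = raw.split()
        if not tokens:
            continue
        word = tokens[0]
        if word == "config":
            if depth or " ".join(tokens[1:]) == section:
                depth += 1          # depth > 1 means a nested sub-table
        elif word == "end" and depth:
            depth -= 1
        elif depth == 1 and word == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif depth == 1 and word == "next":
            current = None
        elif depth == 1 and word == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = " ".join(tokens[2:])
    return entries

def dialup_without_net_device(text):
    """Dynamic phase1 entries whose net-device is not 'enable' (missing line
    counts as not enabled: an assumption of this example)."""
    p1 = parse_section(text, "vpn ipsec phase1-interface")
    return sorted(name for name, s in p1.items()
                  if s.get("type") == "dynamic" and s.get("net-device") != "enable")
```

Calling `dialup_without_net_device(SAMPLE_CONFIG)` returns the entries where only one L2TP over IPsec client behind a given NAT device would be able to connect.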
To configure L2TP over an IPsec tunnel using the GUI:
- Go to VPN > IPsec Wizard.
- Enter a VPN Name. In this example, L2tpoIPsec.
- Configure the following settings for VPN Setup:
  - For Template Type, select Remote Access.
  - For Remote Device Type, select Native and Windows Native.
  - Click Next.
- Configure the following settings for Authentication:
  - For Incoming Interface, select port9.
  - For Authentication Method, select Pre-shared Key.
  - In the Pre-shared Key field, enter your-psk as the key.
  - For User Group, select L2tpusergroup.
  - Click Next.
- Configure the following settings for Policy & Routing:
  - From the Local Interface dropdown menu, select port10.
  - Configure the Local Address as 172.16.101.0.
  - Configure the Client Address Range as 10.10.10.1-10.10.10.100.
  - Leave the Subnet Mask at its default value.
  - Click Create.
To configure L2TP over an IPsec tunnel using the CLI:
- Configure the WAN interface and static route on HQ.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end
- Configure IPsec phase1-interface and phase2-interface on HQ.
    config vpn ipsec phase1-interface
        edit "L2tpoIPsec"
            set type dynamic
            set interface "