L2TP over IPsec

This is an example of L2TP over IPsec.

This example uses a locally defined user for authentication and a Windows PC or Android tablet as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel from behind the same NAT device.

To configure L2TP over an IPsec tunnel using the GUI:
  1. Go to VPN > IPsec Wizard.
  2. Enter a VPN Name. In this example, L2tpoIPsec.
  3. Configure the following settings for VPN Setup:
    1. For Template Type, select Remote Access.
    2. For Remote Device Type, select Native and Windows Native.
    3. Click Next.
  4. Configure the following settings for Authentication:
    1. For Incoming Interface, select port9.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. For User Group, select L2tpusergroup.
    5. Click Next.
  5. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select port10.
    2. Configure the Local Address as 172.16.101.0.
    3. Configure the Client Address Range as 10.10.10.1-10.10.10.100.
    4. Leave the Subnet Mask at its default value.
    5. Click Create.
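The net-device caveat above is easy to miss in a long configuration dump. The following audit check is an added example, not part of the Fortinet documentation: it parses FortiOS CLI output (config/edit/set/next/end blocks) and lists dial-up phase1-interface tunnels that do not have net-device enabled. The sample configuration is constructed, and the second tunnel name, the interface and its settings are assumptions.

```python
# Constructed sample of FortiOS CLI output (not from the page): two dial-up
# (type dynamic) phase1-interface entries, one with net-device enabled and
# one without. Names and settings are assumed for illustration.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "L2tpoIPsec"
        set type dynamic
        set interface "port9"
        set net-device enable
    next
    edit "LegacyDialup"
        set type dynamic
        set interface "port9"
        set net-device disable
    next
end
"""


def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into
    {section: {entry: {key: value}}}. Nested sub-blocks inside an
    entry are not handled; this is enough for phase1-interface audits."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def dialup_tunnels_without_net_device(text):
    """Return the names of dial-up phase1 tunnels where net-device is not
    explicitly enabled; behind one NAT device such a tunnel admits only
    one L2TP over IPsec client at a time."""
    phase1 = parse_fortios(text).get("vpn ipsec phase1-interface", {})
    return sorted(name for name, cfg in phase1.items()
                  if cfg.get("type") == "dynamic"
                  and cfg.get("net-device") != "enable")
```

Run it against the output of `show vpn ipsec phase1-interface` to find tunnels that need `set net-device enable` before several clients share one NAT gateway.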

To configure L2TP over an IPsec tunnel using the CLI:
  1. Configure the WAN interface and static route on HQ.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end
  2. Configure IPsec phase1-interface and phase2-interface on HQ.
    config vpn ipsec phase1-interface
        edit "L2tpoIPsec"
            set type dynamic
            set interface "