
Create an L2TP remote access connection

You want to create a remote access L2TP connection.

Introduction

To create the L2TP connection, do as follows:

  • Turn on L2TP VPN connections, and specify your settings.
  • Create your L2TP policy.
  • Create a firewall rule to allow inbound VPN traffic.

Create an L2TP connection

  1. Go to VPN > Show VPN settings.

    Show VPN settings link

  2. Select the L2TP tab and select Enable L2TP.

    L2TP tab

  3. Specify the general settings:

    Assign IP from: Enter the IP address range to lease.
    Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client: This setting is optional. Select this if you want to lease IP addresses through RADIUS.
  4. Specify the client information:

    Primary DNS server: Select a DNS server from the drop-down list, or specify the DNS server by selecting Other and typing the server's address.
    Secondary DNS server: This setting is optional. Select a DNS server from the drop-down list, or specify the DNS server by selecting Other and typing the server's address.
    Primary WINS server: This setting is optional. Enter the IP address of your primary WINS server.
    Secondary WINS server: This setting is optional. Enter the IP address of your secondary WINS server.
  5. Click Add members at the bottom of the page.

    Add members button

  6. Select your users and groups, then click Add.

    Screen showing the users and groups you can select

  7. Click Apply.
    The following image shows example settings.

    Example L2TP general settings and client information

Create an L2TP policy

  1. Go to VPN > L2TP (remote access) and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Policy: IPsec policy to use for the traffic.
    Gateway type: Action to take when the VPN service or the firewall restarts:
      Disable: Connection remains inactive until a user activates it.
      Respond only: Keeps the connection ready to respond to any incoming request.
  4. Specify authentication settings.

    Authentication type: Authentication to use for the connection.
      Preshared key: Authenticates endpoints using the secret known to both endpoints.
      Digital certificate: Authenticates endpoints by exchanging certificates (locally signed or issued by a certificate authority).
  5. Specify local network details.

    Local WAN port: Select a WAN port, which acts as the endpoint for the tunnel.
    Local ID: For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.
  6. Specify remote network details.

    Remote host: IP address or hostname of the remote endpoint. (To specify any IP address, type *.)
    Allow NAT traversal: Enable NAT traversal if a NAT device exists between your endpoints, that is, when the remote peer has a private or non-routable IP address.
    Remote subnet: Remote networks to which you want to provide access.
    Remote ID: For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.
  7. Specify quick mode selectors.

    Local port: Port that the local peer uses for TCP or UDP traffic. (To specify any port, type *.)
    Remote port: Port that the remote peer uses for TCP or UDP traffic. (To specify any port, type *.)
  8. Specify the advanced settings:

    Disconnect when tunnel is idle: Disconnects idle clients from the session after the specified time.
    Idle session time interval: Time, in seconds, after which the firewall disconnects idle clients.
  9. Click Save.
    The following images show example settings.

    Example L2TP settings

    Example L2TP settings

  10. Click the red icon under the Active column to start the connection. Once connected, it'll show up as green.
    Here's an example:

    VPN connection status showing as connected

To configure an L2TP connection on Windows 10, see Configure an L2TP connection for Windows 10.

Set route precedence

The default route precedence is static routes, followed by SD-WAN policy routes, then VPN routes. To establish an L2TP connection, VPN routes must come first, followed by static routes and SD-WAN policy routes in any order.

  1. Sign in to the firewall's CLI.
  2. Enter 4 to select Device Console.
  3. Run system route_precedence set vpn static sdwan_policyroute.
  4. Run system route_precedence show to check that VPN routes come first.

Create a firewall rule

  1. Go to Rules and policies > Firewall rules. Select IPv4 protocol and select Add firewall rule. Select New firewall rule.
  2. Configure the rule as follows:

    Rule name: VPN-LAN
    Source zones: VPN
    Source networks and devices: Any
    Destination zones: LAN
    Destination networks: Any
    Services: Any

    Here's an example:

    Example firewall rule settings

  3. Click Save.
    To allow the remote host to access the internet through Sophos Firewall, create a firewall rule with VPN as the source zone and WAN as the destination zone.
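As an added pre-flight check (example code written for this page, not part of Sophos Firewall), the following Python models the two conditions above that an L2TP client needs before it can reach the LAN: the route precedence set in the CLI step, and the VPN-to-LAN firewall rule. The configuration dict layout and the rule keys are assumptions that mirror the tables on this page.

```python
ROUTE_TYPES = ("static", "sdwan_policyroute", "vpn")
DEFAULT_PRECEDENCE = ["static", "sdwan_policyroute", "vpn"]  # firewall default order


def check_route_precedence(order):
    """Return (ok, message) for a precedence list given in the order the firewall
    consults its route tables, i.e. the arguments to 'system route_precedence set'.
    L2TP needs 'vpn' first; static and sdwan_policyroute may follow in any order."""
    if sorted(order) != sorted(ROUTE_TYPES):
        return False, f"expected exactly {sorted(ROUTE_TYPES)}, got {list(order)}"
    if order[0] != "vpn":
        fix = " ".join(["vpn"] + [r for r in order if r != "vpn"])
        return False, f"'vpn' must come first; run: system route_precedence set {fix}"
    return True, "VPN routes take precedence"


def find_vpn_to_lan_rule(rules):
    """Return the first rule that allows any service from zone VPN to zone LAN,
    or None. Rules are dicts keyed like the table columns above (assumed layout)."""
    for rule in rules:
        if ("VPN" in rule.get("source_zones", ())
                and "LAN" in rule.get("destination_zones", ())
                and rule.get("services") == "Any"):
            return rule
    return None


def l2tp_preflight(config):
    """Collect every problem that would stop an L2TP client from reaching the LAN."""
    problems = []
    ok, msg = check_route_precedence(config.get("route_precedence", DEFAULT_PRECEDENCE))
    if not ok:
        problems.append(f"route precedence: {msg}")
    if find_vpn_to_lan_rule(config.get("firewall_rules", [])) is None:
        problems.append("firewall: no rule allows VPN zone -> LAN zone")
    return problems


# Constructed sample mirroring the settings on this page.
EXAMPLE_RULES = [{
    "rule_name": "VPN-LAN",
    "source_zones": ["VPN"], "source_networks": "Any",
    "destination_zones": ["LAN"], "destination_networks": "Any",
    "services": "Any",
}]
EXAMPLE_CONFIG = {"route_precedence": ["vpn", "static", "sdwan_policyroute"],
                  "firewall_rules": EXAMPLE_RULES}

if __name__ == "__main__":
    # Second config leaves the default precedence in place, so it is flagged.
    for cfg in (EXAMPLE_CONFIG, {"firewall_rules": EXAMPLE_RULES}):
        print(l2tp_preflight(cfg) or "ready for L2TP clients")
```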

More resources