In this article we will learn how to configure an L2TP VPN between a Sophos XG firewall and a Microsoft Windows 10 machine.
Configure L2TP Policy in Sophos XG Firewall
Log in to the Sophos XG firewall GUI, click VPN >> L2TP (remote access), and then click Add.
Fill in the following details for the L2TP VPN as required:
Name: Enter any name for the L2TP VPN policy.
Policy: Select a VPN policy based on your requirement. The policy defines the encryption and hashing algorithms that will be used to establish the VPN tunnel securely.
Gateway type: This option defines the action to take when the VPN service or the firewall restarts. The available options are Disable and Respond only.
Disable: If the action is set to Disable, the connection remains inactive until a user activates it.
Respond only: If the gateway is set to Respond only, it keeps the connection ready to respond to any incoming request.
Authentication details: Either a preshared key or certificates can be used as the authentication method. In this article we will learn how to use a preshared key.
Local WAN port: Select the WAN interface of the firewall. If the firewall has multiple WAN interfaces, select the interface that will accept the L2TP VPN connections.
Local ID: This field is optional. If you have multiple VPN tunnels, it is used to differentiate the tunnel connections.
Remote host: You can specify the IP address of the remote endpoint. To accept connections from any host, leave it as “*”.
Allow NAT traversal: Enable NAT traversal so the tunnel can pass through any NAT device.
Remote subnet: Enter the remote subnet from which clients connect to the L2TP VPN.
Remote ID: The remote ID is an optional field used to identify VPN tunnels.
Local port: Enter 1701 as the local port, since the L2TP service listens on that port.
Remote port: The remote port can be any random port. It will use TCP or UDP. To allow any port, select *.
Disconnect when tunnel is idle: This option disconnects the tunnel when no traffic is passing through it.
Idle session time interval: Idle clients will be disconnected after this time.
Sample L2TP policy settings:
Configure L2TP VPN on the Windows Machine:
Because we are using a preshared key for L2TP VPN authentication, we need to change the default IPsec authentication method on the Windows machine.
Search for “Windows Firewall with Advanced Security” as shown in the image below.
Click the Properties option as shown in the image below.
Click the IPsec Settings tab and then click Customize.
As shown in the image below, click Advanced and then click Customize.
By default the authentication method is set to “Kerberos V5”, as shown in the image below.
Remove Kerberos and add Preshared key as the authentication method, as shown in the image below.
Now click OK in all the tabs.
Now we need to create the L2TP VPN connection on the end-user machine. Open Network Connections by right-clicking the Start button, as shown in the image below.
Then click the VPN tab and add a connection as shown in the image below.
In the same window, click the Ethernet tab and then click Change adapter options, as shown in the image below.
Right-click the L2TP connection and click Properties.
Click the Security tab, select Allow these protocols, and select the Microsoft CHAP version option as shown in the image below.
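The same Windows-side connection can be created from PowerShell instead of the GUI steps above. This is an added example, not part of the original article or a Sophos script; the connection name, the firewall WAN address, the prompted preshared key and the IPsec algorithm values are assumptions that must be changed to match the policy you selected on the XG firewall.

```powershell
# Added example: create the L2TP/IPsec client connection with a preshared key
# and MS-CHAP v2 user authentication, matching the GUI steps in this article.
# Assumed (not from the article): connection name and the firewall's WAN address.
$ConnectionName = "Sophos-L2TP"
$FirewallWanIp  = "203.0.113.10"   # placeholder: your XG firewall's WAN interface IP

# The preshared key is typed at runtime so it is not stored in the script.
$Psk = Read-Host -Prompt "Enter the L2TP preshared key configured on the XG firewall"

# Create the connection: L2TP tunnel, PSK for IPsec, MS-CHAP v2 for the user, encryption required.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $FirewallWanIp `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -Force

# Pin the IPsec proposal to what the firewall's L2TP policy offers.
# Assumed values: AES-256 / SHA-256 / DH group 14 with PFS. Adjust to your selected policy.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Review the result before connecting (equivalent to checking the Security tab in the GUI).
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# To connect from the command line once the firewall side is ready:
#   rasdial $ConnectionName <L2TP username> <password>
```

Mismatched phase 1/phase 2 algorithms between this configuration and the firewall's policy show up as the connection failing before user authentication, so compare these values with the policy chosen under VPN >> L2TP first.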
Now we are good to go and could click Connect on the VPN. Before doing that, however, we need to configure the L2TP settings in the firewall to assign IP addresses to clients and to add L2TP members.
Click VPN, then click Show VPN settings, and then click L2TP as shown in the image below.
On the same page you can assign the IP address range for L2TP clients, as shown in the image below.
You can add L2TP members to the L2TP VPN by clicking Add members, as shown in the image below.
Once you have added the VPN members, go to the VPN connections on the Windows machine and click Connect, as shown in the image below.
The L2TP VPN will now be connected.
Hope this article helps you.