Setting up cOS Core as an L2TP/IPsec client

Last modified on 8 Mar, 2023. Revision 15
This article will give a short description on how to set up and use a NetWall firewall as a client in order to connect to an L2TP/IPsec server.
Up to date for
cOS Core 14.00.08
Supported since
cOS Core 12.00.xx
Peter Nilsson


L2TP over IPsec requires an IPsec tunnel that encapsulates the L2TP data when it is transported over an insecure network. This means that the IPsec tunnel will be established first, then the L2TP tunnel will be established inside the IPsec tunnel. This article provides an explanation of how to set up cOS Core to act as a client for an L2TP/IPsec tunnel connection. However, the following points should be noted:

Setting up the IPsec interface

Name: IPsec_For_L2TP
IKE Version: IKEv1 (Important)
Encapsulation Mode: Transport (important)
Remote Endpoint: Server_IP (L2TP/IPsec server IP)
Authentication: PSK or Certificate
IKE and IPsec Algorithms: If possible, we recommend choosing safe proposals such as SHA256 and AES256. (you will need to match the algorithms used by the L2TP Server).
Add Route Dynamically: Disabled
Add Route Statically: Disabled

* *

Note: Local Network and Remote Network is not applicable when Transport mode is used. The IPv4 address all-nets ( is not used even though it looks that way visually when examining the IPsec tunnel summary (above).

Setting up the L2TP client interface

Name: L2TP _Client
Tunnel Protocol: L2TP
Remote Endpoint: Server_IP (same IP/object as used on the IPsec tunnels Remote Endpoint).
Remote Network: RemoteNetWork (this is the network we want to access beyond the L2TP client tunnel).
Authentication: Here we enter the username and password for a user on the L2TP Server.
Under the Security tab: Select the IPsec interface created earlier.
Note: Keep the “Statically Add Route” option enabled
MTU: 1376

IP Policies to allow traffic to and from the network(s) behind the L2TP server

This IP policy allows traffic to be sent to the network(s) behind the L2TP server. If traffic is allowed to be initiated in the other direction, another IP policy for that would be needed.
Name: To_L2TP_RemoteNetWork
Action: Allow
Source Interface: If2
Source Network: If2_net
Destination Interface: L2TP_Client
Destination Network: RemoteNetWork
Service: all_services

Note the following:

Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Partial split tunneling when using Windows L2TP/IPsec
27 Jan, 2023 ipsec core windows vpn l2tp
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
Route failover with IPsec tunnels in cOS Core
13 Feb, 2023 ipsec core routing failover