Setting up cOS Core as an L2TP/IPsec client

Last modified on 8 Mar, 2023. Revision 15
This article will give a short description on how to set up and use a NetWall firewall as a client in order to connect to an L2TP/IPsec server.
Up to date for
cOS Core 14.00.08
Supported since
cOS Core 12.00.xx
Status LEGACY
Author
Peter Nilsson

Description

L2TP over IPsec requires an IPsec tunnel that encapsulates the L2TP data when it is transported over an insecure network. This means that the IPsec tunnel will be established first, then the L2TP tunnel will be established inside the IPsec tunnel. This article provides an explanation of how to set up cOS Core to act as a client for an L2TP/IPsec tunnel connection. However, the following points should be noted:

  • L2TP/IPsec is no longer recommended for use (since Jan 2023) as many of the default ciphers are now not recommended (such as MD5 and SHA1) and could pose a security risk. Unless the option exists to select and use stronger ciphers, it is recommended to instead use a normal IKEv2 IPsec tunnel. The use of double-encapsulation (L2TP inside an IPsec tunnel) also causes more overhead and only a maximum MTU of 1376 can be used which results in lower performance and potential fragmentation.
  • When the L2TP client receives an IP address from the server IP pool, it will cause the cOS Core to initiate a reconfigure (similar to DHCP client).
  • If no specific/option setting is mentioned, the default value should be used.

Setting up the IPsec interface

Name: IPsec_For_L2TP
IKE Version: IKEv1 (Important)
Encapsulation Mode: Transport (important)
Remote Endpoint: Server_IP (L2TP/IPsec server IP)
Authentication: PSK or Certificate
IKE and IPsec Algorithms: If possible, we recommend choosing safe proposals such as SHA256 and AES256. (you will need to match the algorithms used by the L2TP Server).
Add Route Dynamically: Disabled
Add Route Statically: Disabled

* *

Note: Local Network and Remote Network is not applicable when Transport mode is used. The IPv4 address all-nets (0.0.0.0/0) is not used even though it looks that way visually when examining the IPsec tunnel summary (above).

Setting up the L2TP client interface

Name: L2TP _Client
Tunnel Protocol: L2TP
Remote Endpoint: Server_IP (same IP/object as used on the IPsec tunnels Remote Endpoint).
Remote Network: RemoteNetWork (this is the network we want to access beyond the L2TP client tunnel).
Authentication: Here we enter the username and password for a user on the L2TP Server.
Under the Security tab: Select the IPsec interface created earlier.
Note: Keep the “Statically Add Route” option enabled
MTU: 1376

IP Policies to allow traffic to and from the network(s) behind the L2TP server

This IP policy allows traffic to be sent to the network(s) behind the L2TP server. If traffic is allowed to be initiated in the other direction, another IP policy for that would be needed.
Name: To_L2TP_RemoteNetWork
Action: Allow
Source Interface: If2
Source Network: If2_net
Destination Interface: L2TP_Client
Destination Network: RemoteNetWork
Service: all_services

Note the following:

  • Make sure that the destination interface is the L2TP_Client interface and NOT the IPsec tunnel (this is a common setup mistake).
  • NAT will most likely be needed (depending on how the server is configured) since the server would most likely not accept incoming traffic from the client's local network range.

Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
Setup of a Layer-3 bridge over IPsec in cOS Core
12 Apr, 2023 core proxyarp arp ipsec routing
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
Setting up OSPF with IPsec in cOS Core
21 Dec, 2023 core routing ospf ipsec
cOS Core IPsec IKEv1 "No_Proposal_Chosen" error in 14.00.10
4 Aug, 2023 core ipsec troubleshoot ike
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Split tunneling in cOS Core with Windows L2TP/IPsec clients
29 Mar, 2023 ipsec core windows vpn l2tp
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
cOS Core IKEv2 tunnel setup with certificates for iOS clients
5 Apr, 2023 core nps ipsec radius legacy
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
Route failover with IPsec tunnels in cOS Core
13 Feb, 2023 ipsec core routing failover