UTM: Configuring L2TP Server on SonicOS Enhanced (SW5378)

  • Title

    UTM: Configuring L2TP Server on SonicOS Enhanced
  • Resolution

    Article Applies To:

    Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100
    Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200

    Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600

    Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W NSA 240, NSA 250M, NSA250MW
    Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W TZ 200, TZ 200W, TZ 205, TZ 205W TZ 210, TZ 210W,TZ 215, TZ 215W.

    Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060,PRO 3060, PRO 2040, PRO 1260
    Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless

    Firmware/Software Version: All SonicOS Enhanced versions.
    Services: L2TP


    Configuring L2TP Server on SonicOS Enhanced


    This document explains how to configure L2TP Client access to the SonicWALL WAN GroupVPN SA using the built-in L2TP Server and Microsoft's L2TP VPN Client


    This guide is for SonicOS Enhanced firmware on Gen 4,Gen 5 and Gen 6 appliances


    The suggested configuration was confirmed to work with Microsoft Windows XP Service Pack 2 (SP2), Vista Ultimate, and Vista Home 

    1) Go to VPN > Settings and enable the WAN GroupVPN policy. The default policy settings are OK to use, but the Shared Secret will

           be needed for the client policy configuration


    If your SonicWALL appliance is running SonicOS or above, enable the  Accept Multiple Proposals for Clients checkbox which allows multiple VPN or L2TP clients using different security policies to connect.


    2) Go to VPN > L2TP Server

    I. Enable the L2TP Server. Click 'Configure'
    II. L2TP Server Settings
    Keep alive time (secs): 60
    DNS Server 1: (Use internal or your ISP's DNS)
    DNS Server 2: (or use your ISP's DNS)
    DNS Server 3: (or use your ISP's DNS)
    WINS Server 1: (or use your WINS IP)
    WINS Server 2: (or use your WINS IP)
    III. IP Address Settings
    IP address provided by RADIUS/LDAP Server: Disabled
    Use the Local L2TP IP Pool: Enabled
    Start IP: *EXAMPLE*
    End IP: *EXAMPLE* 
    IV. L2TP Users
    User Group for L2TP Users: 'Trusted Users'



    3) Go to Network > NAT Policies
    SonicOS Enhanced will automatically add the following NAT policy.

    You may manually add this NAT policy if not auto-added.

    I. Add a NAT Policy with these settings:
    Original: 'L2TP IP Pool'
    Translated: 'WAN Primary IP'
    Original: 'Any'
    Translated: 'Original'
    Original: 'Any'
    Translated: 'Original'
    Inbound: 'Any'
    Outbound: 'WAN' or 'X1'
    Comment: L2TP Outbound NAT
    Enable NAT Policy: Enabled
    Create a reflexive policy: Disabled 



    4) Go to Firewall > Access Rules and select VPN to WAN and Add the following rule.

    Click Add  to add a new firewall rule with the following settings:
    Action: Allow
    Service: Any
    Source: WAN RemoteAccess Networks
    Destination: Any
    Users Allowed: All
    Schedule: Always on
    Comment: L2TP Internet access



    The SNWL portion of the configuration is complete.


    L2TP setup on the Client computer:

    This next steps are performed on a workstation running Microsoft Windows XP Professional, Service Pack 2:


    1) Go to the Control Panel

    2) Go to Network Connections

    3) Open the New Connection Wizard. Click Next.

    4) Choose "Connect to the network at my workplace." Click Next.

    5) Choose "Virtual Private Network Connection." Click Next.

    6) Enter a name for your VPN connection. Click Next.

    7) Enter the Public (WAN) IP address of the SNWL. Alternatively, you can use a domain name that points to the SNWL. Click Next, then click Finish. The connection window will appear. Click Properties.

    8) Go to the Security tab. Click on "IPSec Settings". Enable "Use pre-shared key for authentication". Enter your pre-shared secret. Click OK.


    9) Go to the Networking tab. Change "Type of VPN" from "Automatic" to "L2TP IPSec VPN". Click OK.


    10) Enter your XAUTH username and password. Click Connect.


    Once the connection has been established, Internet access should be available. Access to the internal network will also be available.

SonicWALL SuperMassive 9000 Series
9600, 9400, 9200
SonicWALL SuperMassive E10000 Series
10800, 10400
SonicWALL NSA Series
6600, 5600, 4600, 4500, 3600, 3500, 2600, 250MW, 250M, 2400MX, 2400, 240, 220W, 220
SonicWALL E-Class NSA Series
E8510, E8500, E7500, E6500, E5500
SonicWALL TZ Series
215W, 215, 210W, 210, 205, 200W, 200, 105, 100W, 100
SonicWALL PRO Series
5060, 4100, 4060, 3060, 2040, 1260
TZ Series
190W, 190, 180W, 180, 170

Technical Solutions

Article History:
Created on: 10/13/2008
Last Update on: 7/31/2014

Feedback submitted.

Did this article help?

[Select Rating]

Thank you for your rating!


Request or Create a KB Article »