L2TP Server using PSK


Post by jono » 12 May 2008, 14:05

This How-to applies to:
  • Clavister Security Gateway 8.50 or later
  • Microsoft Windows XP

This document assumes that you already have the Security Gateway up and running. If not, please consult the proper documentation for this.

Topics covered in this document
  • Clavister - Preparing objects used by the gateway
  • Clavister - Setting up the IPSec Tunnel
  • Clavister - Setting up the L2TP Tunnel
  • Clavister - Setting up the User Authentication Rule
  • Clavister - Setting up the Rules
  • Windows XP VPN Client - Setting up the new network connection
Clavister - Preparing objects used by the gateway
First of all, we need to create all the objects that the configuration will use.

Preparing the Host & Networks
The first thing to do is to add the objects needed by the L2TP tunnel, that is, the network from which the L2TP clients will be assigned addresses. In this guide we use a range of the internal network (

When this is done, you should have one new object under Host & Networks. It should look something like this:
[Image: Setting-up-a-L2TP-Server-using-Clavister-Security-Gateway.jpg]
Preparing a IPSec Proposal List
The IPsec proposal list is, very simplified, a list of proposals defining how the data sent through the IPsec tunnel is to be encrypted. In this How-to the proposal list esp-l2tptunnel needs to be created with these values:

Note: On Windows 7 the IPsec lifetime needs to be set to 250000kB, because Windows 7 has a different default lifetime setting than Windows XP.
[Image: Setting-up-a-L2TP-Server-using-Clavister-Security-Gateway2.jpg]
Preparing the Pre-Shared Key
To be able to authenticate the IPSec tunnel that will be used for the L2TP tunnel, a pre-shared key needs to be defined. This is done under Local Objects -> VPN Settings -> Pre-Shared Keys.
[Image: psk.gif]
In this How-to a pre-shared key named l2tp-psk will be used.

Preparing a new Local User Database
To be able to authenticate the users of the L2TP tunnel, a local user database will be used. This can of course also be a RADIUS server. Create a new database under Local Objects -> User Databases.
[Image: new_user.gif]
In this How-to a user database named UserDB will be used.

Add a few users to this database. There is no need to define groups to get L2TP up and running, but groups could later be used in the rules to set up different policies based on group membership.

Clavister - Setting up the IPSec Tunnel
[Image: ipsec_tunnel.gif]
Now it's time to set up the IPSec tunnel. This is done in the IPSec Tunnels section located in the Interface folder of the Security Gateway. The example screenshot above shows the Clavister Security Gateway.

First of all, a name is needed for the VPN connection. This virtual interface will later be used in the L2TP section.

In this example, the name l2tp_ipsec is being used.

Local Network
This is the local network that the remote users will connect to. As we are going to use L2TP, this is the same IP that the L2TP tunnel will terminate on, i.e. ip_ext.

Note: When the SGW is behind a NATing device, Local Network should be all-nets, because the SGW will then send an incorrect local ID (its private address rather than the public one).

Remote Network
The Security Gateway compares this field to the roaming user's source IP address in order to allow connections only from the configured local net to the remote net. However, in this scenario, clients should be allowed to roam in from everywhere. Thus, this field is set to all-nets ( This means that virtually all existing IPv4 addresses are allowed to connect.

Remote Gateway
Basically, this field is only used when setting up a LAN-to-LAN VPN. The remote gateway is the machine to which all packets originating from the local net and travelling to the remote net will be sent, in order to be processed by the IPsec engine.

The remote gateway none is used in roaming client scenarios. The Security Gateway will send its reply to the IP address that initiated the IKE/IPsec connection instead of a certain gateway. That makes it the obvious choice for roaming clients.

Proposal Lists
Select the pre-defined ike-roamingclients as IKE Proposal List, as it is very close to what Windows uses, and then select the esp-l2tptunnel IPsec proposal list created earlier.

[Image: ipsec_auth.gif]
As authentication method, choose Pre-Shared Key. Then, in the Pre-Shared Key drop-down list, select the Pre-Shared Key you created previously in the Pre-Shared Key section.

Automatic routing
[Image: ipsec_routing.gif]
The IPSec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established.

This is done under the Routing tab of the IPSec tunnel dialog.

Clavister - Setting up the L2TP Tunnel
Now it's time to set up the L2TP server. This is done in the PPTP/L2TP Servers section located in the Interface folder of the Security Gateway.
[Image: l2tp_tunnel.gif]
First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the rules and user authentication rules sections.

In this example, the name l2tp_tunnel is being used.

Inner IP Address
This IP should be a part of the network which the clients are assigned IP addresses from, in this case it should be ip_int (

Tunnel Protocol
As we are setting up a L2TP server, L2TP is selected as Tunnel Protocol.

Outer Interface Filter
This is the interface on which the L2TP server will accept connections. As IPsec is used when running L2TP from Windows XP, this is the IPsec tunnel created earlier, l2tp_ipsec.

Outer Server IP
This is the IP that the L2TP server is accepting connections on. It should be the same as the IPSec tunnel endpoint, i.e. ip_ext.

User Authentication
Should be enabled, and a user authentication rule needs to be configured (as described below in "Clavister - Setting up the User Authentication Rules").

PPP Parameters on the L2TP Server
[Image: ppp_params.png]
Microsoft Point-to-Point Encryption
Select the encryption strength the server should allow.
NOTE! The recommendation is to ONLY have None checked. Disable the 40/56/128 bit encryption.
We already have IPsec encryption, there is no need to encrypt once more, and MPPE is not hardware accelerated, meaning that throughput and CPU usage will suffer. IPsec is hardware accelerated on certain models which gives vastly improved performance.

IP Pool
Specify the addresses that are to be assigned to the clients. In this case, use the pool created earlier, l2tp_pool. Also specify up to two DNS and WINS servers.

[Image: l2tp_addroute.gif]
A ProxyARP needs to be configured for the IPs used by the L2TP clients. What we do is publish the IPs from l2tp_pool on int, and the L2TP server will automatically route them over the l2tp_tunnel interface.

[Image: l2tp_pbr.gif]
The L2TP Server will automatically add routes to the L2TP Clients and route them over the l2tp_tunnel interface. Select which routing table those routes should be added to. In this guide we will use <main> which is the ordinary routing table.

Clavister - Setting up the User Authentication Rules
A user authentication rule needs to be configured as below:
  • Interface should be the L2TP server, in this case l2tp_tunnel.
  • Source IP should be all-nets, as the clients are roaming.
  • Destination IP should be the same as the Outer IP, in this case ip_ext.
  • Agent should be PPP when using L2TP or PPTP.
  • Authentication Source should be Local, as we are using a local user database; then select UserDB under the Auth Options tab.

The rule should look like this:
[Image: Setting-up-a-L2TP-Server-using-Clavister-Security-Gateway3.jpg]
Clavister - Setting up the Rule
When the other parts are done, all that is left is the rules. To let traffic through from the tunnel, a rule should be added with the following characteristics:
  • Action: Allow
  • Source Interface: l2tp_tunnel
  • Source Network: l2tp_pool
  • Destination Interface: Any
  • Destination Network: int-net
  • Service: All
The reason for using Any as destination interface is to be able to access both the internal network and the internal IP on <core>.
[Image: Setting-up-a-L2TP-Server-using-Clavister-Security-Gateway4.jpg]
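As an added sanity check (example code written for this How-to, not Clavister's own), the following Python models the objects and settings from the sections above with constructed sample addresses, since the page names the objects but not their values, and verifies the relationships the How-to requires between the IPsec tunnel, the L2TP server, the user authentication rule and the IP rule.

```python
import ipaddress

# Constructed sample addresses; the How-to names these objects but leaves the values out.
OBJECTS = {"ip_ext": "203.0.113.10", "ip_int": "192.168.1.1",
           "int-net": "192.168.1.0/24", "l2tp_pool": "192.168.1.200-192.168.1.220"}

# The settings the How-to specifies for each part of the configuration.
CONFIG = {
    "ipsec": {"name": "l2tp_ipsec", "local_network": "ip_ext",
              "remote_network": "all-nets", "remote_gateway": "none"},
    "l2tp": {"name": "l2tp_tunnel", "inner_ip": "ip_int", "outer_interface": "l2tp_ipsec",
             "outer_server_ip": "ip_ext", "ip_pool": "l2tp_pool", "mppe": ["None"]},
    "auth_rule": {"interface": "l2tp_tunnel", "source": "all-nets",
                  "destination": "ip_ext", "agent": "PPP"},
    "ip_rule": {"action": "Allow", "src_if": "l2tp_tunnel", "src_net": "l2tp_pool",
                "dst_if": "Any", "dst_net": "int-net", "service": "All"},
}


def pool_in_network(pool, network):
    """True when every address of a 'lo-hi' range lies inside the given network."""
    net = ipaddress.ip_network(network)
    lo, hi = (ipaddress.ip_address(a) for a in pool.split("-"))
    return lo <= hi and lo in net and hi in net


def check_l2tp_config(objects, cfg):
    """Return the list of How-to requirements that the configuration violates."""
    ipsec, l2tp, auth, rule = cfg["ipsec"], cfg["l2tp"], cfg["auth_rule"], cfg["ip_rule"]
    problems = []
    # Roaming clients: no fixed peer, and any source address may initiate IKE.
    if ipsec["remote_network"] != "all-nets" or ipsec["remote_gateway"] != "none":
        problems.append("ipsec: roaming clients need remote net all-nets and gateway none")
    # L2TP is reachable only through the IPsec tunnel, on the same endpoint IP.
    if l2tp["outer_interface"] != ipsec["name"]:
        problems.append("l2tp: outer interface filter must be the IPsec tunnel")
    if l2tp["outer_server_ip"] != ipsec["local_network"]:
        problems.append("l2tp: outer server IP must equal the IPsec local network IP")
    # Inner IP and client pool must belong to int-net for the ProxyARP publishing to work.
    if ipaddress.ip_address(objects[l2tp["inner_ip"]]) not in ipaddress.ip_network(objects["int-net"]):
        problems.append("l2tp: inner IP is not part of int-net")
    if not pool_in_network(objects[l2tp["ip_pool"]], objects["int-net"]):
        problems.append("l2tp: IP pool is not inside int-net")
    # IPsec already encrypts the traffic; MPPE would only add CPU load.
    if l2tp["mppe"] != ["None"]:
        problems.append("l2tp: only MPPE 'None' should be enabled")
    # The authentication and IP rules must refer to the L2TP interface and its pool.
    if (auth["interface"] != l2tp["name"] or auth["destination"] != l2tp["outer_server_ip"]
            or auth["agent"] != "PPP"):
        problems.append("auth rule: interface, destination or agent does not match the L2TP server")
    if rule["action"] != "Allow" or rule["src_if"] != l2tp["name"] or rule["src_net"] != l2tp["ip_pool"]:
        problems.append("ip rule: must allow traffic from l2tp_tunnel / l2tp_pool")
    return problems
```

Running check_l2tp_config(OBJECTS, CONFIG) on the settings as described returns an empty list; re-enabling 128-bit MPPE or pointing Remote Gateway at a fixed address produces one finding each.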
Windows XP VPN Client - Setting up the new network connection
To set up the new L2TP network connection in Windows XP, open Network Connections and choose Create a new connection. This will bring up the New Connection Wizard. Follow the steps below to set up the L2TP client.
[Image: wizard1.gif]
Step 1. Choose Next to start the wizard.
[Image: wizard2.gif]
Step 2. Choose Connect to the network at my workplace.
[Image: wizard3.gif]
Step 3. Choose Virtual Private Network connection as this will create a new VPN tunnel.
[Image: wizard4.gif]
Step 4. Give the new network connection a name.
[Image: wizard5.gif]
Step 5. Choose Do not dial the initial connection if you are connecting over the LAN. If you are using a modem to dial up to the Internet, specify that dial-up connection under Automatically dial this initial connection.
[Image: wizard6.gif]
Step 6. Type in the hostname or IP of the Clavister Security Gateway you are connecting to.
[Image: wizard7.gif]
Step 7. Click Finish to save the configuration.
[Image: ipsec_settings.gif]
Step 8. In the dialog that is shown, choose Properties and click on the Security tab. On this page click on IPSec Settings, enable Use pre-shared key for authentication and enter the key that was specified earlier as l2tp-psk in the Clavister Security Gateway.

You should now be able to connect to your Clavister Security Gateway with L2TP.

Note: When the Security Gateway is behind a NATing device, you must modify the registry with this setting:

Note: If you encounter problems accessing publicly published resources while another user behind the same NATing device is connected with L2TP/IPsec to the Clavister device, there is a "trick" you can use:
1. Create a new Routing Table with ordering First. It should be empty. You can name it "L2TP-trick".
2. Make the IPsec tunnel used for L2TP a member of the "L2TP-trick" routing table (PBR Membership).

Now it will work properly again.