
Setting up an L2TP Server using Certificates (11.x)

Posted: 13 May 2008, 14:19
by jono
This How-to applies to:
  • cOS Core 11.x
  • Microsoft Windows 10
To configure a Windows 2012 CA Server, follow this link: viewtopic.php?f=8&t=5838

Topics covered in this document
  • Clavister - Preparing objects used by the gateway
  • Clavister - Setting up the IPsec Tunnel
  • Clavister - Setting up the L2TP Tunnel
  • Clavister - Setting up the User Authentication Rule
  • Clavister - Setting up the Policies
  • Windows 10
Clavister - Preparing objects used by the gateway
First of all we need to create all needed objects.

Preparing the Host & Networks
The first thing to do is to add all objects needed by the L2TP tunnel: the network, the IP range and an IP of the network that the L2TP clients will use. In this guide we use a range of the internal network (

When this is done, you should have three new objects in the Address Book; it should look something like this:
[Screenshot: IPsec_Addresses.png]

Preparing an IKE and IPsec Proposal List
Create two new Algorithms, one for IKE and one for IPsec; this is done under Object -> VPN Objects -> IKE/IPsec Algorithms. Make sure to use AES and SHA1 to match the proposals sent by Windows.
Note: The proposals sent to the Clavister vary depending on which operating system connects. For example, Android and iOS use more secure algorithms, such as SHA256. We recommend using the more secure algorithms available when connecting to the IPsec tunnel.

Preparing a new Local User Database
To be able to authenticate the users using the L2TP tunnel, a local user database will be used; this can of course also be a RADIUS server. Create a new database under System -> Users -> Local User Databases.
In this How-to a user database named L2TP will be used.
Add a few users to this database. There is no need to define groups to get L2TP up and running, but groups could later be used in the rules to set up different policies based on group membership.

Clavister - Setting up the IPsec Tunnel
Now it's time to set up the IPsec tunnel; this is done under Network -> VPN and Tunnels -> IPsec of the Security Gateway.
First of all, a name is needed for the VPN connection. This virtual interface will later be used in the L2TP section.
In this example, the name IPsec_L2TP is being used.

Encapsulation Mode
Here we use Transport since this is an L2TP tunnel.

Local Endpoint
This is the local address which the tunnel should accept incoming IKE/IPsec packets on. In this scenario we will use our Lan_ip.

Note: When the SGW is behind a NAT device, Local Endpoint should be all-nets, because an incorrect local ID will be sent due to the SGW being behind NAT.

Source Interface
This specifies the interface which connections are allowed on. In this scenario we only want to be able to connect from our Lan interface, so we select Lan.

Remote Endpoint
The remote endpoint none is used in roaming client scenarios. The Security Gateway will send its reply to the IP address that initiated the IKE/IPsec connection instead of a certain gateway. That makes it the obvious choice for roaming clients.

Here we choose our earlier created algorithms for both IKE and IPsec.

IKE Settings
Under IKE DH Group we make sure Diffie-Hellman group 14 is selected to match the proposals from Windows.
Note: Other operating systems require different DH groups.

As authentication method, choose X.509 Certificate. Then, in the Gateway Certificate drop-down list, select the gateway certificate you got from the CA and select the correct root certificate from the CA server.
Note: If you don't have a CA, you can create one using the guide we linked earlier in this How-To.

Automatic Route Creation
The Add route statically option is enabled by default. This should be disabled.
This is done under the Advanced tab of the IPsec tunnel dialog.

Clavister - Setting up the L2TP Tunnel
Now it's time to set up the L2TP Server; this is done under Network -> VPN and Tunnels -> PPTP/L2TP Servers of the Security Gateway.
First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the rules and user authentication rules sections.
In this example, the name L2TP is being used.

Inner IP Address
This IP should be a part of the network which the clients are assigned IP addresses from, in this case it should be IPsec_ip (

Tunnel Protocol
As we are setting up an L2TP server, L2TP is selected as Tunnel Protocol.

Outer Interface Filter
This is the interface that the L2TP server will accept connections on. As IPsec is used when running L2TP from Windows 10, this is the IPsec tunnel created earlier, IPsec_L2TP.

Outer Server IP
This is the IP that the L2TP server is accepting connections on. It should be the same as the IPsec tunnel endpoint, i.e. Lan_ip.
PPP Parameters
Note! We strongly recommend that you disable all MPPE encryption when you already are using IPsec, for performance reasons.

IP Pool
Specify the addresses that are to be assigned to the clients. In this case use the pool created earlier, IPsec_range. You also have the option to specify up to two DNS and WINS servers.

Add Route
Proxy ARP
A ProxyARP needs to be configured for the IPs used by the L2TP clients. What we do is publish the IPs from the IPsec_range on lan, and the L2TP server will automatically route them over the L2TP interface.

Clavister - Setting up the User Authentication Rules
A user authentication rule needs to be configured as below:

Here we set the name of the rule; in this scenario we use L2TP_Auth.

Authentication Agent
We should set this to L2TP/PPTP/SSL VPN since we are using L2TP.

This needs to be the interface we want this Authentication rule to trigger on, in this case L2TP.

Originator IP
Here all-nets needs to be selected as the clients are roaming.

Terminator IP
This should be the same as the Local Endpoint, in this case Lan_ip.

Since we are using a local user database, the Authentication Source should be Local; then select L2TP under the Authentication Options tab.

Clavister - Setting up the Policy
When the other parts are done, all that is left is the Policy. To let traffic through from the tunnel, a rule should be added with the following characteristics: Action is Allow, Source Interface is L2TP, Source Network is IPsec_range, the Destination Interface is any, the Destination Network is all-nets, the Service is all_services and finally the Source Translation is set to NAT.
The reason for using any as destination interface is to be able to both access the internal network and the internal IP on <core>.

Windows 10 - Setting up the new network connection

First of all, the certificates (user, private key and CA root certificates) need to be imported into Windows.
The earlier mentioned How-To explains how this is done.

To set up the new L2TP network connection in Windows 10, press the Windows home button and i, or manually go to Windows settings, then go to Network & Internet -> VPN -> Add a VPN connection.

Add a VPN connection

VPN provider
Choose the pre-defined Windows (built-in).

Connection name
Give your connection a name.

Server Name or address
Type in the hostname or the IP of the Clavister Security Gateway you're connected to.

VPN Type
Since we want to set up an L2TP/IPsec connection with certificates, choose L2TP/IPsec with Certificates.

Username (optional)
Here we enter one of the users we created in our Local User Database. In this case we created a user named testuser which we will use.

Password (optional)
This password will have to match the user you want to connect as.

Note: If you don't enter the username or password, you will get a pop-up asking for your username and password.
You should now be able to connect to your Clavister Security Gateway using L2TP with Certificates.
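
The Windows 10 steps above can also be scripted with a certificate pre-check. The following PowerShell is an added example, not part of the original how-to; the connection name and server address are placeholders, and the check assumes the client certificate is in the Local Machine store and was issued directly by a root CA in the Trusted Root store.

```powershell
# Added example. $Name and $Server are placeholders, not values from the how-to.
$Name   = 'Clavister L2TP'
$Server = 'gw.example.com'   # hostname or IP of the Security Gateway

# Windows authenticates L2TP/IPsec with a computer certificate, so look in the
# Local Machine stores. Assumption: the client certificate was issued directly
# by the root CA (no intermediate CA in between).
$trustedRoots = (Get-ChildItem Cert:\LocalMachine\Root).Subject
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le (Get-Date) -and $_.NotAfter -gt (Get-Date) -and
    $trustedRoots -contains $_.Issuer
}
if (-not $usable) {
    throw 'No valid machine certificate with a private key and a trusted issuer was found.'
}
$usable | Format-Table Subject, Issuer, NotAfter, Thumbprint

# Without -L2tpPsk, Add-VpnConnection configures L2TP/IPsec to use a certificate.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp
}

# Confirm the profile really uses certificate authentication, not a pre-shared key.
$vpn = Get-VpnConnection -Name $Name
if ($vpn.L2tpIPsecAuth -ne 'Certificate') {
    throw "Connection '$Name' uses $($vpn.L2tpIPsecAuth), expected Certificate."
}
$vpn | Format-List Name, ServerAddress, TunnelType, L2tpIPsecAuth
```

No username or password is stored by this script, so Windows asks for them at the first connection, as the note above describes.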

Re: Setting up an L2TP Server using Certificates (11.x)

Posted: 15 Nov 2016, 11:13
by mape
Updated 2016-11-15