Method used to configure the L2TP over IPSec dial-up access for iPhone and Mac users on the USG2000 and USG5000


The method used to configure the L2TP over IPSec dial-up access for iPhone and Mac users on the USG2000 and USG5000 is as follows:

1. The configuration on the iPhone is as follows:
Choose Settings > General > Network > VPN. Select Add VPN Configuration. On the Add Configuration screen, select L2TP from Type.
Set the L2TP options as follows:
Description: L2TP VPN description. In this example, it can be set to any value.
Server: L2TP VPN server address. In this example, it is set to 188.135.3.146, that is, the IP address of the firewall.
Account: L2TP user name. It is set to the user name configured for the AAA on the firewall.
RSA SecurID: Specifies whether to authenticate with an RSA SecurID token. In this example, it is disabled.
Password: Password of the L2TP user. It must match the password configured for this user name in the AAA on the firewall.
Secret: Exchange key of the L2TP VPN, that is, the pre-shared key in the IKE. In this example, it is set to nawras.
Send All Traffic: It is enabled, so that all traffic is transmitted over the VPN.
IPSec configuration:
Generally, after you configure the L2TP options, the IPSec options are automatically filled in by the system. If not, fill in the options as follows:
Description: VPN description. In this example, it can be set to any value.
Server: IP address of the firewall interface. In this example, it is set to 188.135.3.146.
Account: L2TP user name. It is set to the user name configured for the AAA on the firewall.
Password: Password of the L2TP user. It must match the password configured for this user name in the AAA on the firewall.
User Certificate: The certificate is not required. This option is unavailable.
Group Name: The group name is not required. It can be left blank.
Secret: Pre-shared key in the IKE. In this example, it is set to nawras.

2. Configuration on the Mac OS:
a. VPN configuration on the Mac PC:
The IKE negotiation is set to the main mode.
The encryption algorithm for the IKE negotiation is set to 3DES.
The authentication algorithm is set to SHA-1.
The authentication method is set to PRE-SHARED-KEY (PSK).

The IPSec negotiation is set to transport mode.
The IPSec encryption algorithm is set to 3DES.
The IPSec authentication algorithm is set to MD5.
b. Configuration procedure:
Click Network. Click "+" in the lower left corner, and create a new service. Set VPN Type to L2TP over IPSec and Service Name to any value, for example, VPN (L2TP).
Set Service Address to the interface IP address of the firewall, and Account Name to the L2TP user name that must have been configured for the AAA. Then, click Authentication Setting.
Set password to the password of the L2TP user, and Shared Secret to the pre-shared key in the IKE peer, for example, nawras.
After the parameters are set, click OK. Then, click Apply in the lower right corner to validate the settings.
When the VPN connection is required, click Connect. The system automatically initiates the L2TP over IPSec negotiation. After the connection is established, the current state is displayed as Connected, and the client is assigned a new IP address, which is allocated through L2TP.
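The Mac client's IKE and IPSec parameters listed above are fixed, so a failed dial-up is usually a mismatch on the firewall side. The following is an added example, not code from the Huawei documentation, that compares a set of firewall proposals (constructed, hypothetical dictionaries) against those client parameters and reports which one differs:

```python
# Added example (not from the Huawei documentation): compares a firewall's IKE and
# IPSec proposals against the parameters the Mac OS L2TP over IPSec client expects.

# Client-side requirements taken from the Mac configuration described above.
MAC_IKE = {"mode": "main", "encryption": "3DES", "authentication": "SHA-1",
           "auth_method": "pre-shared-key"}
MAC_IPSEC = {"mode": "transport", "encryption": "3DES", "authentication": "MD5"}


def _norm(value):
    """Compare names case-insensitively and ignoring dashes (SHA-1 == sha1)."""
    return str(value).strip().lower().replace("-", "").replace("_", "")


def check_phase(required, proposals):
    """Compare every firewall proposal of one phase with the client's requirements.
    Returns {"match": index of the first compatible proposal or None,
             "mismatches": one list of (parameter, expected, found) per proposal}.
    A parameter absent from a proposal is reported with found=None."""
    report = []
    for proposal in proposals:
        diffs = [(param, want, proposal.get(param))
                 for param, want in required.items()
                 if proposal.get(param) is None or _norm(proposal[param]) != _norm(want)]
        report.append(diffs)
    match = next((i for i, diffs in enumerate(report) if not diffs), None)
    return {"match": match, "mismatches": report}


def check_mac_client(fw_ike_proposals, fw_ipsec_proposals):
    """Phase 1 (IKE) and phase 2 (IPSec) compatibility of a firewall with the Mac client."""
    return {"ike": check_phase(MAC_IKE, fw_ike_proposals),
            "ipsec": check_phase(MAC_IPSEC, fw_ipsec_proposals)}


if __name__ == "__main__":
    # Constructed firewall configuration (hypothetical): the first IKE proposal
    # uses aggressive mode and the IPSec proposal uses tunnel mode, so the Mac
    # client's negotiation would fail in phase 2 even though IKE proposal 2 fits.
    ike = [{"mode": "aggressive", "encryption": "3des", "authentication": "sha1",
            "auth_method": "PRE-SHARED-KEY"},
           {"mode": "main", "encryption": "3des", "authentication": "sha1",
            "auth_method": "PRE-SHARED-KEY"}]
    ipsec = [{"mode": "tunnel", "encryption": "3des", "authentication": "md5"}]
    for phase, result in check_mac_client(ike, ipsec).items():
        print(phase, "compatible proposal:", result["match"], result["mismatches"])
```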

Other related questions:
Method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000
The method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000 is as follows:
Configure the L2TP over IPSec user address segment using the CLI:
# Define an address pool and allocate an IP address to the dial-up user.
[LNS] aaa
[LNS-aaa] ip pool 1 10.1.1.1 10.1.1.100
# Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
# Allocate an address in the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
Configure the L2TP over IPSec user address segment using the web UI:
Configure the L2TP parameters.
1. Choose Network > L2TP > L2TP.
2. In Configure L2TP, select Enable and click Apply.
3. In L2TP Group List, click New.
4. Set Group Type to LNS.
5. Configure the L2TP parameters. The server address shall be in the same network segment as the addresses in the address pool. In this way, you do not need to configure a route. Peer Tunnel Name must be consistent with Local Tunnel Name configured on the LAC.
Group Type: LNS
Peer Tunnel Name: LAC
Tunnel Password Authentication: Enable
Password Type: Ciphertext
Tunnel password: Hello123
Confirm Tunnel password: Hello123
User Group: default
Set the user address allocation parameters as follows:
Server Address/Subnet Mask: 10.2.1.1/255.255.255.0
User Address Pool: 10.2.1.2-10.2.1.100
6. Click OK.
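The rule that the server address and the user address pool share one network segment can be checked before the configuration is applied. The following is an added example, not code from the Huawei documentation; it validates the web UI values above and a constructed mis-configuration using Python's standard ipaddress module:

```python
# Added example (not from the Huawei documentation): validates an L2TP user address
# pool against the server address/subnet mask, applying the rule stated above that
# both must be in the same network segment so that no route is required.
import ipaddress


def validate_pool(server_ip, netmask, pool_start, pool_end):
    """Return a list of problems; an empty list means the pool is acceptable.
    Checks: addresses parse, the pool is ordered, the whole pool lies within the
    server's segment, the server address is not handed out to dial-up users, and
    the network and broadcast addresses are not part of the pool."""
    try:
        server = ipaddress.IPv4Interface(f"{server_ip}/{netmask}")
        start = ipaddress.IPv4Address(pool_start)
        end = ipaddress.IPv4Address(pool_end)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    if start > end:
        return ["pool start is greater than pool end"]
    problems = []
    net = server.network
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not within the server segment {net}; "
                        "a route would be required")
    if start <= server.ip <= end:
        problems.append(f"server address {server.ip} lies inside the user pool")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


def pool_size(pool_start, pool_end):
    """Number of dial-up users the pool can serve at the same time."""
    return int(ipaddress.IPv4Address(pool_end)) - int(ipaddress.IPv4Address(pool_start)) + 1


if __name__ == "__main__":
    # Values from the web UI example above, followed by a constructed mis-configuration.
    print(validate_pool("10.2.1.1", "255.255.255.0", "10.2.1.2", "10.2.1.100"))   # []
    print(pool_size("10.2.1.2", "10.2.1.100"))                                      # 99
    print(validate_pool("10.2.1.1", "255.255.255.0", "10.3.1.2", "10.3.1.100"))
```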

Pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000
The pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000 are as follows:
1. Port 500 is initially used for IKE negotiation. After the NAT-T capability detection and NAT gateway detection are complete, the UDP port that encapsulates ISAKMP messages is changed to 4500. This port is used for subsequent negotiations and data transmission.
2. L2TP is registered with UDP port 1701. However, this port is only used for initial tunnel establishment. The L2TP tunnel initiator (LAC) selects any idle port (not necessarily port 1701) to send packets to port 1701 on the receiver end; upon receiving the packets, the LNS also selects any idle port (not necessarily port 1701) to send packets to the port specified by the LAC. Therefore, the ports of both ends are fixed and remain unchanged for the duration of the tunnel connection.
3. According to the L2TP over IPSec mechanism, packets are encapsulated by L2TP first and then by IPSec. Therefore, port 1701, which carries the L2TP packets, is used as the matching condition, and all encapsulated L2TP packets are transmitted over the IPSec tunnel.
Therefore, if L2TP over IPSec is configured but no NAT traversal is available, port 500 and port 1701 are configured as pass-through ports. If NAT traversal is available, port 500, port 4500, and port 1701 are configured as pass-through ports.
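The port behaviour described above can be modelled to derive the pass-through set and to check a captured tunnel flow for consistency. The following is an added example, not code from the Huawei documentation; the packet capture it checks is constructed, and the tracker is a model of the description above rather than the firewall's own logic:

```python
# Added example (not from the Huawei documentation): a model of the UDP port
# behaviour described above, used to derive pass-through ports and to check
# that both ends of an L2TP tunnel keep their ports once chosen.
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701


def passthrough_ports(nat_traversal):
    """UDP ports to permit between the client and the firewall."""
    return {IKE_PORT, NAT_T_PORT, L2TP_PORT} if nat_traversal else {IKE_PORT, L2TP_PORT}


class L2tpPortTracker:
    """Learns the port pair of one tunnel from its first exchange: the LAC sends
    from any idle port to 1701 on the LNS, the LNS replies from the port it
    chooses to the LAC's port, and both ports then stay fixed for the tunnel."""

    def __init__(self):
        self.lac_port = None
        self.lns_port = None

    def accept(self, direction, sport, dport):
        if direction == "lac->lns":
            if self.lac_port is None:             # tunnel initiation
                if dport != L2TP_PORT:
                    return False                  # must target UDP 1701 on the LNS
                self.lac_port = sport
                return True
            expected = L2TP_PORT if self.lns_port is None else self.lns_port
            return sport == self.lac_port and dport == expected
        if direction == "lns->lac":
            if self.lac_port is None or dport != self.lac_port:
                return False                      # reply must go to the LAC's chosen port
            if self.lns_port is None:
                self.lns_port = sport             # LNS fixes its port on the first reply
                return True
            return sport == self.lns_port
        raise ValueError(f"unknown direction {direction!r}")


def check_flow(packets):
    """Run (direction, sport, dport) tuples through a tracker; True means consistent."""
    tracker = L2tpPortTracker()
    return [tracker.accept(*packet) for packet in packets]


# Constructed capture: the LAC picks 51000, the LNS replies from 1701, then the
# LAC changes its source port mid-tunnel, which the tracker flags as inconsistent.
SAMPLE_FLOW = [("lac->lns", 51000, 1701), ("lns->lac", 1701, 51000),
               ("lac->lns", 51000, 1701), ("lac->lns", 51001, 1701)]
```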

Method used to configure L2TP over IPSec on the AR
L2TP over IPSec can be used to ensure secure communication between the branch and headquarters, that is, between the LAC and the LNS. This function is applicable to all versions and models of AR series routers. For details, see Configuration Guide-VPN.

Method used to configure L2TP parameters on the USG2000 and USG5000
The method used to configure L2TP parameters on the USG2000 and USG5000 is as follows:
1. allow l2tp
The allow l2tp command is used to specify the name of the peer tunnel that accepts the call and the Virtual-Template to be used.
allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ] [ vpn-instance vpn-instance-name ]
2. call-lns local-user
The call-lns local-user command is used to perform L2TP dial-up on the LAC to access the LNS, so as to establish an L2TP tunnel.
call-lns local-user username
3. l2tp domain suffix-separator
The l2tp domain suffix-separator command is used to set the domain suffix separator.
l2tp domain suffix-separator separator
4. l2tp match-order
The l2tp match-order command is used to set the order in which the called number and domain name are used to search for the L2TP group.
l2tp match-order { dnis | dnis-domain | domain | domain-dnis }
5. l2tp sendaccm enable
The l2tp sendaccm enable command is used to enable the sending of ACCM messages by the L2TP. By default, this function is enabled.
l2tp sendaccm enable
6. l2tp-group
The l2tp-group command is used to create an L2TP group.
l2tp-group group-number
7. l2tpmoreexam enable
The l2tpmoreexam enable command is used to enable the LNS to accept L2TP connection requests initiated by different L2TP instances using the same tunnel name.
l2tpmoreexam enable
8. l2tp up-down log enable
The l2tp up-down log enable command is used to enable the sending of logs when L2TP users go online or offline.
l2tp up-down log enable
9. mandatory-chap
The mandatory-chap command is used to force the LNS to perform CHAP authentication of the client again. By default, the system does not re-authenticate using CHAP.
mandatory-chap
10. mandatory-lcp
The mandatory-lcp command is used to re-negotiate the Link Control Protocol (LCP) between the LNS and the client. By default, the system does not re-negotiate the LCP.
mandatory-lcp
11. start l2tp
The start l2tp command is used to specify the trigger conditions for originating calls when the local end serves as the L2TP LAC.
start l2tp { lns-domain domain-name | ip ip-address &<1-5> } { domain domain-name | fullusername user-name } [ vpn-instance vpn-instance-name ]
12. tunnel authentication
The tunnel authentication command is used to enable L2TP tunnel authentication.
tunnel authentication
13. tunnel avp-hidden
The tunnel avp-hidden command is used to configure the transmission mode in which Attribute Value Pair (AVP) data is hidden.
tunnel avp-hidden
14. tunnel name
The tunnel name command is used to specify the local tunnel name.
tunnel name tunnel-name
15. tunnel password
The tunnel password command is used to specify the password used for tunnel authentication.
tunnel password cipher password
16. tunnel source
The tunnel source command is used to configure the source interface used by the LAC to initiate a tunnel establishment request to the LNS.
tunnel source loopback interface-number
17. tunnel timer hello
The tunnel timer hello command is used to set the interval for sending Hello packets over the tunnel.
tunnel timer hello interval
18. virtual-l2tpforward enable
When the IP address used by the LNS to access the intranet and the IP addresses allocated by the LNS to clients are in the same network segment, you can use the virtual-l2tpforward enable and arp-proxy enable commands together to enable the L2TP virtual forwarding function.
virtual-l2tpforward enable
