Note: SoftEther can do this, but it does not work when the AIS MFW is also being used to terminate other tunnels.
- Go to VPN > L2TP
- Click “Enable”
- Choose “Interface” (most of the time this will be WAN)
- Server Address (the firewall's end of the L2TP link)
- Remote Range (the address pool handed out to connecting clients)
- Number of L2TP users
- Secret: leave blank (no L2TP secret)
- Authentication: CHAP (the L2TP session runs inside the IPSec tunnel, so the CHAP exchange is protected by IPSec)
- Primary L2TP DNS: 184.108.40.206
- Go to VPN > L2TP > Users
- Add users (the username must be FIRSTNAME.LASTNAME, with a period between the two)
- Set Password
- Go to VPN > IPSec > Mobile Clients
- Enable IKE Extensions
- Click on “Local Database”
- Leave “Group Auth” at None
- Leave every other option unchecked except the DNS server entries
Note: The first time you do this, it will ask you to set up a Mobile Phase 1 tunnel. The process is the same if you set it up later.
- Either click on “Set up Phase 1 Mobile Tunnel” or go to VPN > IPSec > Tunnels
- Click Add P1 (unless you arrived here from the mobile client “wizard”, in which case the Phase 1 form is already open)
- Key Exchange: choose V1
- Choose a WAN interface
- Auth Method is Mutual PSK
- Negotiation: Main
- My Identifier: My IP address
- Encryption: 3DES
- Hash: SHA1
- DH Group: 2
- Lifetime: 28800
- The only other boxes to check are Responder Only and Dead Peer Detection (clear everything else)
- Go to VPN > IPSec > Pre-Shared Keys
- Click “Add”
- Identifier: allusers (this is a keyword, so the key applies to every remote user that shares this pre-shared key)
- Secret Type: PSK
- Pre-Shared Key: enter the key (this is essentially a second password that every user shares)
If there are no other tunnels, two tabs will have been added to the Rules page (IPSec and L2TP).
- Go to Firewall > Rules > IPSec
- Add a rule that permits any source to any destination for any protocol, and save it
- Go to Firewall > Rules > L2TP and do the same
- Go to the WAN tab and make sure UDP 500 and UDP 4500 are allowed to reach “This Firewall”
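The following is an added example, not part of the original guide and not pfSense code: a small audit that models the Phase 1 values the guide tells you to enter, plus the two WAN rules, as plain Python data (the dict keys and the `this_firewall` destination label are this example's own names, not pfSense config keys). It checks the structural points the guide relies on (IKEv1, main mode, mutual PSK, Responder Only, DPD, UDP 500/4500 reachable, no raw L2TP on WAN) and reports which of the guide's algorithm choices (3DES, SHA1, DH group 2) are below current strength recommendations. The guide's values are kept as given; the audit only tells you what you would raise if every client supports stronger settings.

```python
"""Audit a mobile-client Phase 1 and the WAN exposure for an L2TP/IPsec setup.

Added example, not part of the original guide and not pfSense code. The
Phase 1 is modelled as a plain dict whose keys are this example's own names,
constructed to mirror the values the guide tells you to enter. The WAN rule
list is likewise constructed. Output is a list of human-readable findings.
"""

# Constructed to mirror the guide's Phase 1 values.
GUIDE_PHASE1 = {
    "key_exchange": "v1",
    "auth_method": "mutual_psk",
    "negotiation": "main",
    "encryption": "3des",
    "hash": "sha1",
    "dh_group": 2,
    "lifetime": 28800,
    "responder_only": True,
    "dpd": True,
}

# Constructed: (protocol, destination port, destination) for the WAN rules.
GUIDE_WAN_RULES = [
    ("udp", 500, "this_firewall"),   # ISAKMP
    ("udp", 4500, "this_firewall"),  # NAT-T
]

# Effective key strength in bits; 3DES is keyed with 168 bits but is 112-bit effective.
EFFECTIVE_KEY_BITS = {"3des": 112, "aes128": 128, "aes192": 192, "aes256": 256}
# Modulus size of the IKE MODP Diffie-Hellman groups.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MODERN_HASHES = {"sha256", "sha384", "sha512"}


def audit_phase1(cfg):
    """Return findings for a Phase 1 dict; an empty list means nothing to report."""
    findings = []
    # Structural expectations for the mobile Phase 1 the guide sets up.
    if cfg.get("key_exchange") != "v1":
        findings.append("key_exchange: the mobile L2TP/IPsec setup in the guide uses IKEv1")
    if cfg.get("auth_method") != "mutual_psk":
        findings.append("auth_method: expected mutual_psk (paired with the 'allusers' pre-shared key)")
    if cfg.get("negotiation") != "main":
        findings.append("negotiation: expected main mode")
    if not cfg.get("responder_only"):
        findings.append("responder_only: should be checked; the firewall never initiates to roaming clients")
    if not cfg.get("dpd"):
        findings.append("dpd: dead peer detection should be checked so dropped clients are cleaned up")
    # Algorithm strength.
    enc = cfg.get("encryption", "")
    bits = EFFECTIVE_KEY_BITS.get(enc)
    if bits is None:
        findings.append(f"encryption: unrecognised algorithm {enc!r}")
    elif bits < 128:
        findings.append(f"encryption: {enc} gives {bits}-bit effective strength; "
                        "use aes128/aes256 once every client supports it")
    if cfg.get("hash") not in MODERN_HASHES:
        findings.append(f"hash: {cfg.get('hash')} is legacy; prefer sha256")
    group = cfg.get("dh_group")
    modp = MODP_BITS.get(group)
    if modp is None:
        findings.append(f"dh_group: group {group!r} is not a MODP group this check knows")
    elif modp < 2048:
        findings.append(f"dh_group: group {group} is {modp}-bit MODP; prefer group 14 (2048-bit) or higher")
    if cfg.get("lifetime", 0) > 86400:
        findings.append("lifetime: longer than a day; rekey at least daily")
    return findings


def audit_wan_rules(rules):
    """Check that IKE/NAT-T can reach the firewall and raw L2TP is not exposed on WAN."""
    findings = []
    allowed = {(proto, port) for proto, port, dst in rules if dst == "this_firewall"}
    for port in (500, 4500):
        if ("udp", port) not in allowed:
            findings.append(f"WAN: udp/{port} is not allowed to this firewall; clients cannot negotiate IKE")
    if ("udp", 1701) in allowed:
        findings.append("WAN: udp/1701 is open on WAN; L2TP should only arrive inside the IPsec tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit_phase1(GUIDE_PHASE1) + audit_wan_rules(GUIDE_WAN_RULES):
        print("-", finding)
```

Run as-is it lists the three strength findings for the guide's values; feed it the settings of a Phase 1 that uses AES, SHA256 and DH group 14 and the Phase 1 section comes back clean.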
To Test on a Mac
- Open Network Preferences
- Click on the “+”
- Change Interface to VPN
- Change Type to L2TP
- Rename the Service to whatever is clear for you and/or the user.
- Server address - enter the FQDN or the IP of the MFW interface you chose in the steps above.
- Account name - enter the account you created above.
- Click on “Authentication Settings”
- User Authentication - enter the password you assigned to the user above.
- Machine Authentication - enter the Pre-Shared Key and click “OK”.
- Click on “Advanced” and check “Send all traffic over VPN connection” and click “OK”.
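Once the service is connected, the two things worth confirming from the Mac are that the service really reports Connected and that the IPv4 default route now points at the PPP link (which is what “Send all traffic over VPN connection” should produce). The following is an added example, not part of the original guide: it parses the output of two standard macOS commands, `scutil --nc status <service>` (whose first line is the connection state) and `netstat -rn` (the routing table). The parsers work on captured text and are exercised on constructed samples; `check_live()` runs the real commands and is only meaningful on the Mac you configured. The service name "Office VPN" is an assumed placeholder for whatever you named the service.

```python
"""Verify from the Mac side that the L2TP/IPsec service is up and carries all traffic.

Added example, not part of the original guide. Parses `scutil --nc status`
and `netstat -rn` output; samples below are constructed.
"""
import subprocess

# Constructed sample: what `scutil --nc status` prints once the service is up.
SAMPLE_STATUS = """Connected
Extended Status <dictionary> {
  PPP : <dictionary> {
    Status : 8
  }
}
"""

# Constructed sample: IPv4 default route moved onto ppp0 after
# "Send all traffic over VPN connection"; en0's default is demoted (flag I).
SAMPLE_NETSTAT_FULL = """Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.0.8.1           UGScg           ppp0
default            192.168.1.1        UGScIg          en0
10.0.8.1           10.0.8.2           UHr             ppp0
192.168.1/24       link#6             UCS             en0      !

Internet6:
Destination                             Gateway                         Flags           Netif Expire
default                                 fe80::1%en0                     UGcg            en0
"""

# Constructed sample: the same Mac without that checkbox (split tunnel).
SAMPLE_NETSTAT_SPLIT = SAMPLE_NETSTAT_FULL.replace(
    "default            10.0.8.1           UGScg           ppp0\n", "")


def vpn_state(status_text):
    """First non-empty line of `scutil --nc status`: Connected, Disconnected, ..."""
    for line in status_text.splitlines():
        if line.strip():
            return line.strip()
    return "Unknown"


def default_route_interface(netstat_text):
    """Interface of the first IPv4 'default' route in `netstat -rn`, or None.

    The Netif column is located from the header line, so this also copes
    with older macOS versions that print extra Refs/Use columns.
    """
    in_v4, netif_col = False, None
    for line in netstat_text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break  # stop before IPv6, whose default is usually still en0
        if not in_v4:
            continue
        fields = line.split()
        if fields[:1] == ["Destination"]:
            netif_col = fields.index("Netif")
        elif fields[:1] == ["default"] and netif_col is not None:
            return fields[netif_col]
    return None


def verify(status_text, netstat_text):
    """Return (ok, reasons); ok only if connected and the default route is a PPP link."""
    reasons = []
    state = vpn_state(status_text)
    if state != "Connected":
        reasons.append(f"service state is {state}")
    iface = default_route_interface(netstat_text)
    if iface is None or not iface.startswith("ppp"):
        reasons.append(f"default route is via {iface}, not the VPN; "
                       "check 'Send all traffic over VPN connection'")
    return (not reasons, reasons)


def check_live(service="Office VPN"):  # assumed service name
    """Run the real commands on this Mac and return verify()'s result."""
    status = subprocess.run(["scutil", "--nc", "status", service],
                            capture_output=True, text=True).stdout
    routes = subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout
    return verify(status, routes)


if __name__ == "__main__":
    ok, reasons = check_live()
    print("OK" if ok else "NOT OK: " + "; ".join(reasons))
```

Parsing only the `Internet:` section matters: the IPv6 default normally stays on the Ethernet or Wi-Fi interface, so a check that grabbed any `default` line would wrongly report a split tunnel.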