Apple client L2TP on AIS Managed Firewall

Note: SoftEther can do this, but it doesn’t work when the AIS MFW is also being used to terminate other tunnels.

  1. Go to VPN > L2TP
  2. Click “Enable”
  3. Choose “Interface” (most of the time this will be WAN)
  4. Server Address
  5. Remote Range
  6. Number of L2TP users
  7. No Secret
  8. Authentication: CHAP (it runs inside an IPSec tunnel, so it is secure)
  9. Primary L2TP DNS:
  10. Save


  1. Go to VPN > L2TP > Users
  2. Add users (usernames must be in the form FIRSTNAME.LASTNAME; the period between the names is required)
  3. Set Password
  4. Save


  1. Go to VPN > IPSec > Mobile Clients
  2. Enable IKE Extensions
  3. Click on “Local Database”
  4. Leave “Group Auth” at None
  5. Nothing else should be checked except the DNS servers
  6. Save

Note: The first time you do this, it will ask you to set up a Mobile Phase 1 tunnel. The process is the same if you set it up later.

  1. Either click on “Set up Phase 1 Mobile Tunnel” or go to VPN > IPSec > Tunnels
  2. Once you are here, click on Add P1 (or you are already here if you came from the “wizard” for adding mobile client support).
  3. Key Exchange: choose V1
  4. Choose a WAN interface
  5. Auth Method is Mutual PSK
  6. Negotiation: Main
  7. My Identifier: My IP address
  8. Encryption: 3DES
  9. Hash: SHA1
  10. DH Group: 2
  11. Lifetime: 28800
  12. The only other boxes checked are Responder Only and Dead Peer Detection (clear everything else)
  13. Save

Pre-Shared Keys

  1. Go to VPN > IPSec > Pre-Shared Keys
  2. Click “Add”
  3. Identifier: allusers (this is a keyword, so the key applies to all remote users, who will share this pre-shared key)
  4. Secret Type: PSK
  5. Pre-Shared Key (this is essentially a second password)
  6. Save


If there are no other tunnels, there will have been two additions to the Rules page (IPSec and L2TP).

  1. Go to Firewall > Rules > IPSec
  2. Add a rule that permits everything, to everything, for all of the IP suite and save it
  3. Go to Firewall > Rules > L2TP and do the same
  4. Go to WAN and make sure UDP:500 and UDP:4500 are allowed to access “this firewall”
  5. Save

To Test on a Mac

  1. Open Network Preferences
  2. Click on the “+”
  3. Change Interface to VPN
  4. Change Type to L2TP
  5. Rename the Service to whatever is clear for you and/or the user.
  6. Server address - enter the FQDN or the IP of the Interface of the MFW you set up in the steps above.
  7. Account name - enter the account you created above.
  8. Click on “Authentication Settings”
  9. User Authentication - enter the password you assigned to the user above.
  10. Machine Authentication - enter the Pre-Shared Key and click “OK”.
  11. Click on “Advanced” and check “Send all traffic over VPN connection” and click “OK”.
  12. Test
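
Added example (not part of the original procedure or of any AIS tooling): if the test fails during Phase 1, the SA proposal in the first IKEv1 Main Mode message travels unencrypted on UDP 500 and can be read from a packet capture. The Python below decodes one ISAKMP Transform payload and reports where it differs from the Phase 1 settings listed above; the function names and the two sample payloads are constructed for illustration.

```python
import struct

# IKEv1 attribute classes and values (RFC 2409, Appendix A); subset only.
ATTRS = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group",
         11: "life_type", 12: "life_duration", 14: "key_length"}
NAMES = {"encryption": {1: "DES", 5: "3DES", 7: "AES"},
         "hash": {1: "MD5", 2: "SHA1", 4: "SHA2-256"},
         "auth": {1: "PSK", 3: "RSA-SIG"},
         "life_type": {1: "seconds", 2: "kilobytes"}}

# Phase 1 values from the steps above.
EXPECTED = {"encryption": "3DES", "hash": "SHA1", "auth": "PSK",
            "dh_group": 2, "life_type": "seconds", "life_duration": 28800}

def parse_transform(payload: bytes) -> dict:
    """Decode the SA attributes of one ISAKMP Transform payload."""
    if len(payload) < 8:
        raise ValueError("truncated transform header")
    _nxt, _rsv, length, _num, tid = struct.unpack_from("!BBHBB", payload)
    if length != len(payload) or tid != 1:      # 1 = KEY_IKE
        raise ValueError("not a complete KEY_IKE transform")
    out, pos = {}, 8                            # attributes follow the header
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute")
        atype, val = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if atype & 0x8000:                      # AF=1: 2-byte value inline
            value = val
        else:                                   # AF=0: val is a byte length
            if pos + val > length:
                raise ValueError("attribute overruns payload")
            value = int.from_bytes(payload[pos:pos + val], "big")
            pos += val
        name = ATTRS.get(atype & 0x7FFF, f"attr_{atype & 0x7FFF}")
        out[name] = NAMES.get(name, {}).get(value, value)
    return out

def mismatches(offered: dict) -> dict:
    """Return {setting: (offered, expected)} for every difference."""
    return {k: (offered.get(k), v) for k, v in EXPECTED.items()
            if offered.get(k) != v}

# Constructed sample transforms (not from a real capture).
MATCHING = bytes.fromhex("0000002401010000800100058002000280030001"
                         "80040002800b0001000c000400007080")
OTHER = bytes.fromhex("000000240201000080010007800e010080020004"
                      "800300018004000e800b0001800c0e10")
```

An empty result from mismatches() means the offered transform lines up with the configured Phase 1 entry; any key it returns names a setting to compare against the firewall's P1 page.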