If you use preshared keys together with aggressive mode negotiation in your configuration, choose long, obscure preshared keys that are unlikely to be recovered by a dictionary attack. It is also recommended that you change these keys periodically.
Click OK to save your configurations.
Configure the data policy
- From the VPN interface, right-click Data policies and select New Data Policy.
- On the General page, specify the name of the data policy. For example, l2tpremoteuser.
- Go to the Proposals page. A proposal is a collection of protocols that the initiating and responding key servers use to establish a dynamic connection between two endpoints. You can use a single data policy in several connection objects. However, not all remote VPN key servers necessarily have the same data policy properties. Therefore, you can add several proposals to one data policy. When establishing a VPN connection to a remote key server, there must be at least one matching proposal in the data policy of the initiator and the responder.
- Click Add to add a data policy transform.
- Select Transport for the encapsulation mode.
- Click OK to return to the Transforms page.
- Specify a key expiration value.
- Click OK to save your new data policy.
Configure the dynamic-key group
- From the VPN interface, expand Secure Connections.
- Right-click By Group and select New Dynamic-Key Group.
- On the General page, specify a name for the group. For example, l2tptocorp.
- Select Protects a locally initiated L2TP tunnel.
- For system role, select Both systems are hosts.
- Go to the Policy page. Select the data policy you created in the step Configure the data policy, l2tpremoteuser, from the Data policy drop-down list.
- Select Local system initiates connection to indicate that only System-A can initiate connections with System-B.
- Go to the Connections page. Select Generate the following policy filter rule for this group. Click Edit to define the parameters of the policy filter.
- On the Policy Filter - Local Addresses page, select Key Identifier for the identifier type.
- For the identifier, select the key identifier, thisisthekeyid, that you defined in the IKE policy.
- Go to the Policy Filter - Remote Addresses page. Select IP version 4 address from the Identifier type drop-down list.
- Enter 205.13.237.6 in the Identifier field.
- Go to the Policy Filter - Services page. Enter 1701 in the Local Port and Remote Port fields. Port 1701 is the well-known port for L2TP.
- Select UDP from the Protocol drop-down list.
- Click OK to return to the Connections page.
- Go to the Interfaces page. Select any line or PPP profile to which this group will apply. You have not created the PPP profile for this group yet. After you do so, you will need to edit the properties of this group so that the group applies to the PPP profile you create in the next step.
- Click OK to create the dynamic-key group, l2tptocorp.
Configure the dynamic-key connection
- From the VPN interface, expand By Group. This displays a list of all dynamic-key groups you have configured on System-A.
- Right-click l2tptocorp and select New Dynamic-Key Connection.
- On the General page, specify an optional description for the connection.
- For the remote key server, select Version 4 IP address for the identifier type.
- Select 205.13.237.6 from the IP address drop-down list.
- Deselect Start on-demand.
- Go to the Local Addresses page. Select Key identifier for the identifier type and then select thisisthekeyid from the Identifier drop-down list.
- Go to the Remote Addresses page. Select IP version 4 address for the identifier type.
- Enter 205.13.237.6 in the Identifier field.
- Go to the Services page. Enter 1701 in the Local Port and Remote Port fields. Port 1701 is the well-known port for L2TP.
- Select UDP from the Protocol drop-down list.
- Click OK to create the dynamic-key connection.
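The two rules the procedure depends on, namely that the initiator and responder must share at least one data policy proposal and that the generated policy filter selects only UDP port 1701 traffic between System-A's key-identified address and 205.13.237.6, can be checked with the following added example. It is not part of the original documentation or of the product; the proposal attribute names and the local address 192.0.2.10 used in the test are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, Optional

@dataclass(frozen=True)
class Proposal:
    encapsulation: str  # "Transport" for the L2TP scenario, or "Tunnel"
    encryption: str     # e.g. "AES-128" (assumed names, not the product's own list)
    integrity: str      # e.g. "HMAC-SHA1"

def first_matching_proposal(initiator: Iterable[Proposal],
                            responder: Iterable[Proposal]) -> Optional[Proposal]:
    """Negotiation succeeds only if some proposal appears in both data
    policies; the initiator's ordering decides which common one is used."""
    accepted = set(responder)
    for p in initiator:
        if p in accepted:
            return p
    return None  # no common proposal: the dynamic connection cannot be established

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int

# The policy filter rule generated for group l2tptocorp (values from the procedure).
L2TP_RULE = {"remote": ip_address("205.13.237.6"), "protocol": "UDP",
             "local_port": 1701, "remote_port": 1701}

def rule_selects(pkt: Packet, local_addrs: Iterable[str], rule=L2TP_RULE) -> bool:
    """True if the packet falls under the filter and is therefore protected by
    the dynamic-key connection. The local side is identified by key id, not
    address, so the caller supplies the address(es) currently held by System-A."""
    local = {ip_address(a) for a in local_addrs}
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.protocol != rule["protocol"]:
        return False
    outbound = (src in local and dst == rule["remote"]
                and pkt.sport == rule["local_port"] and pkt.dport == rule["remote_port"])
    inbound = (src == rule["remote"] and dst in local
               and pkt.sport == rule["remote_port"] and pkt.dport == rule["local_port"])
    return outbound or inbound
```

Note that a packet sent from an ephemeral source port is not selected by this filter, which is why both the Local Port and Remote Port fields are set to 1701 in the procedure.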