It is unlikely that you will set up L2TP as a standalone protocol, as it provides no authentication or encryption on its own. The more likely scenario is setting up an L2TP/IPsec tunnel. L2TP configuration is not difficult, as we shall see.
L2TP configuration starts by navigating to VPN | L2TP. On the Configuration tab, there are several options. The Enable checkbox enables the L2TP server, if checked. In the next section (Configuration), the Interface drop-down menu lets you select the interface on which the L2TP server is listening for connections. As with IPsec, this is almost always the WAN interface.
The Server address field is the IP address of the L2TP server. This IP address should be an unused one, and it is typically in the same subnet as the client addresses. The next field, the Remote address range edit box, is for entering the starting IP address of the client subnet. The Number of L2TP users drop-down box is where you select the number of clients allowed to connect. To calculate the ending IP address, take the starting IP address plus the number of L2TP users allowed, minus one.
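The address arithmetic above, as an added example that is not part of the original text or of pfSense itself: it derives the ending client address from the starting address and user count, and then checks that the server address is unused (outside the client range) and that the whole range stays within the intended subnet. The subnet and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample subnet for L2TP clients (not a value from the page).
EXAMPLE_SUBNET = "192.168.200.0/24"


def l2tp_client_range(remote_start, num_users):
    """Return (first, last) client addresses.

    Mirrors the rule in the text: ending address = starting address
    + number of L2TP users - 1.
    """
    if num_users < 1:
        raise ValueError("Number of L2TP users must be at least 1")
    first = ipaddress.ip_address(remote_start)
    last = first + (num_users - 1)
    return first, last


def check_l2tp_addressing(server_address, remote_start, num_users, subnet):
    """Return a list of configuration problems (an empty list means OK).

    Checks that the server address and the whole client range sit inside
    the chosen subnet, and that the server address does not fall inside
    the range handed out to clients (it must be an unused address).
    """
    net = ipaddress.ip_network(subnet, strict=False)
    server = ipaddress.ip_address(server_address)
    first, last = l2tp_client_range(remote_start, num_users)
    problems = []
    if server not in net:
        problems.append(f"server address {server} is outside {net}")
    if first not in net or last not in net:
        problems.append(f"client range {first}-{last} leaves {net}")
    if first <= server <= last:
        problems.append(f"server address {server} collides with client range")
    return problems


if __name__ == "__main__":
    # Starting at .10 with 10 users ends at .19, and .1 is a free server address.
    print(l2tp_client_range("192.168.200.10", 10))
    print(check_l2tp_addressing("192.168.200.1", "192.168.200.10", 10, EXAMPLE_SUBNET))
    # Placing the server inside the client range is flagged.
    print(check_l2tp_addressing("192.168.200.15", "192.168.200.10", 10, EXAMPLE_SUBNET))
```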
In the Secret edit boxes, enter the shared secret (you must enter it twice). In the Authentication type drop-down box, you can choose the authentication protocol. There are currently three choices:
- Challenge Handshake Authentication Protocol (CHAP): A peer trying to establish a connection to the server is sent a challenge message, which, along with the secret, becomes the input to a one-way hash function. The authenticator computes the expected hash value itself; if it matches the peer's reply, the peer is authenticated. This is the default choice.
- MS-CHAPv2: This is Microsoft's version of CHAP, considered weak because it uses 56-bit DES encryption.
- Password Authentication Protocol (PAP): This involves sending unencrypted passwords over the network, and is easily the least secure of all the available protocols.
The last two options in this section are for the Primary L2TP DNS Server and the Secondary L2TP DNS Server.
The next section is labeled RADIUS. There is a checkbox in this section that allows you to enable RADIUS authentication. If you check this box, you must enter a series of RADIUS options. When you are done making changes on this page, click on the Save button.
There is also a Users tab. From this tab, you can add L2TP clients. To do so, click on the Add button on the page. The configuration page for users is simple: enter an appropriate Username and Password in the corresponding fields. The password must be entered twice. The IP Address field is optional; it allows you to assign the user to a specific IP address. Click on the Save button when you are finished.