Setup Android L2TP VPN

10/14/2021 33 People found this article helpful 55,279 Views

Description

This article explains how to configure a L2TP VPN in order to connect from Android Devices.

Deployment Steps:

Configure VPN settings
Configure L2TP Server
Configure a Sonicwall User
Then last configure the device.

Resolution

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

WanGroupVPN settings

Go to Manage | VPN | Base Settings page, make sure the “Enable VPN” box in the top left corner of the page is checked.
Under the VPN Polices section, click the edit button on the WAN GroupVPN line as shown below
Select IKE using Preshared Secret and enter the Shared Secret as shown below as an example:

Authentication Method: "IKE using Preshared Secret"
Name: WAN GroupVPN
Shared Secret: type a passphrase (you will enter this is into the Droid later)

Go to the Proposals Tab

NOTE: To successfully establish a VPN tunnel the L2TP (VPN) client and the Remote VPN device must agree upon the same set of Proposals/Transform Payloads (differs from client to client), please refer the following article for complete details: List of IPSec and L2TP client proposals

IKE (Phase 1) Proposal

DH Group = Group 2
Encryption = 3DES
Authentication = SHA1
Life Time (seconds) 28800

IPSec (Phase 2) Proposal

Protocol = ESP
Encryption = 3DES

Authentication = SHA1
Enable Perfect Forward Secrecy = not checked
Life Time (seconds) 28800

Go to Advanced tab and select Accept Multiple proposals for Clients

Enable Windows Networking (NetBIOS) Broadcast = checked
Enable Multicast = not checked

The new Accept Multiple Proposals for Clients checkbox allows multiple VPN or L2TP clients using different security policies to connect to a NG firewall.

Management via this SA: = nothing checked
Default Gateway: 0.0.0.0

Require authentication of VPN clients by XAUTH = Checked
User group for XAUTH users: "Trusted Users"

Go to the Client tab

Cache XAUTH User Name and Password on Client: Single Session or Always
Virtual Adapter settings: = DHCP Lease
Allow Connections to: = Split Tunnels
Set Default Route as this Gateway = Unchecked
Use Default Key for Simple Client Provisioning = Checked

L2TP Server Settings

Go to Manage | VPN | L2TP Server page Enable L2TP Server and click on the Button "Configure".

Keep alive time (Sec): 60
DNS Server 1: your DNS Server
DNS Server 2: your secondary DNS Server
WINS Server 1: if you have one
WINS Server 2:

IP Address Settings
Select L2TP Users | "Use the Local L2TP IP pool" and configure your Start IP Lease and End IP Lease range. The Sonicwall will auto-create an address object and rules for this range. It can be a separate IP range. In the shown example is IP Start 192.168.60.67 with an end range of 192.168.60.70. At the bottom of the page, select "Trusted Users" from the Dropdown menu next to “User group for L2TP users”. This is the same group you select on the Advance tab in the WAN GroupVPN settings.
Go to Manage | Users | Local Users & Groups page and click the Add User button.

Make the user part of the Group "Trusted Users" on the Groups tab.

In the VPN Access list – as a minimum add these networks: LAN Subnets/LAN Primary Subnet and L2TP IP Pool.

Android Settings

Configure the Android: Go the settings | More connection settings

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

On the VPN | Settings page, make sure the Enable VPN box in the top left corner of the page is checked.
Under the VPN Polices section, click the edit button on the WAN GroupVPN line.

Authentication Method: "IKE using Preshared Secret"
Name: WAN GroupVPN
Shared Secret: type a passphrase (you will enter this is into the Droid later)

Second Tab "Proposals"