Setup Android L2TP VPN
10/14/2021
Description
This article explains how to configure an L2TP VPN on the SonicWall so that Android devices can connect to it.
Deployment Steps:
- Configure VPN settings
- Configure L2TP Server
- Configure a Sonicwall User
- Configure the Android device
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
WanGroupVPN settings
- Go to the Manage | VPN | Base Settings page and make sure the "Enable VPN" box in the top left corner of the page is checked.
Under the VPN Policies section, click the edit button on the WAN GroupVPN line. Select IKE using Preshared Secret and enter the Shared Secret, for example:
Authentication Method: IKE using Preshared Secret
Name: WAN GroupVPN
Shared Secret: type a passphrase (you will enter this on the Android device later)
NOTE: To successfully establish a VPN tunnel, the L2TP (VPN) client and the remote VPN device must agree on the same set of Proposals/Transform Payloads (these differ from client to client). Refer to the following article for complete details: List of IPSec and L2TP client proposals
IKE (Phase 1) Proposal
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800
IPSec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy: not checked
Life Time (seconds): 28800
- Go to the Advanced tab and select Accept Multiple Proposals for Clients. This checkbox allows multiple VPN or L2TP clients using different security policies to connect to a NG firewall.
Enable Windows Networking (NetBIOS) Broadcast: checked
Enable Multicast: not checked
Management via this SA: nothing checked
Default Gateway: 0.0.0.0
Require authentication of VPN clients by XAUTH: checked
User group for XAUTH users: Trusted Users
- On the Client tab:
Cache XAUTH User Name and Password on Client: Single Session or Always
Virtual Adapter settings: DHCP Lease
Allow Connections to: Split Tunnels
Set Default Route as this Gateway: unchecked
Use Default Key for Simple Client Provisioning: checked
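To make the NOTE about matching proposals concrete (it applies equally to the SonicOS 6.2 section below), here is an added Python model of how a firewall's configured proposal and the Accept Multiple Proposals for Clients checkbox decide whether a client's IKE Phase 1 offer is accepted. This is example code written for this page, not SonicOS code or anything from the article; the Proposal class, the wider accepted set and the client offers are constructed, and only the DH group, encryption and authentication fields are compared.

```python
"""Simplified model of the proposal agreement the article's NOTE describes.

Constructed example, NOT SonicOS code. It compares only the DH group,
encryption and authentication fields the article lists; lifetime handling,
transform ordering and vendor quirks are deliberately out of scope.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    dh_group: int        # IKE Phase 1 DH group (2 = 1024-bit MODP, as on the page)
    encryption: str      # "3DES", "AES-128", "AES-256", ...
    authentication: str  # "SHA1", "SHA256", ...


# The WAN GroupVPN Phase 1 proposal exactly as the article configures it.
SERVER_PROPOSAL = Proposal(dh_group=2, encryption="3DES", authentication="SHA1")

# A wider set the firewall could accept when "Accept Multiple Proposals for
# Clients" is checked. Constructed for this example; the article does not
# specify what the firewall actually accepts in that mode.
SERVER_ACCEPTED_WHEN_MULTIPLE = frozenset({
    SERVER_PROPOSAL,
    Proposal(14, "AES-256", "SHA256"),
    Proposal(2, "AES-128", "SHA1"),
})


def negotiate(client_proposals: Sequence[Proposal],
              accept_multiple: bool) -> Optional[Proposal]:
    """Return the first client proposal the server agrees to, else None.

    Without the checkbox the server agrees only to its single configured
    proposal; with it, to anything in its accepted set. Client order is
    honoured, mirroring an initiator listing transforms by preference.
    """
    acceptable = SERVER_ACCEPTED_WHEN_MULTIPLE if accept_multiple else {SERVER_PROPOSAL}
    for proposal in client_proposals:
        if proposal in acceptable:
            return proposal
    return None


# Constructed client offers: modern-first with a legacy fallback, legacy only,
# and a client that offers nothing the single configured proposal matches.
MODERN_CLIENT = [Proposal(14, "AES-256", "SHA256"), Proposal(2, "3DES", "SHA1")]
LEGACY_CLIENT = [Proposal(2, "3DES", "SHA1")]
AES128_ONLY_CLIENT = [Proposal(2, "AES-128", "SHA1")]

if __name__ == "__main__":
    for name, offer in [("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT),
                        ("aes128-only", AES128_ONLY_CLIENT)]:
        for flag in (False, True):
            print(name, "accept_multiple=%s" % flag, "->", negotiate(offer, flag))
```

The aes128-only client is the case the NOTE warns about: it connects only once the checkbox is set, because its offer never matches the single configured 3DES/SHA1/Group 2 proposal.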
L2TP Server Settings
- Go to the Manage | VPN | L2TP Server page, check Enable L2TP Server, and click the "Configure" button.
Keep alive time (Sec): 60
DNS Server 1: your DNS Server
DNS Server 2: your secondary DNS Server
WINS Server 1: if you have one
WINS Server 2:
IP Address Settings
Select L2TP Users | "Use the Local L2TP IP pool" and configure your Start IP Lease and End IP Lease range. The SonicWall will auto-create an address object and rules for this range. It can be a separate IP range. In the example, the Start IP is 192.168.60.67 and the End IP is 192.168.60.70. At the bottom of the page, select "Trusted Users" from the dropdown menu next to "User group for L2TP users". This is the same group you select on the Advanced tab in the WAN GroupVPN settings.
- Go to Manage | Users | Local Users & Groups page and click the Add User button.
Make the user part of the Group "Trusted Users" on the Groups tab.
In the VPN Access list, add at least these networks: LAN Subnets/LAN Primary Subnet and L2TP IP Pool.
Android Settings
Configure the Android device: go to Settings | More connection settings.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
- On the VPN | Settings page, make sure the Enable VPN box in the top left corner of the page is checked.
Under the VPN Policies section, click the edit button on the WAN GroupVPN line.
Authentication Method: IKE using Preshared Secret
Name: WAN GroupVPN
Shared Secret: type a passphrase (you will enter this on the Android device later)
Second Tab "Proposals"
NOTE: To successfully establish a VPN tunnel, the L2TP (VPN) client and the remote VPN device must agree on the same set of Proposals/Transform Payloads (these differ from client to client). Refer to the following article for complete details: List of IPSec and L2TP client proposals
IKE (Phase 1) Proposal
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800
IPSec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy: not checked
Life Time (seconds): 28800
"Advanced" tab
Select Accept Multiple Proposals for Clients. This checkbox allows multiple VPN or L2TP clients using different security policies to connect to a NG firewall.
Enable Windows Networking (NetBIOS) Broadcast: checked
Enable Multicast: not checked
Management via this SA: nothing checked
Default Gateway: 0.0.0.0
Require authentication of VPN clients by XAUTH: checked
User group for XAUTH users: Trusted Users
"Client" tab
Cache XAUTH User Name and Password on Client: Single Session or Always
Virtual Adapter settings: DHCP Lease
Allow Connections to: Split Tunnels
Set Default Route as this Gateway: unchecked
Use Default Key for Simple Client Provisioning: checked
L2TP Server Settings
- Go to the VPN | L2TP Server page and click the "Configure" button.
Keep alive time (Sec): 60
DNS Server 1: your DNS Server
DNS Server 2: your secondary DNS Server
WINS Server 1: if you have one
WINS Server 2:
IP Address Settings
Select "Use the Local L2TP IP pool" and configure your Start IP Lease and End IP Lease range. The SonicWall will auto-create an address object and rules for this range. It can be a separate IP range.
In the example, the Start IP is 192.168.60.67 and the End IP is 192.168.60.70. At the bottom of the page, select "Trusted Users" from the dropdown menu next to "User group for L2TP users".
NOTE: This is the same group you select on the Advanced tab in the WAN GroupVPN settings.
- Go to the Users | Local Users page and click the Add User button. Make the user part of the Group "Trusted Users".
In the VPN Access list, add at least these networks: LAN Subnets/LAN Primary Subnet and L2TP IP Pool.
Android Settings
Configure the Android device: open the Apps page and select the Settings icon.