Setup Android L2TP VPN

03/26/2020 25 20822

DESCRIPTION:

This article explains how to configure a L2TP VPN in order to connect from Android Devices.

Deployment Steps:

1. Configure VPN settings
2. Configure L2TP Server
3. Configure a Sonicwall User
4. Then last configure the device.

RESOLUTION:

1. On the VPN | Settings page, make sure the Enable VPN box in the top left corner of the page is checked.
   Under the VPN Polices section, click the edit button on the WAN GroupVPN line.
   

Second Tab "Proposals"

NOTE: To successfully establish a VPN tunnel the L2TP (VPN) client and the Remote VPN device must agree upon the same set of Proposals/Transform Payloads (differs from client to client), please refer the following article for complete details: List of IPSec and L2TP client proposals

IKE (Phase 1) Proposal DH Group = Group 2 Encryption = 3DES Authentication = SHA1 Life Time (seconds) 28800 IPSec (Phase 2) Proposal Protocol = ESP Encryption = 3DES Authentication = SHA1 Enable Perfect Forward Secrecy = not checked Life Time (seconds) 28800

"Advanced" tab

Enable Windows Networking (NetBIOS) Broadcast = checked Enable Multicast = not checked The new Accept Multiple Proposals for Clients checkbox allows multiple VPN or L2TP clients using different security policies to connect to a NG firewall. Management via this SA: = nothing checked Default Gateway: 0.0.0.0 Require authentication of VPN clients by XAUTH = Checked User group for XAUTH users: "Trusted Users"

"Client" tab

Cache XAUTH User Name and Password on Client: Single Session or Always Virtual Adapter settings: = DHCP Lease Allow Connections to: = Split Tunnels Set Default Route as this Gateway = Unchecked Use Default Key for Simple Client Provisioning = Checked

L2TP Server Settings

1. Go to the VPN | L2TP Server page and click on the button "Configure".
   Keep alive time (Sec): 60
   DNS Server 1: your DNS Server
   DNS Server 2: your secondary DNS Server
   WINS Server 1: if you have one
   WINS Server 2:
   
   IP Address Settings
   Select "Use the Local L2TP IP pool" and configure your Start IP Lease and End IP Lease range. The Sonicwall will auto-create an address object and rules for this range. It can be a separate IP range.
   In the shown example is IP Start 192.168.60.67 with an end range of 192.168.60.70. At the bottom of the page, select "Trusted Users" from the Dropdown menu next to “User group for L2TP users”.
   

   NOTE: This is the same group you select on the Advanced tab in the WAN GroupVPN settings. 
   

   
2. Go to the Users | Local Users page and click the Add User button. Make the user part of the Group "Trusted Users".
   In the VPN Access list – as a minimum add these networks: LAN Subnets/LAN Primary Subnet and L2TP IP Pool.

Android Settings

Configure the Android. Go the setting APP page and select the Settings icon.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

WanGroupVPN settings

1. Go to Manage | VPN | Base Settings page, make sure the “Enable VPN” box in the top left corner of the page is checked.
   Under the VPN Polices section, click the edit button on the WAN GroupVPN line as shown below
2. Select IKE using Preshared Secret and enter the Shared Secret as shown below as an example:

• Go to the Proposals Tab

NOTE: To successfully establish a VPN tunnel the L2TP (VPN) client and the Remote VPN device must agree upon the same set of Proposals/Transform Payloads (differs from client to client), please refer the following article for complete details: List of IPSec and L2TP client proposals

IKE (Phase 1) Proposal DH Group = Group 2 Encryption = 3DES Authentication = SHA1 Life Time (seconds) 28800 IPSec (Phase 2) Proposal Protocol = ESP Encryption = 3DES Authentication = SHA1 Enable Perfect Forward Secrecy = not checked Life Time (seconds) 28800

• Go to Advanced tab and select Accept Multiple proposals for Clients

Enable Windows Networking (NetBIOS) Broadcast = checked Enable Multicast = not checked The new Accept Multiple Proposals for Clients checkbox allows multiple VPN or L2TP clients using different security policies to connect to a NG firewall. Management via this SA: = nothing checked Default Gateway: 0.0.0.0 Require authentication of VPN clients by XAUTH = Checked User group for XAUTH users: "Trusted Users"

• Go to the Client tab

Cache XAUTH User Name and Password on Client: Single Session or Always Virtual Adapter settings: = DHCP Lease Allow Connections to: = Split Tunnels Set Default Route as this Gateway = Unchecked Use Default Key for Simple Client Provisioning = Checked

L2TP Server Settings

1. Go to Manage | VPN | L2TP Server page Enable L2TP Server and click on the Button "Configure".
   
   Keep alive time (Sec): 60
   DNS Server 1: your DNS Server
   DNS Server 2: your secondary DNS Server
   WINS Server 1: if you have one
   WINS Server 2:
   
   IP Address Settings
   Select L2TP Users | "Use the Local L2TP IP pool" and configure your Start IP Lease and End IP Lease range. The Sonicwall will auto-create an address object and rules for this range. It can be a separate IP range. In the shown example is IP Start 192.168.60.67 with an end range of 192.168.60.70. At the bottom of the page, select "Trusted Users" from the Dropdown menu next to “User group for L2TP users”. This is the same group you select on the Advance tab in the WAN GroupVPN settings.
   
2. Go to Manage | Users | Local Users & Groups page and click the Add User button.

Make the user part of the Group "Trusted Users" on the Groups tab.

In the VPN Access list – as a minimum add these networks: LAN Subnets/LAN Primary Subnet and L2TP IP Pool.

Android Settings

Configure the Android: Go the settings | More connection settings