L2TP

Because L2TP provides neither authentication nor encryption on its own, it is unlikely that you will ever set up L2TP as a standalone VPN protocol. A more likely scenario is that you set up an L2TP/IPsec tunnel, in which users can connect to the IPsec tunnel directly or connect via L2TP, with the IPsec traffic then carried within the L2TP tunnel. Fortunately, L2TP configuration is much easier than IPsec configuration, and implementing it should make our VPN accessible to a greater number of users.

To begin L2TP configuration, navigate to VPN | L2TP. This should take you to the Configuration tab. The Enable checkbox, when checked, enables the L2TP server. In the Configuration section, the Interface drop-down allows you to select the interface on which the L2TP server is listening for connections (almost always WAN).

In the Server address field, you must enter the gateway IP address of the L2TP server. It should be an unused IP address, usually on the same subnet as the client addresses. The Remote address range field is where you enter the starting IP address of the client subnet. There is a drop-down box labeled Number of L2TP users where you select the number of clients allowed. The starting IP address plus the number of L2TP users minus one will be the ending IP address.
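The arithmetic above is easy to get wrong when the pool is sized to the edge of a subnet, or when the server address is accidentally placed inside the client range. The following helper is an added example (not pfSense code and not from the original text) that computes the ending address the way the text describes and flags the two common mistakes; the function names, the sample addresses and the subnet used for the check are assumptions chosen for illustration.

```python
import ipaddress

def l2tp_pool_end(remote_start: str, n_users: int) -> str:
    """Ending client address = starting address + number of L2TP users - 1."""
    if n_users < 1:
        raise ValueError("Number of L2TP users must be at least 1")
    start = ipaddress.ip_address(remote_start)
    return str(start + (n_users - 1))

def check_l2tp_pool(server_address: str, remote_start: str,
                    n_users: int, subnet: str) -> list:
    """Return a list of problems with the proposed L2TP addressing.

    Checks performed (all assumptions about what a sane layout looks like):
      - the server (gateway) address must not fall inside the client pool
      - server and the whole client pool should sit in the same subnet
      - the pool must not swallow the network or broadcast address
    """
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    server = ipaddress.ip_address(server_address)
    start = ipaddress.ip_address(remote_start)
    end = ipaddress.ip_address(l2tp_pool_end(remote_start, n_users))

    if start <= server <= end:
        problems.append("server address lies inside the client pool")
    if server not in net:
        problems.append("server address is outside the subnet")
    if start not in net or end not in net:
        problems.append("client pool extends beyond the subnet")
    else:
        if start == net.network_address or end == net.broadcast_address:
            problems.append("client pool includes the network or broadcast address")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(l2tp_pool_end("10.10.10.10", 16))                   # 10.10.10.25
    print(check_l2tp_pool("10.10.10.1", "10.10.10.10", 16, "10.10.10.0/24"))
    print(check_l2tp_pool("10.10.10.15", "10.10.10.10", 16, "10.10.10.0/24"))
```

Run it before committing a pool size in the webConfigurator: an empty list means the server address, the pool and the subnet are consistent; anything else names the specific mistake to fix.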

The Secret field is where you can enter a shared secret (there are two edit boxes, as the secret must be entered twice). Next is the Authentication type drop-down box; there are currently three different options for the protocol to use for authentication:

  • Challenge Handshake Authentication Protocol (CHAP): When a peer tries to establish a connection, the authenticator sends a challenge message to the peer. The peer replies with a value calculated using a one-way hash function in which the challenge and the secret are inputs to the function (the handshake). The authenticator checks the response, based on its own calculation of what the hash value should be, and if there is a match, the peer is authenticated. This is the default choice and it is considered relatively secure because the secret (or password) is encrypted before it is sent.
  • MS-CHAPv2: This is Microsoft's version of CHAP, which differs from standard CHAP in several ways (for example, it uses CHAP Algorithm 0x80, and provides authenticator-control mechanisms for password change and authentication retry). It is also considered weak, since it uses 56-bit DES encryption, which is vulnerable to brute-force attacks using modern hardware, so take that into account.
  • Password Authentication Protocol (PAP): The least secure of all the protocols, this authentication protocol transmits unencrypted passwords over the network.
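To make the CHAP handshake in the first bullet concrete, here is an added example (not part of the original text and not pfSense or PPP daemon code) that plays both sides of a CHAP exchange as specified in RFC 1994: the authenticator issues a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes the same value from its own copy of the secret. The function names and the sample secret are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: RFC 1994 response = MD5(Identifier || secret || Challenge).

    The secret itself never goes on the wire; only this 16-byte digest does.
    """
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side: recompute the expected digest and compare.

    compare_digest avoids leaking which byte mismatched through timing.
    """
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def chap_exchange(peer_secret: bytes, authenticator_secret: bytes,
                  identifier: int = 1, challenge: bytes = None) -> bool:
    """Run one complete challenge/response round and return the verdict.

    A fresh random challenge per round is what prevents a captured
    response from being replayed later; reusing challenges undoes that.
    """
    if challenge is None:
        challenge = secrets.token_bytes(16)
    # 1. authenticator -> peer: (identifier, challenge)
    # 2. peer -> authenticator: (identifier, response)
    response = chap_response(identifier, peer_secret, challenge)
    # 3. authenticator checks the response against its own secret copy
    return chap_verify(identifier, authenticator_secret, challenge, response)

if __name__ == "__main__":
    # Constructed sample secret, not a real credential.
    print(chap_exchange(b"example-shared-secret", b"example-shared-secret"))  # True
    print(chap_exchange(b"example-shared-secret", b"wrong-secret"))           # False
```

Note what the authenticator must hold to verify: the cleartext secret (or a per-user copy of it), which is why the secret store on the L2TP server deserves the same protection as the RADIUS shared secret mentioned later on this page.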

The next section, RADIUS, has a checkbox that allows you to enable RADIUS authentication. If you check this box, then you will have to enter a series of RADIUS options, including server IP address and shared secret. When you are done making changes, click on the Save button.

There is also a Users tab for adding L2TP clients. To add a user, click on this tab and click on the Add button below the table (which lists users already added). The User configuration page is pretty self-explanatory. You enter the username in the Username edit box and the password in the Password edit boxes (the password must be entered twice). The IP Address edit box is optional and you can use it to assign the user a specific IP address. When you are done, click on the Save button.
