SONICWALL防火墙 L2TP ***配置方法



在经过多次的SonicWALL 防火墙调试的实际案例中,部分客户对L2TP***的技术问题要求比较多,根据我们的经验,特别罗列出SonicWALL防火墙L2PT***的配置方法,仅供参考。


This document explains how to configure L2TP Client access to the SonicWALL Group*** SA using the built-in L2TP Server and Microsoft's L2TP *** Client. Access will be granted to the LAN behind the SonicWALL security appliance for L2TP client users, and all Internet traffic for these users will also be routed through the *** tunnel. This is not a split tunnel configuration. This guide is for SonicOS Enhanced 2.x, 3.x, 4.x and 5.x firmware. The guide is intended for Microsoft Windows XP Service Pack 2 (SP2) users. Non-SP 2 or SP1 users may not be able to use this guide, as Microsoft has recently updated the L2TP client.

SonicWALL Appliance Configuration

Follow these steps to configure the SonicWALL security appliance to accept the L2TP connection:

Step 1: Select Network > Address Objects.

Step 2: Add the following address object:

  • Name: 'L2TP Subnet'
  • Type: Network
  • Network: (The Class C network address of your L2TP Pool)
  • Netmask:
  • Zone Assignment: *** 

Step 3: Select Users > Settings and make the following configuration change:

  • Authentication Method: RADIUS + Local Users

Step 4: Select *** > L2TP Server, enable the L2TP Server, click Configure and set the options as follows:

  • Keep alive time (secs): 60
  • DNS Server 1: (or use your ISP's DNS)
  • DNS Server 2: (or use your ISP's DNS)
  • DNS Server 3: (or use your ISP's DNS)
  • WINS Server 1: (or use your WINS IP)
  • WINS Server 2: (or use your WINS IP)
  • IP address provided by RADIUS/LDAP Server: Disabled
  • Use the Local L2TP IP Pool: Enabled
  • Start IP: *EXAMPLE*
  • End IP: *EXAMPLE* Note: Use any unique private range.
  • User Group for L2TP Users: Trusted Users or Everyone

Step 5: Select Users > Local Users.

Step 6: Add a user and add these objects to the *** Access list:

  • L2TP Subnet
  • WAN RemoteAccess Networks
  • LAN Primary IP
  • LAN Subnets

NOTE: Alternatively, you can add these networks to the Everyone or Trusted Users Group. Also, add any other Address Objects to which you require access.

Step 7: Select Network > NAT Policies and add a NAT Policy with these settings:

  • Original Source: L2TP Subnet
  • Translated Source: WAN Primary IP
  • Original Destination: Any
  • Translated Destination: Original
  • Original Service: Any
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: WAN or X1
  • Comment: L2TP Client NAT
  • Enable NAT Policy: Enabled
  • Create a reflexive policy: Disabled

Step 8: Select *** > Settings and configure the WAN Group*** policy with the following settings:

General tab:
  • Enter a Shared Secret.
Proposals tab:
  • IKE (Phase 1) Proposal
  • DH Group: Group 2
  • Encryption: 3DES
  • Authentication: SHA1
  • Life Time (seconds): 28800
  • IPSec (Phase 2) Proposal
  • Protocol: ESP
  • Encryption: 3DES
  • Authentication: SHA1
  • Enable Perfect Forward Secrecy (PFS): Disabled (Optional)
  • DH Group: Disabled (Not applicable if PFS is disabled)
  • Life Time (seconds): 28800
Advanced tab:
  • Enable Windows Network (NetBIOS) Broadcast: Enabled (Optional)
  • Enable Multicast: Disabled (Optional)
  • Management via this SA:
  • HTTP: Enabled (Optional)
  • HTTPS: Enabled (Optional)
  • Default LAN Gateway: Public (WAN) IP of the SonicWALL.
  • Require Authentication of *** Clients via XAUTH: Enabled
  • User Group for XAUTH Users: Trusted Users or Everyone
  • Allow Unauthenticated *** Client Access: Disabled
Client tab:
  • Cache XAUTH User Name and Password on Client: Always
  • Virtual Adapter settings: DHCP Lease
  • Allow Connections to: "This Gateway only" or "All Secured Gateways" (if you need access to site-to-site ***'s).
  • Set Default Route as this Gateway: Enabled
  • Require Global Security Client for this Connection: Disabled
  • Use Default Key for Simple Client Provisioning: Disabled

Step 9: Select *** > DHCP over ***, choose Central Gateway, click Configure and make the following adjustments:

  • Use Internal DHCP Server: Enabled
  • For Global *** Client: Enabled
  • For Remote Firewall: Disabled
  • Send DHCP requests to the server address listed below: Disabled
  • Relay IP Address (Optional):

Step 10: Select Firewall > Access Rules and Add this *** to WAN rule:

  • From Zone: ***
  • To Zone: WAN
  • Source: WAN Remote Access Networks
  • Destination: Any
  • Service: Any
  • Action Allow
  • Users: All


  • Microsoft Windows XP Service Pack (SP) 2 L2TP clients will not be able to connect with the SonicWALL’s L2TP server if the appliance is behind a NAT device. See the Microsoft Knowledge Base article 885407 entitled The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2 for a System Registry modification that reverses this situation.
  • The L2TP client in Windows XP Service Pack 2 utilizes an updated NAT Traversal implementation (NAT-T v2) which is not currently supported on SonicOS Standard firmware.

The SonicWALL portion of the configuration is complete.

L2TP Client Configuration

Follow these steps to configure the L2TP client on Microsoft Windows XP Professional, Service Pack 2:

  1. Go to the Control Panel.
  2. Go to Network Connections.
  3. Open the New Connection Wizard. Click Next.
  4. Choose "Connect to the network at my workplace." ClickNext.
  5. Choose "Virtual Private Network Connection." Click Next.
  6. Enter a name for your *** connection. Click Next.
  7. Enter the Public (WAN) IP address of the SonicWALL. Alternatively, you can use a domain name that points to the SonicWALL. Click Next, then click Finish. The connection window will appear. Click Properties.
  8. Go to the Security tab. Click on "IPSec Settings". Enable "Use pre-shared key for authentication". Enter your pre-shared secret. Click OK.
  9. Go to the Networking tab. Change "Type of ***" from "Automatic" to "L2TP IPSec ***". Click OK.
  10. Enter your XAUTH username and password. Click Connect.

Once the connection has been established, Internet access should be available. Access to the internal network will also be available.