Creating an internal L2TP VPN connection

Note: We recommend that you limit any zone bridging from the nominated interface to other interfaces. Tunnels connecting to the nominated additional interface are assigned an IP address on the L2TP internal interface, as shown in the L2TP settings region. If a zone bridge is created between the additional nominated interface and the L2TP interface, the VPN can be circumvented, which limits its usefulness.


  • Configure the L2TP settings:
    1. On the NETWORK menu, under the VPN submenu, click Global.
    2. Under the L2TP settings section, from the L2TP client internal interface list, select an internal network interface.
    3. For further VPN settings, click Advanced ».
      1. Under the Advanced section, to turn on a keep-alive mechanism on tunnels that support it, select the Enable Dead Peer Detection option.
      2. To copy TOS bits into the tunnel from the outside as VPN traffic is received, and conversely in the other direction, select the Copy TOS (Type of Service) bits in and out of tunnels option.
    4. Click Save.
  • Create a certificate for the L2TP client. For details, see our help topic, Importing and creating certificates.


  1. On the NETWORK menu, under the VPN submenu, click L2TP road warriors.
  2. Under the Create new tunnel section, enter a meaningful Name for this tunnel.
  3. From the Local IP list, select the external IP address to use for this tunnel.
  4. Enter the Client IP address for this connection.
  5. Enter the Username and Password for this connection.
  6. From the Authenticate by list, choose how the client is authenticated. To dedicate this connection to a specific user, choose the user’s certificate from the list. To allow any valid certificate holder to use this tunnel, choose Certificate presented by peer. If your organization anticipates supporting many road warrior connections, we recommend that you authenticate by a specific certificate for easier management.
  7. From the L2TP client OS list, select the L2TP client's operating system.
  8. Click Advanced » and, from the Local certificate list, select Default.
  9. Click Add.

Follow-up task

  • To configure client access to the L2TP tunnel, refer to your Microsoft Windows documentation.