How to configure L2TP VPN with Android Mobile Devices

Zyxel_Charlie
Zyxel_Charlie Posts: 1,034
50 Answers 500 Comments Friend Collector Fourth Anniversary
 Zyxel Employee
edited June 29 in VPN
The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely and allow traffic from L2TP clients to go to the Internet.
Topology:
 
Note:
All network IP addresses and subnet masks are used as examples in this article.  
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG310 (Firmware Version: 4.13) and Android version (Firmware Version: 5.0)
 

Step

Step 1: Set Up the L2TP VPN Tunnel on the ZyWALL/USG

1. In the ZyWALL/USG, go to CONFIGURATION > Quick Setup > VPN Setup Wizard, use the VPN Settings for L2TP VPN Settings wizard to create a L2TP VPN rule that can be used with the remote Android Mobile Devices. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
 
2. Then, configure the Rule Name and set My Address to be the wan1 interface which is connected to the Internet. Type a secure Pre-Shared Key (8-32 characters).
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings
 
3. Assign the remote users IP addresses range from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel and check Allow L2TP traffic Through WAN to allow traffic from L2TP clients to go to the Internet. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (L2TP VPN Settings)
 
4. This screen provides a read-only summary of the VPN tunnel. Click Save.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings (Summary)
 
5. Now the rule is configured on the ZyWALL/USG. The rule settings appear in the VPN > L2TP VPN screen. Click Close to exit the wizard.
Quick Setup > VPN Setup Wizard > Welcome > VPN Settings > Wizard Completed
 
6. Go to CONFIGURATION > VPN > L2TP VPN > Create new Object > User to add User Name and Password (4-24 characters). Then, set Allowed User to the newly created object (L2TP_Remote_Users/zyx168 in this example).
CONFIGURATION > VPN > L2TP VPN > Create new Object > User
Configure the L2TP VPN
 
7. If some of the traffic from the L2TP clients need to go to the Internet, create a policy route to send traffic from the L2TP tunnels out through a WAN trunk. Set Incoming to Tunnel and select your L2TP VPN connection. Set the Source Address to be the L2TP address pool. Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
CONFIGURATION > Network > Routing > Policy Route
 
Tagged:

Comments

  • Hi i tried this tuto, never worked, and tried other tutorials too, I didn't found a solution to connect via l2tp, can you pleas help me, I did exactly the way you explained 
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 338
    25 Answers First Comment Friend Collector First Anniversary
     Master Member

    Can you provide your device config file to us via private message for further investigation?

  • anno_t34
    anno_t34 Posts: 12
    Friend Collector
     Freshman Member
    edited December 2021
    Could you provide a USEFUL documentation, instead of spreading the same misleading documentation, like this one.

    Just read the first paragraph of this tutorial:

    "The example instructs how to configure the VPN tunnel between each site. When the VPN tunnel is configured, each site can be accessed securely and allow traffic from L2TP clients to go to the Internet."

    What a nonsense!

    Have a look at the picture above. Is the "Networking Pool" on the other side of the tunnel, on the "Android Device"? Really?

    The old saying RTFM does apply only if the FM are correct and well written, which unfortunately for zywall manuals, since Zywall 2 if i remember, is not the case.

    Regards,
    A.


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 338
    25 Answers First Comment Friend Collector First Anniversary
     Master Member

    Hi @anno_t34

     

    Thanks for your suggestion.

    We had corrected this title to “How to configure L2TP VPN with Android Mobile Devices”

    You can refer to our latest handbook of P.242~253.

    https://download.zyxel.com/ATP500/handbook/ATP500_ZLD5.10_Handbook.pdf

    BTW, "Networking Pool” means the L2TP client's IP address pool.


  • anno_t34
    anno_t34 Posts: 12
    Friend Collector
     Freshman Member
    1. Title "IPSec/L2TP Connection: RemoteClient to Site (zywall Server Role).
    2. Enumerate the requirements for implementing the connection.
    2.1 : Server Side requirements, includes ISP services.
    2.3 : Client Side requirements, includes ISP services.

    Can you build an IPSec/L2TP VPN Connection from a client device which is behind a firewall, that filters IPSec/L2TP protocols?

    Can you build an IPSec/L2TP VPN Connection to a VPN Server which is NAT'ed by the ISP (private NAT or CGNAT, out of your control?

    How can you build an IPSec/L2TP VPN connection, if the VPN Server has a dynamic public IP address?

    Anyway, establishing an IPSec/L2TP channel per se has no value. What matters is a full case scenario, that describes ALL steps including the implementation of the required firewall security policies, troubleshooting methods, etc.

    From the tutorial above, you can get the impression, that configuring a VPN connection is a piece of cake, which is not. Securing one is another story.

    I made this picture, that should provide a more realistic view of the landscape. Feel free to correct me, if I'm wrong.

    Regards,
    A.



  • Zyxel_Jeff
    Zyxel_Jeff Posts: 338
    25 Answers First Comment Friend Collector First Anniversary
     Master Member

    Thanks for your suggestion. 
    We will enhance the contents of the technical document for L2TP behind NAT scenarios in the future.