L2TP VPN configuration on Mac OS X

Description

SonicWall appliances allow remote users to connect to the network behind the SonicWall using the built-in L2TP client on Mac OS X over the IPsec VPN protocol. This article describes how to configure L2TP VPN on Mac OS X clients to connect to SonicWall UTM appliances.

  • Configure WAN group VPN on the SonicWall appliance.
  • Configure L2TP Server.
  • Configure user account.
  • Configure L2TP client on Mac OS X.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


Configure WAN group VPN on the SonicWall appliance

  • Log in to the SonicWall management interface, click Network, and navigate to IPSec VPN | Rules and Settings.
  • Make sure that the Enable VPN and WAN GroupVPN check boxes are enabled.
  • Click the configure icon for the WAN GroupVPN entry. The VPN policy window is displayed.
  • In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. Enter a shared secret in the Shared Secret field.
  • Click the Proposals tab, and use the default settings or choose the desired Encryption and Authentication options.
  • Click the Advanced tab.

    Enable the Accept Multiple Proposals for Clients check box, which allows multiple VPN or L2TP clients using different security policies to connect.
    Management via this SA: optionally, if you want remote users to manage the SonicWall security appliance, select the management method: HTTPS, SNMP or SSH.
    Require Authentication of VPN Clients via XAUTH: ensures that all users connecting to the corporate network are authenticated; unauthenticated traffic is not allowed to connect. The Trusted Users group is selected by default.

  • Click the Client tab and select the following settings.

    Cache XAUTH User Name and Password on Client: Single session
    Virtual Adapter Settings: DHCP Lease
    Allow Connections to: Split Tunnels
    Set Default Route as this Gateway: Disable
    Use Default Key for Simple Client Provisioning: Disable (if this option is enabled, GVC will not prompt for the pre-shared key).

Configure L2TP Server

  • Navigate to Network | IPSec VPN | L2TP Server.
  • Enable the L2TP Server. Click Configure.
  • Click L2TP Server Settings.

    Keep alive time (secs): 60
    DNS Server 1: (Use internal or your ISP's DNS)
    DNS Server 2: 4.2.2.2 (or use your ISP's DNS)
    DNS Server 3: 8.8.8.8 (or use your ISP's DNS)
    WINS Server 1: 0.0.0.0 (or use your WINS IP)
    WINS Server 2: 0.0.0.0 (or use your WINS IP)

  • Click L2TP User Settings.

    IP address provided by RADIUS/LDAP Server: Disabled
    Use the Local L2TP IP Pool: Enabled
    Start IP: 10.20.0.1 (Example) and End IP: 10.20.0.20 (Example)
    User Group for L2TP Users: Trusted Users

  • Click PPP Settings and select the authentication protocols in preferred order.

Configure User Accounts

  • Navigate to Device | Users | Local Users and Groups, and click Add User.
  • Under the Settings tab, enter the desired name and password.
  • Go to the Groups tab; the user should be a member of Trusted Users.
  • Navigate to the VPN Access tab and select the subnet that the user needs to access.
  • Click Save. For configuration on Mac OS X, scroll to the Configure clients on Mac OS X section of this KB.



Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.


Configure WAN group VPN on the SonicWall appliance

  1. Log in to the SonicWall management interface, click MANAGE, and navigate to VPN | Base Settings.
  2. Make sure that the Enable VPN and WAN GroupVPN check boxes are enabled.
  3. Click the configure icon for the WAN GroupVPN entry. The VPN policy window is displayed.
  4. In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. Enter a shared secret in the Shared Secret field.
  5. Click the Proposals tab, and use the default settings or choose the desired Encryption and Authentication options.
  6. Click the Advanced tab.
    Enable Windows Networking (NetBIOS) broadcast: allows access to remote network resources by browsing the Windows Network Neighborhood.
    Accept Multiple Proposals for Clients: if your SonicWall appliance is running SonicOS 5.8.0.5 or above, enable this check box, which allows multiple VPN or L2TP clients using different security policies to connect.
    Require Authentication of VPN Clients via XAUTH: ensures that all users connecting to the corporate network are authenticated; unauthenticated traffic is not allowed to connect. The Trusted Users group is selected by default.
    Management via this SA: optionally, if you want remote users to manage the SonicWall security appliance, select the management method, either HTTP or HTTPS.
  7. Click the Client tab and select the following settings.

    Cache XAUTH User Name and Password on Client: Single session
    Virtual Adapter Settings: DHCP Lease
    Allow Connections to: Split Tunnels
    Set Default Route as this Gateway: Disable
    Use Default Key for Simple Client Provisioning: Disable
  8. Click OK.

Configure L2TP Server

  1. Navigate to VPN | L2TP Server.
    Enable the L2TP Server. Click Configure.

  2. L2TP Server Settings
    Keep alive time (secs): 60
    DNS Server 1: (Use internal or your ISP's DNS)
    DNS Server 2: 4.2.2.2 (or use your ISP's DNS)
    DNS Server 3: 8.8.8.8 (or use your ISP's DNS)
    WINS Server 1: 0.0.0.0 (or use your WINS IP)
    WINS Server 2: 0.0.0.0 (or use your WINS IP)

  3. IP address settings
    IP address provided by RADIUS/LDAP Server: Disabled
    Use the Local L2TP IP Pool: Enabled
    Start IP: 10.20.0.1 (Example)
    End IP: 10.20.0.20 (Example)

  4. L2TP Users
    User Group for L2TP Users: Trusted Users

  5. Select the authentication protocols in preferred order.

    NOTE: This has to match the client.

  6. Click OK.

Configure User Accounts

  1. Select Users | Local Users and Groups.
  2. Click Add.
  3. Under the Settings tab, enter the desired name and password.
  4. Go to the Groups tab; the user should be a member of Trusted Users.
  5. Navigate to the VPN Access tab and select the subnet that the user needs to access.
  6. Click OK.


Configure clients on Mac OS X

  1. Click the System Preferences icon in the Dock.
  2. In the System Preferences window, under Internet & Network, click the Network icon.
  3. In the Network window, click the plus (+) button to create the L2TP VPN connection.
  4. For Interface, select VPN; for VPN Type, select L2TP over IPSec; and for Service Name, type a name of your choice. When done, click the Create button.
  5. On the Network screen, for Server Address, enter the public IP address of the SonicWall, and for Account Name, enter the user name you created on the SonicWall. When done, click the Authentication Settings button.
  6. For User Authentication, select Password and enter the account password that was created on the SonicWall. For Machine Authentication, select Shared Secret and enter the shared secret from the WAN GroupVPN policy. When done, click the OK button, then click the Advanced button.
  7. Click the Apply button, then click the Connect button to connect to the VPN.
  8. Once you are connected, you will see Status: Connected. To disconnect from the VPN, simply click the Disconnect button.

NOTE: If the VPN connects but you cannot access resources, see: L2TP/IPsec VPN connects but no access to remote LAN network on Mac OS X
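As an added example (not part of the SonicWall article, and not Apple or SonicWall code), the client settings from steps 4 to 6 above expressed as a macOS configuration profile (.mobileconfig), which an administrator can deploy instead of clicking through Network preferences on each Mac. The server address, account name and payload identifiers are constructed placeholders; the WAN GroupVPN shared secret is read from an environment variable rather than hard-coded, and the user password is left out so macOS prompts for it at connect time.

```python
import os
import plistlib
import uuid


def build_vpn_payload(server, account, shared_secret, service_name="SonicWall L2TP"):
    """Return the com.apple.vpn.managed payload for one L2TP over IPsec service."""
    if not shared_secret:
        raise ValueError("shared secret must not be empty")
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.l2tp." + account,  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": service_name,
        "UserDefinedName": service_name,  # the Service Name shown in Network preferences
        "VPNType": "L2TP",
        # Split tunnel, matching "Allow Connections to: Split Tunnels" on the SonicWall
        "OverridePrimary": False,
        "PPP": {
            "CommRemoteAddress": server,  # public IP of the SonicWall WAN interface
            "AuthName": account,          # local user created on the SonicWall
            # AuthPassword is left out on purpose: macOS prompts for it instead
        },
        "IPSec": {
            # "Machine Authentication: Shared Secret" in the GUI; bytes become <data>
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret.encode("utf-8"),
        },
    }


def build_profile(server, account, shared_secret):
    """Wrap the VPN payload in a top-level profile and return plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.l2tp.profile",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "L2TP over IPsec to SonicWall",
        "PayloadContent": [build_vpn_payload(server, account, shared_secret)],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed values; the WAN GroupVPN shared secret comes from the environment
    secret = os.environ.get("L2TP_SHARED_SECRET", "changeme")
    with open("sonicwall-l2tp.mobileconfig", "wb") as f:
        f.write(build_profile("203.0.113.10", "vpnuser", secret))
```

Double-clicking the generated file installs the service; because the profile carries the shared secret, protect it like the WAN GroupVPN secret itself.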
