L2TP VPN configuration on Mac OS X
03/16/2023
Description
SonicWall has the functionality to allow remote users to connect to the network behind the SonicWall using the built-in L2TP client on Mac OS X over the IPsec VPN protocol. This article focuses on configuring L2TP VPN on Mac OS X clients to connect to SonicWall UTM appliances.
Resolution
- Configure WAN group VPN on the SonicWall appliance.
- Configure L2TP Server.
- Configure user account.
- Configure L2TP client on MAC OS X.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that differ from the SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
Configure WAN group VPN on the SonicWall appliance
- Log in to the SonicWall management interface, click on Network, and navigate to IPSec VPN | Rules and Settings.
- Make sure that the Enable VPN and WAN Group VPN check boxes are enabled.
- Click the configure icon for the WAN GroupVPN entry. The VPN policy window is displayed.
- In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. Enter a shared secret in the Shared Secret Field.
- Click the Proposals tab, use the default settings or choose the desired Encryption and Authentication options.
- Click Advanced tab.
Enable the Accept Multiple Proposals for Clients checkbox, which allows multiple VPN or L2TP clients using different security policies to connect.
Management via this SA: optionally, if you want remote users to manage the SonicWall security appliance, select the management method (HTTPS, SNMP or SSH).
Require Authentication of VPN Clients via XAUTH: so that all users connecting to the corporate network are authenticated. Unauthenticated traffic will not be allowed to connect. The Trusted Users group is selected by default.
- Click the Client tab and select the following settings.
Cache XAUTH User Name and Password on Client: Single session
Virtual Adapter Settings: DHCP Lease
Allow Connections to: Split Tunnels
Set Default Route as this Gateway: Disable
Use Default Key for Simple Client Provisioning: Disable (if this option is enabled, GVC will not prompt for the pre-shared key).
Configure L2TP Server
- Navigate to Network | IPSec VPN | L2TP Server.
- Enable the L2TP Server. Click Configure.
- Click on L2TP Server Settings
Keep alive time (secs): 60
DNS Server 1: (Use internal or your ISP's DNS)
DNS Server 2: 4.2.2.2 (or use your ISP's DNS)
DNS Server 3: 8.8.8.8 (or use your ISP's DNS)
WINS Server 1: 0.0.0.0 (or use your WINS IP)
WINS Server 2: 0.0.0.0 (or use your WINS IP)
- Click on L2TP User settings
IP address provided by RADIUS/LDAP Server: Disabled
Use the Local L2TP IP Pool: Enabled
Start IP: 10.20.0.1 (Example) and End IP: 10.20.0.20 (Example)
- User Group for L2TP Users: Trusted Users
- Click on PPP Settings and select the authentication protocols in preferred order.
Configure User Accounts
- Navigate to Device | Users | Local Users and Groups and click Add User.
- Under the Settings tab, give the desired name and password.
- Go to the Groups tab; the user should be a member of Trusted Users.
- Navigate to the VPN Access tab and select the subnet that the user needs to access.
- Click Save. For configuration on Mac OS X, scroll to the Configure clients on Mac OS X section of this KB.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that differ from the SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
Configure WAN group VPN on the SonicWall appliance
- Log in to the SonicWall management interface, click on MANAGE, and navigate to VPN | Base Settings.
- Make sure that the Enable VPN and WAN Group VPN check boxes are enabled.
- Click the configure icon for the WAN GroupVPN entry. The VPN policy window is displayed.
- In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. Enter a shared secret in the Shared Secret field.
- Click the Proposals tab, use the default settings or choose the desired Encryption and Authentication options.
- Click Advanced tab.
Enable Windows Networking (NetBIOS) broadcast: allows access to remote network resources by browsing the Windows Network Neighborhood.
If your SonicWall appliance is running SonicOS 5.8.0.5 or above, enable the Accept Multiple Proposals for Clients checkbox, which allows multiple VPN or L2TP clients using different security policies to connect.
Require Authentication of VPN Clients via XAUTH: so that all users connecting to the corporate network are authenticated. Unauthenticated traffic will not be allowed to connect. The Trusted Users group is selected by default.
Management via this SA: optionally, if you want remote users to manage the SonicWall security appliance, select the management method, either HTTP or HTTPS.
- Click the Client tab and select the following settings.
Cache XAUTH User Name and Password on Client: Single session
Virtual Adapter Settings: DHCP Lease
Allow Connections to: Split Tunnels
Set Default Route as this Gateway: Disable
Use Default Key for Simple Client Provisioning: Disable
- Click OK.
Configure L2TP Server
- Navigate to VPN | L2TP Server.
- Enable the L2TP Server. Click Configure.
- L2TP Server Settings
Keep alive time (secs): 60
DNS Server 1: (Use internal or your ISP's DNS)
DNS Server 2: 4.2.2.2 (or use your ISP's DNS)
DNS Server 3: 8.8.8.8 (or use your ISP's DNS)
WINS Server 1: 0.0.0.0 (or use your WINS IP)
WINS Server 2: 0.0.0.0 (or use your WINS IP)
- IP address settings
IP address provided by RADIUS/LDAP Server: Disabled
Use the Local L2TP IP Pool: Enabled
Start IP: 10.20.0.1 (Example)
End IP: 10.20.0.20 (Example)
- L2TP Users
User Group for L2TP Users: Trusted Users
- Select the authentication protocols in preferred order.
NOTE: This has to match the client.
- Click OK.
Configure User Accounts
- Select Users | Local Users and Groups.
- Click Add.
- Under the Settings tab, give the desired name and password.
- Go to the Groups tab; the user should be a member of Trusted Users.
- Navigate to the VPN Access tab and select the subnet that the user needs to access.
- Click OK.
Configure clients on Mac OS X
- Click on the System Preferences icon in the Dock.
- On the System Preferences window, under Internet & Network, click the Network icon.
- On the Network window, click the plus (+) button to create an L2TP VPN connection.
- For Interface, select VPN; for VPN Type, select L2TP over IPSec; and for Service Name, type a name of your choice. When done, click the Create button.
- On the Network screen, for Server Address, enter the public IP address of the SonicWall, and for Account Name, enter the user name you created on the SonicWall. When done, click the Authentication Settings button.
- For User Authentication, select Password and enter the account password that was created on the SonicWall. For Machine Authentication, select Shared Secret. When done, click the OK button, then click the Advanced button.
- Click the Apply button, then, to connect to the VPN, click the Connect button.
- Once you are connected, you will see Status: Connected; to disconnect from the VPN, simply click the Disconnect button.
NOTE: For issues with being unable to access resources, please follow: L2TP/IPsec VPN connects but no access to remote LAN network on Mac OS X
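The client steps above can also be delivered as a configuration profile (for example through MDM) instead of being clicked through in System Preferences. The profile below is an added example, not from this SonicWall article, built on Apple's documented com.apple.vpn.managed VPN payload; the server name, account name, payload identifiers, UUIDs and the shared secret are placeholders to replace with your own values, and the settings mirror the split-tunnel and shared-secret choices made on the WAN GroupVPN policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Corporate L2TP VPN (SonicWall)</string>
  <!-- Placeholder identifiers: use your own reverse-DNS identifier and freshly generated UUIDs -->
  <key>PayloadIdentifier</key><string>com.example.vpn.sonicwall-l2tp</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.sonicwall-l2tp.vpn</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadDisplayName</key><string>Corporate L2TP VPN</string>
      <!-- Service Name as it will appear in the Network pane (the "Service Name" step above) -->
      <key>UserDefinedName</key><string>Corporate L2TP VPN</string>
      <!-- VPN Type: L2TP over IPSec -->
      <key>VPNType</key><string>L2TP</string>
      <!-- false = split tunnel, matching "Set Default Route as this Gateway: Disable" on the Client tab -->
      <key>OverridePrimary</key><false/>
      <key>PPP</key>
      <dict>
        <!-- Server Address = SonicWall public IP or hostname; Account Name = the local user created above (placeholders) -->
        <key>CommRemoteAddress</key><string>vpn.example.com</string>
        <key>AuthName</key><string>vpnuser</string>
        <!-- AuthPassword is deliberately left out: the user is prompted at connect time,
             so the account password is not stored inside the profile -->
      </dict>
      <key>IPSec</key>
      <dict>
        <!-- Machine Authentication = Shared Secret; the value is the base64 encoding of the
             shared secret entered on the WAN GroupVPN policy. "Q2hhbmdlTWU=" is "ChangeMe", a placeholder. -->
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><data>Q2hhbmdlTWU=</data>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Save the file as a .mobileconfig and install it (double-click, or push it with MDM); the VPN service then appears in the Network pane exactly as if it had been created by hand, and because the profile carries the IPsec shared secret it should be distributed through a managed channel rather than e-mail.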