• Set Inner IP Address to ip_int.
• Set Tunnel Protocol to L2TP.
• Set Outer Interface Filter to ipsec_tunnel.
• Set Outer Server IP to ip_ext.
• Select the Microsoft Point-to-Point Encryption allowed. Since IPsec encryption is used this can be set to be None only, otherwise double encryption will degrade throughput.
• Set IP Pool to l2tp_pool.
• Enable Proxy ARP on the int interface to which the internal network is connected.
• Make the interface a member of a specific routing table so that routes are automatically added to that table. Normally the main table is selected.

6. For user authentication:

• Define a Local User DB object (let's call this object TrustedUsers).
• Add individual users to TrustedUsers. This should consist of at least a username and password combination.
  The Group string for a user can also be specified. This is explained in the same step in the IPsec Roaming Clients section above.
• Define a User Authentication Rule:

  Agent   Auth Source   Src Network   Interface     Client Source IP
  PPP     Local         all-nets      l2tp_tunnel   all-nets (0.0.0.0/0)

7. To allow traffic through the L2TP tunnel the following rules should be defined in the IP rule set:

  Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
  Allow    l2tp_tunnel     l2tp_pool     any              int_net        All
  NAT      ipsec_tunnel    l2tp_pool     ext              all-nets       All

The second rule would be included to allow clients to surf the Internet via the ext interface on the D-Link Firewall. The client will be allocated a private internal IP address which must be NATed if connections are then made out to the public Internet via the D-Link Firewall.

8. Set up the client. Assuming Windows XP, the Create new connection option in Network Connections should be selected to start the New Connection Wizard. The key information to enter in this wizard is: the resolvable URL of the D-Link Firewall or alternatively its ip_ext IP address.

Then choose Network > Properties. In the dialog that opens choose the L2TP Tunnel and select Properties.
In the new dialog that opens select the Networking tab and choose Force to L2TP. Now go back to the L2TP Tunnel properties, select the Security tab and click on the IPsec Settings button. Now enter the pre-shared key.

9.2.6. L2TP Roaming Clients with Certificates

If certificates are used with L2TP roaming clients instead of pre-shared keys then the differences in

Chapter 9. VPN