5.
Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule
6.
Enter a name for the rule, for example NATL2TP
7.
Now enter:
•
Action: NAT
•
Service: all_services
•
Source Interface: l2tp_tunnel
•
Source Network: l2tp_pool
•
Destination Interface: wan
•
Destination Network: all-nets
8.
Click OK
IPsec Tunnels with Transport Mode
The encapsulation mode of the IPsec tunnel in the example above is set to Transport for L2TP
and this is the recommended setting. Windows™ clients will only function with transport mode.
With transport mode, the following should be noted:
•
IKEv2 only works when using Tunnel Mode for IPsec encapsulation. Therefore, IKEv1 must be
used with L2TP.
•
When using transport mode with IKEv1, only the Local Endpoint and Remote Endpoint
properties of the IPsec Tunnel object are used by NetDefendOS for tunnel setup. The Local
Network and Remote Network properties are ignored.
•
The Add route statically setting should be disabled. It should be enabled only if the
administrator has an in-depth understanding of how this setting functions with transport
mode.
•
If Add route statically is enabled with transport mode and the OutgoingRoutingTable is
set to the same routing table as the RoutingTable, NetDefendOS will give a warning
message and disable Add route statically automatically.
The reason for this is that if it is allowed, IKE/ESP traffic will be routed into its own tunnel after
tunnel establishment. This means that a traffic loop will be created so that no ESP/IKE packets
will get sent to the tunnel's remote endpoint.
9.5.3. L2TP/PPTP Server Advanced Settings
The following L2TP/PPTP server advanced settings are available to the administrator:
L2TP Before Rules
Pass L2TP traffic sent to the NetDefend Firewall directly to the L2TP Server without consulting
the rule set.
736
Chapter 9: VPN