Article Applies To:

Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W NSA 240, NSA 250M, NSA250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W TZ 200, TZ 200W, TZ 205, TZ 205W TZ 210, TZ 210W,TZ 215, TZ 215W.

Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060,PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless

Firmware/Software Version: All SonicOS Enhanced versions.
Services: L2TP


Configuring L2TP Server on SonicOS Enhanced


This document explains how to configure L2TP Client access to the SonicWALL WAN GroupVPN SA using the built-in L2TP Server and Microsoft's L2TP VPN Client


This guide is for SonicOS Enhanced firmware on Gen 4 and Gen 5 appliances


The suggested configuration was confirmed to work with Microsoft Windows XP Service Pack 2 (SP2), Vista Ultimate, and Vista Home 

1) Go to VPN > Settings and enable the WAN GroupVPN policy. The default policy settings are OK to use, but the Shared Secret will

       be needed for the client policy configuration


If your SonicWALL appliance is running SonicOS or above, enable the  Accept Multiple Proposals for Clients checkbox which allows multiple VPN or L2TP clients using different security policies to connect.


2) Go to VPN > L2TP Server

I. Enable the L2TP Server. Click 'Configure'
II. L2TP Server Settings
Keep alive time (secs): 60
DNS Server 1: (Use internal or your ISP's DNS)
DNS Server 2: (or use your ISP's DNS)
DNS Server 3: (or use your ISP's DNS)
WINS Server 1: (or use your WINS IP)
WINS Server 2: (or use your WINS IP)
III. IP Address Settings
IP address provided by RADIUS/LDAP Server: Disabled
Use the Local L2TP IP Pool: Enabled
IV. L2TP Users
User Group for L2TP Users: 'Trusted Users'




3) Go to Network > NAT Policies

SonicOS Enhanced will automatically add the following NAT policy.

You may manually add this NAT policy if not auto-added.

I. Add a NAT Policy with these settings:
Original: 'L2TP IP Pool'
Translated: 'WAN Primary IP'
Original: 'Any'
Translated: 'Original'
Original: 'Any'
Translated: 'Original'
Inbound: 'Any'
Outbound: 'WAN' or 'X1'
Comment: L2TP Outbound NAT
Enable NAT Policy: Enabled
Create a reflexive policy: Disabled 




4) Go to Firewall > Access Rules and select VPN to WAN and Add the following rule.

Click Add  to add a new firewall rule with the following settings:
Action: Allow
Service: Any
Source: WAN RemoteAccess Networks
Destination: Any
Users Allowed: All
Schedule: Always on
Comment: L2TP Internet access



The SNWL portion of the configuration is complete.

L2TP setup on the Client computer:

This next steps are performed on a workstation running Microsoft Windows XP Professional, Service Pack 2:


1) Go to the Control Panel

2) Go to Network Connections

3) Open the New Connection Wizard. Click Next.

4) Choose "Connect to the network at my workplace." Click Next.

5) Choose "Virtual Private Network Connection." Click Next.

6) Enter a name for your VPN connection. Click Next.

7) Enter the Public (WAN) IP address of the SNWL. Alternatively, you can use a domain name that points to the SNWL. Click Next, then click Finish. The connection window will appear. Click Properties.

8) Go to the Security tab. Click on "IPSec Settings". Enable "Use pre-shared key for authentication". Enter your pre-shared secret. Click OK.


9) Go to the Networking tab. Change "Type of VPN" from "Automatic" to "L2TP IPSec VPN". Click OK.


10) Enter your XAUTH username and password. Click Connect.


Once the connection has been established, Internet access should be available. Access to the internal network will also be available.