Teleworker VPN - L2TP over IPsec (2024)

The DrayTek routers that support Dial-In VPN connections can use any compatible VPN client to connect a remote dial-in user VPN to achieve secured access to the network connected to the router and its internet connection.

The DrayTek Smart VPN Client software is free for use and can use all protocols that the DrayTek routers currently support such as PPTP, IPsec, L2TP over IPsec and SSLVPN protocols (depending on router model).

In this example, the Smart VPN Client will be used to make an L2TP over IPsec VPN connection to a DrayTek router. We recommend L2TP is always used with IPSec if the traffic is sensitive or transmitted unencrypted because L2TP on it's own does not provide encryption. With an L2TP over IPsec VPN connection, the IPsec negotiation of the VPN uses the same pre-shared key for all users and the L2TP portion allows each user to have a unique username and password.

To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:

Set up the profile to acceptL2TP with IPsec Policy connections, set the requirement of that to Must so that users can only connect if going through IPsec to ensure that it's encrypted.

Enable the profile, enter a suitable Username to for the account and set the Password for the account:

Click OK on that page to save the settings for that profile, then go to [VPN and Remote Access] > [IPsec General Setup] to set thePre-Shared Key for the VPN connection - that needs to be entered twice to ensure that it's entered correctly.

On this page, it's also possible to select which security types are enabled for teleworker VPN connections, in this example, only AES is selected:

Click OK on that page to save the settings.

Creating an L2TP over IPsec Tunnel VPN in Windows requires the Windows Firewall to function. The DrayTek Smart VPN Client automatically configures and secures the necessary Windows Firewall policy settings when establishing the tunnel. If the Windows Firewall is disabled, the Smart VPN Client will attempt to establish the IPsec portion of the tunnel and will give an error when it cannot establish the L2TP portion of the VPN tunnel.

Open the DrayTek Smart VPN Client and click Insert to create a new VPN profile:

That will open a new window to configure the VPN settings:

In the new profile, set the Profile Name if necessary. In this example, the type of VPN is L2TP over IPsec, the address or host name of the VPN server needs to be specified in the VPN Server IP/Host Name field and the Username that will be used in the VPN profile should be set in the User Name field, enter the password for the VPN in the Password field.

The Use default gateway on remote network setting is used to set whether all traffic including internet traffic will go through the VPN, if it is ticked, all traffic will go through the VPN, if it is unticked, the VPN will only be used for accessing the remote network.

Click OK to save that and a window for L2TP over IPsec setup will appear:

Set the Pre-Shared Key for the connection first of all, the other settings to note are the Security Method settings, this defaults to Medium(AH) mode which is not encrypted, set this to High(ESP) and select a suitable security method from the list, in this example, AES128 with SHA1 will be used.

The VPN client will get an IP address from the remote network automatically but this can be specified in the VPN client using the Manually get IP address & DNS server setting.

Click OK to save the settings for the VPN connection.

It is now possible to connect the VPN, select the profile from the list on the main window and click the Connect button:

That will pop-up a window to enter the User Name and Password settings, the username and password were configured in the profile so should already be configured. The Pre-Shared Key setting is also shown and can be changed if required:

Click OK and the VPN will start to connect.

Once the VPN is connected, the main window will show the status of this at the bottom of the window. It will also show the status in the computer's System Tray, which can be used to disconnect the VPN if necessary.

When connected, the VPN status can be viewed on the router in the [VPN and Remote Access] > [Connection Management] section, which will display the connecting IP, the local IP it has been assigned and the protocol that it is using:

How do you rate this article?

Add a comment to this article

NOTE : All comments are reviewed before publication and may not be posted or may be redacted if the editors do not consider them helpful. The use of offensive or obscene language, copyrighted material, or advertising or promotion or linking to any other product or service is prohibited. By submitting your comment, you confirm that you are the original author and assign copyright of the content to DrayTek indefinitely and irrevocably.