Skip to content

L2TP with PSK (Windows)


Before you start

The IPsec and L2TP features must be enabled on your AXS Guard appliance. Verify that the IPsec server is configured to accept proposed client IPs. Go to Authentication > Services to configure the L2TP authentication policy. Ensure that users are allowed to use the L2TP service. See the L2TP how to for additional information.

L2TP and NAT-Traversal

By default, Windows Vista, 7 and 8 and the Windows Server 2008 operating systems do not support Internet Protocol security (IPsec) network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network (VPN) server is behind a NAT device, a Windows Vista-based VPN client computer or a Windows Server 2008-based VPN client computer cannot make a Layer Two Tunneling Protocol (L2TP)/IPsec connection to the VPN server.

However, if you have to put a server behind a NAT device and then use an IPsec NAT-T environment, you can enable communication by changing a registry value on the VPN client computer. See the official Microsoft Documentation for additional information.

Security Precautions

  • Generate a different PSK for each VPN tunnel.

  • Use a password generator for the creation of your PSKs.

  • Generate long PSKs with at least 30 characters to resist brute-force attacks.

  • Send the PSK to your peer via a secure channel, such as an encrypted e-mail.

  • Enforce strong authentication for the L2TP service, e.g. DIGIPASS authentication.

L2TP Tunnel Configuration

  1. Go to VPN > IPsec > Tunnels

  2. Select the predefined L2TP tunnel.

  3. Click on the "Edit as new" button.

  4. Enter the settings as shown in the screenshots below.

Phase 1

Phase 1 Settings

Phase 2

Phase 2 Settings

Enable the Tunnel

Tunnel Overview

Client Configuration

Configure the L2TP connection settings as follows:



Advanced Properties

Enter the pre-shared key of the AXS Guard L2TP tunnel.