Hello, can someone please explain to me the purpose of the "Add members" button in the L2TP VPN settings on the XG Firewall? The L2TP (Remote Access) section allows for the creation of multiple profiles, each with its own PSK or digital certificate. How do they go together? I'm using v18 MR4 and, if I set a PSK on an L2TP profile, the PSK in the 'IPsec (Remote Access)' section is replaced by it.
Thank you for reaching out to the Community!
Adding the member from VPN settings > L2TP > Add members will turn on L2TP VPN for that user. By default, it's turned off.
You can configure a new profile with digital certificate authentication, but not on the same interface. You could configure an alias interface and use it with the new profile on the second WAN connection.
The PSK configured for IPsec (Remote Access) won't be replaced by the L2TP one.
Community Support Engineer | Sophos Technical Support
Hello, thank you for replying. Actually, I discovered that acting on the L2TP PSK affects the IPsec remote access PSK. I think this is a bug. You can easily reproduce the behaviour.
This isn't a bug. Basically, you are building an SA; once you add a wildcard tunnel (*) (by default L2TP shows this), it isn't possible for the XG to differentiate the tunnels any more. You can test this by adding an IPsec tunnel with Remote Gateway Address (*): it will give you a warning that it will update all of the tunnels with this PSK.
However, in future releases you will be able to use identities (Remote/Local), which should solve this problem.
On IPsec tunnels, you can also mitigate this by using certificates.