Skip to content

VPN Quick Reference

Quick operational guide for VPN setup and diagnostics.

Implemented VPN modes in current t1n1wall

  • IPsec: site-to-site and mobile client capabilities
  • L2TP/IPsec: L2TP remote access protected by IPsec
  • PPTP: available for legacy interoperability

Security posture

  • Prefer IPsec and L2TP/IPsec for new deployments.
  • Treat PPTP as legacy and avoid in new high-security designs.
  • Disable unused VPN modes to reduce attack surface.

Web UI locations

  • VPN > IPsec
  • VPN > L2TP/IPsec and VPN > L2TP/IPsec > Users
  • VPN > PPTP and VPN > PPTP > Users

Baseline for IPsec site-to-site

  1. Local and remote subnets exactly match design.
  2. Phase 1 and Phase 2 proposals align on both peers.
  3. Firewall policy permits intended tunneled traffic.
  4. Time/NTP is correct on both peers.
  5. No overlapping subnet design.

Baseline for L2TP/IPsec remote access

  1. L2TP/IPsec mode is enabled.
  2. Client pool (remoteip range) and server tunnel address are correct.
  3. User credentials are present in L2TP users.
  4. Pre-shared key and policy match client settings.
  5. Firewall rules allow intended access from l2tp client network.

Baseline for PPTP remote access (legacy)

  1. PPTP mode is enabled and user credentials exist.
  2. GRE and TCP/1723 path is reachable from clients.
  3. Firewall rules allow intended access from pptp client network.
  4. Use only when compatibility requires it.

Frequent failure causes

  • Time/NTP drift (especially for IPsec/L2TP-IPsec)
  • Identifier/key/certificate mismatch
  • Phase2 subnet mismatch
  • Missing route or policy on one side
  • VPN pool subnet overlaps LAN/WAN subnets

Validation workflow

  1. Confirm tunnel/session establishes.
  2. Test reachability to one remote host.
  3. Test one application protocol.
  4. Confirm logs and states match observed behavior.