Dynamic search > >
UK Sales: 0330 1340 230

Apple iPad and iPhone VPN Connection to SonicWall Firewall

Please note that this document was written many years ago before SonicWall launched an Apple iPhone/iPad/iPod VPN application called Mobile Connect for iOS. This software is compatible with all SonicWall firewalls that support SSL-VPN, and is a free download from the official Apple AppStore here.

Concurrent connections are licenced through the UTM SSL VPN User Licence.

L2TP Server configuration on the SonicWall Appliance

Follow these steps to configure the SonicWall security appliance to accept the L2TP connection:

Step 1: Select Network > Address Objects

Step 2: Add the following address object:

· Name: 'L2TP Subnet'
· Type: Network
· Network: (The Class C network address of your L2TP Pool)
· Netmask:
· Zone Assignment: VPN

Step 3: Select Users > Settings and make the following configuration change:

  • Authentication Method: RADIUS + Local Users

Step 4: Select VPN > L2TP Server, enable the L2TP Server, click Configure and set the options as follows:

a· Keep alive time (secs): 60
b· DNS Server 1: (or use your ISP's DNS)
c· DNS Server 2: (or use your ISP's DNS)
d· DNS Server 3: (or use your ISP's DNS)
e· WINS Server 1: (or use your WINS IP)
f· WINS Server 2: (or use your WINS IP)
g· IP address provided by RADIUS/LDAP Server: Disabled
h· Use the Local L2TP IP Pool: Enabled
i· Start IP: *EXAMPLE*
j· End IP: *EXAMPLE* Note: Use any unique private range.
k· User Group for L2TP Users: Trusted Users or Everyone

Step 5: Select Users > Local Users

Step 6: Add a user and add these objects to the VPN Access list:

a· L2TP Subnet
b· WAN RemoteAccess Networks
c· LAN Subnets

NOTE: Alternatively, you can add these networks to the Everyone or Trusted Users Group. Also, add any other Address Objects to which you require access.

Step 7: Select Network > NAT Policies and add a NAT Policy with these settings:

a· Original Source: L2TP Subnet
b· Translated Source: WAN Primary IP (X1 IP) - we have X2 as primary WAN
c· Original Destination: Any
d· Translated Destination: Original
e· Original Service: Any
f· Translated Service: Original
g· Inbound Interface: Any
h· Outbound Interface: WAN or X1 - we have X2 as primary WAN
i· Comment: L2TP Client NAT
j· Enable NAT Policy: Enabled
k· Create a reflexive policy: Disabled

Step 8: Select VPN > Settings and configure the WAN GroupVPN policy with the following settings:
General tab:

  • Enter a Shared Secret.

Proposals tab:

a· IKE (Phase 1) Proposal
b· DH Group: Group 2
c· Encryption: 3DES
d· Authentication: SHA1
e· Life Time (seconds): 28800
f· IPSec (Phase 2) Proposal
g· Protocol: ESP
h· Encryption: 3DES
i· Authentication: SHA1
j· Enable Perfect Forward Secrecy (PFS): Disabled (Optional)
k· DH Group: Disabled (Not applicable if PFS is disabled)
l· Life Time (seconds): 28800

*** Please note that some iOS updates require the Encryption to be AES 256

Advanced tab:

  • Enable Windows Network (NetBIOS) Broadcast: Disabled (Optional)
  • Enable Multicast: Disabled (Optional)
  • Management via this SA:
  • HTTP: Disabled (Optional)
  • HTTPS: Enabled (Optional)
  • Default Gateway:
  • Require Authentication of VPN Clients via XAUTH: Enabled
  • User Group for XAUTH Users: Trusted Users or Everyone
  • Allow Unauthenticated VPN Client Access: Disabled

Client tab:

a· Cache XAUTH User Name and Password on Client: Always
b· Virtual Adapter settings: DHCP Lease
c· Allow Connections to: "This Gateway only" or "All Secured Gateways" (if you need access to site-to-site VPN's).
d· Set Default Route as this Gateway: Disabled
e· Use Default Key for Simple Client Provisioning: Disabled

Step 9: Select VPN > DHCP over VPN, choose Central Gateway, click Configure and make the following adjustments:

  • Use Internal DHCP Server: Enabled
  • For Global VPN Client: Enabled
  • For Remote Firewall: Disabled
  • Send DHCP requests to the server address listed below: Disabled
  • Relay IP Address (Optional):

Step 10: Select Firewall > Access Rules and Add this VPN to WAN rule:

a· From Zone: VPN
b· To Zone: WAN
c· Source: WAN Remote Access Networks
d· Destination: Any
e· Service: Any
f· Action Allow
g· Users: All

Step 11: Select Firewall > Access Rules and Add this VPN to LAN rule:

a· From Zone: VPN
b· To Zone: LAN
c· Source: L2TP Subnet
d· Destination: LAN Subnets
e· Service: Any
f· Action Allow
g· Users: All

The SonicWall portion of the configuration is complete.

Affected SonicWall Security Appliance Platforms:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240, TZ 210, TZ 200, TZ 100
Firmware/Software Version: Enhanced 5.2 and above
Services: VPN using iPad/iPhone/iPod Touch (using L2TP option on the SonicWall appliance)


This document explains how to configure the iPad/iPhone/iPod Touch (we will refer to the name iPad for the rest of this document) L2TP Client access to the SonicWall WAN GroupVPN SA using the built-in L2TP Server. This guide is for SonicOS Enhanced 5.2.x firmware.

Procedure: iPad Configuration
Follow these steps to configure the iPad to connect to the SonicWall GroupVPN SA using the built in L2TP Server.

Step 1:
From the Home Screen, press the Settings icon


Step 2:
Next, from the General menu, select Network


Step 3:
In the Network menu, select the VPN option


Step 4:
In the VPN menu, choose the heading titled, Add VPN Configuration


Step 5:
In the Add Configuration menu, make sure L2TP is selected


Step 6: Fill out the Required fields, then press save when you are done

  • Description: This is a friendly name for your VPN configuration
  • Server: This is the WAN IP (or host name) address of your SonicWall
  • Account: This is the user account created for accessing the network via VPN; because we use LDAP (AD integration) on our firewall we have to use local users to authentication this VPN because the iPad uses CHAP authentication and isn't compatible with LDAP, although you could change to Radius instead if you want to use external users/passwords.
  • RSA SecurID: Not used in this configuration
  • Password: If left blank, every time a connection is established, a prompt for your password will appear. If completed, then the iPad will store your password for future connections
  • Secret: This is your pre-shared secret configured within the WAN GroupVPN policy
  • Send All Traffic: This will allow for either split tunnel or route-all depending on VPN configuration. This example will use the route-all config (we prefer to allow internet traffic locally by the user rather than force down the tunnel )


Step 7: The saved configuration will appear on the VPN screen. You can then slide the VPN to the ON position, and your iPad will begin IPSec communication