This article helps you configure an L2TP tunnel over IPSec between two Digi routers.
Digi routers support PPP-over-L2TP (Layer 2 Tunneling Protocol). The tunnel endpoints are known as L2TP Access Concentrators (LAC) and L2TP Network Servers (LNS). Each endpoint terminates the PPP session. L2TP is commonly used in conjunction with IPsec in transport mode (to provide security). Multiple L2TP clients are supported by configuring a separate LNS for each client.
Below you can find a picture of the network topology that we set up in this knowledge base article.

We start our setup with an example of the IPSec IKEv2 VPN tunnel configuration on both sides of the tunnel.
LNS node configuration:
IPsec settings are located under the section:
Configuration > VPN > Tunnels
Click the Add IPsec tunnel button and fill in the settings highlighted with red squares.
IPsec mode must be set to Transport.

Authentication of the remote node is carried out with a pre-shared key.
The identifier type is set to Any in this case, and the remote endpoint hostname is also set to Any, since remote clients may have a dynamic IP address.

The local and remote traffic selectors are configured to encapsulate only GRE (IP protocol 47) traffic.

Below you can find the Phase 1 and Phase 2 IKEv2 protocol configuration:

On the client side, the Remote Endpoint > Hostnames field must contain the public IP address or hostname of the LNS server.
The L2TP tunnel configuration of the LNS server is simple:

You only need to set the IP addresses of the remote and local ends of the PPP connection.
Choose the authentication method and set the user name and password.
The LAC configuration is limited to the LNS public IP address, the account username, and the password.

It is crucial to consider routing behavior in this configuration carefully. At the time of writing this knowledge base article, two additional settings must be applied to prevent asymmetric routing. This is due to the router maintaining two default routes with equal metrics in its routing table once the L2TP tunnel is established.
To ensure proper functionality, apply the following additional configuration settings on the LAC device:
- Set a static route to the L2TP LNS server address over the WAN interface.
- Make sure the tunnel has the lowest metric and the WAN interface has a slightly higher metric.

In this example, the LNS server public IP address is 192.168.100.2, and the WAN interface has a metric of 2, while the L2TP tunnel keeps a metric of 1.
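To illustrate why the two LAC settings above are needed, the following added example (not part of the original article or of Digi's software) models the LAC routing table before and after the fix and resolves next hops the way a router does: longest prefix first, then lowest metric. Interface names and the destination 10.0.0.5 are assumptions; the LNS address 192.168.100.2 and the metrics 1 and 2 are the article's.

```python
import ipaddress

LNS_PUBLIC_IP = "192.168.100.2"  # LNS public address from the article

# Constructed routing tables. Each entry: (prefix, interface, metric).
# Before the fix: two default routes with equal metrics once L2TP is up.
BEFORE = [
    ("0.0.0.0/0", "wan1", 1),
    ("0.0.0.0/0", "l2tp1", 1),
]

# After the fix: host route to the LNS over the WAN, tunnel default with the
# lowest metric, WAN default with a slightly higher metric.
AFTER = [
    (LNS_PUBLIC_IP + "/32", "wan1", 1),  # static route to the LNS via WAN
    ("0.0.0.0/0", "wan1", 2),            # WAN default, metric 2
    ("0.0.0.0/0", "l2tp1", 1),           # L2TP tunnel default, metric 1
]


def lookup(table, dst):
    """Return the interface(s) a packet to dst would use.

    Longest-prefix match wins; among equal prefixes the lowest metric wins.
    More than one result means the router has no single best route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifname, m)
               for p, ifname, m in table if dst in ipaddress.ip_network(p)]
    if not matches:
        return []
    best_len = max(n.prefixlen for n, _, _ in matches)
    same_len = [(ifname, m) for n, ifname, m in matches if n.prefixlen == best_len]
    best_metric = min(m for _, m in same_len)
    return sorted(ifname for ifname, m in same_len if m == best_metric)


def ambiguous_defaults(table):
    """True when several default routes share the lowest metric: the
    condition the article describes as the cause of asymmetric routing."""
    defaults = [m for p, _, m in table if p == "0.0.0.0/0"]
    return bool(defaults) and defaults.count(min(defaults)) > 1


def check_lac_routing(table):
    """Summarise whether the LAC sends the tunnel's own outer packets (to the
    LNS) over the WAN while all other traffic prefers the tunnel."""
    return {
        "ambiguous_defaults": ambiguous_defaults(table),
        "lns_via": lookup(table, LNS_PUBLIC_IP),
        "other_via": lookup(table, "10.0.0.5"),  # assumed remote destination
    }
```

With the fixed table the LNS is reached only via `wan1`, so the IPsec/L2TP packets that carry the tunnel never get routed into the tunnel itself, while other traffic still prefers `l2tp1`.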

You can verify the status of the established connection using CLI commands on both the LNS and LAC sides.

Last updated: Aug 26, 2025