L2TP IPsec VPN on FortiGate


In this recipe, you will learn how to create an L2TP IPsec tunnel that allows remote users running the Windows 7 L2TP client to securely connect to a private network.

The FortiGate implementation of L2TP enables a remote user to establish an L2TP IPsec tunnel with the FortiGate. For the tunnel to work, you configure a remote client (abhassan) to connect using an L2TP IPsec VPN connection.

This recipe assumes that the FortiGate unit is operating in NAT/Route mode and that it has a static public IP address. This recipe is designed as a policy-based IPsec VPN, not route-based.

Most of the configuration occurs in the CLI Console, as L2TP settings are not configurable in the GUI. You can access the FortiGate CLI Console from the FortiGate GUI using the administration menu or from the CLI Console Dashboard widget.

1. Creating an L2TP user and user group

Go to User & Device > User Definition and create a new L2TP user via the creation wizard (abhassan).
Next go to User & Device > User Groups and create a new user group for L2TP users (L2TP-group), and add abhassan to the group.

2. Enabling L2TP in the CLI Console

Enter the following CLI command to set up an L2TP tunnel that includes the user group just created and defines the L2TP client IP address range (start IP (sip) to end IP (eip)):

config vpn l2tp
   set sip 10.20.100.1
   set eip 10.20.100.101
   set status enable
   set usrgrp L2TP-group
end

3. Configuring the L2TP/IPsec phases

Enter the following CLI command to configure Phase 1 (named l2tp-p1 below):

config vpn ipsec phase1
   edit l2tp-p1
      set type dynamic
      set interface wan1
      set dhgrp 2
      set keylife 86400
      set peertype dialup
      set dpd disable
      set proposal 3des-sha1 aes192-sha1 aes256-md5
      set usrgrp L2TP-group
      set psksecret <preshared_key>
end

Enter the following CLI command to configure Phase 2 (named l2tp-p2 below):

config vpn ipsec phase2
   edit l2tp-p2
      set phase1name l2tp-p1
      set l2tp enable
      set proposal 3des-sha1 aes192-sha1 aes256-md5
      set pfs disable
      set encapsulation transport-mode
      set keylifeseconds 86400
end

4. Creating a firewall address for L2TP clients

Go to Policy & Objects > Addresses and create a new firewall address.

Enter a Name, set Type to IP Range, and enter the same IP range as configured earlier when enabling L2TP in the CLI Console.

5. Creating Security Policy for access to the internal network and the Internet

Go to System > Feature Select, enable Policy-based IPsec VPN, and select Apply.
Next go to Policy & Objects > IPv4 Policy, and create an IPsec VPN security policy that allows inbound and outbound traffic.

Set Incoming Interface to the internal network and Source Address to all.

Set Outgoing Interface to wan1, Destination Address to all, Service to ALL, and Action to IPsec.

Under VPN Tunnel, select Use Existing and select the name of the Phase 1 configuration that you created (l2tp-p1).
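The FortiGate side of the recipe is now complete, and several of its settings have to agree with each other (the client pool from step 2 and the firewall address from step 4, the phase 2 name pointing at the phase 1 you created, transport-mode encapsulation when l2tp is enabled). As an added example, not part of the Fortinet recipe, the following Python script parses the CLI blocks from steps 2 and 3 together with the step 4 address object written out in CLI form (the object name L2TP-clients and the placeholder pre-shared key are assumptions; the `firewall address` keys `type iprange`, `start-ip` and `end-ip` are real FortiOS CLI keys) and checks those cross-references. It also warns about the 3DES and MD5 proposals, which are deprecated. The parser only handles the config/edit/set/next/end subset used on this page.

```python
"""Consistency lint for this recipe's FortiOS CLI blocks (added example, not Fortinet's code)."""

# Constructed sample: the recipe's blocks (phase1 abridged to the keys checked)
# plus the step 4 address object in CLI form; object name and PSK are assumed.
SAMPLE_CONFIG = """
config vpn l2tp
    set sip 10.20.100.1
    set eip 10.20.100.101
    set status enable
    set usrgrp L2TP-group
end
config vpn ipsec phase1
    edit l2tp-p1
        set type dynamic
        set peertype dialup
        set proposal 3des-sha1 aes192-sha1 aes256-md5
        set usrgrp L2TP-group
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2
    edit l2tp-p2
        set phase1name l2tp-p1
        set l2tp enable
        set proposal 3des-sha1 aes192-sha1 aes256-md5
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 86400
    next
end
config firewall address
    edit L2TP-clients
        set type iprange
        set start-ip 10.20.100.1
        set end-ip 10.20.100.101
    next
end
"""
LEGACY_ALGOS = {"3des", "md5"}  # deprecated, yet present in the recipe's proposals


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; entry is None for tables without 'edit'."""
    tree, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            table, entry = " ".join(tokens[1:]), None
            tree.setdefault(table, {})
        elif tokens[0] == "edit":
            entry = tokens[1].strip('"')
            tree[table].setdefault(entry, {})
        elif tokens[0] == "set":
            tree[table].setdefault(entry, {})[tokens[1]] = [t.strip('"') for t in tokens[2:]]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            table = entry = None
    return tree


def lint_l2tp(text):
    """Return (errors, warnings) for the cross-references the recipe depends on."""
    cfg, errors, warnings = parse_fortios(text), [], []
    l2tp = cfg.get("vpn l2tp", {}).get(None, {})
    if l2tp.get("status") != ["enable"]:
        errors.append("vpn l2tp: status is not enable")
    sip, eip = l2tp.get("sip", [None])[0], l2tp.get("eip", [None])[0]
    if sip is None or eip is None:
        errors.append("vpn l2tp: sip/eip missing")
    else:  # step 4: an iprange address must match the client pool exactly
        ranges = {(a.get("start-ip", [None])[0], a.get("end-ip", [None])[0])
                  for a in cfg.get("firewall address", {}).values()
                  if a.get("type") == ["iprange"]}
        if (sip, eip) not in ranges:
            errors.append(f"no iprange firewall address matches L2TP pool {sip}-{eip}")
    phase1s = cfg.get("vpn ipsec phase1", {})
    for name, p2 in cfg.get("vpn ipsec phase2", {}).items():
        if p2.get("l2tp") != ["enable"]:
            continue
        if p2.get("encapsulation") != ["transport-mode"]:  # L2TP needs transport mode
            errors.append(f"phase2 {name}: l2tp enable requires encapsulation transport-mode")
        p1name = p2.get("phase1name", [None])[0]
        p1 = phase1s.get(p1name)
        if p1 is None:
            errors.append(f"phase2 {name}: phase1name {p1name!r} does not exist")
            continue
        if p1.get("type") != ["dynamic"] or p1.get("peertype") != ["dialup"]:
            errors.append(f"phase1 {p1name}: remote clients need type dynamic / peertype dialup")
        for label, ent in ((f"phase1 {p1name}", p1), (f"phase2 {name}", p2)):
            legacy = [p for p in ent.get("proposal", []) if set(p.split("-")) & LEGACY_ALGOS]
            if legacy:
                warnings.append(f"{label}: legacy proposals {legacy}")
    return errors, warnings


if __name__ == "__main__":
    print(lint_l2tp(SAMPLE_CONFIG))
```

On the sample the script reports no errors and two warnings (the 3DES and MD5 proposals in phase 1 and phase 2). To check a live unit, replace SAMPLE_CONFIG with the output of `show vpn l2tp`, `show vpn ipsec phase1`, `show vpn ipsec phase2` and `show firewall address` from the CLI Console; the parser strips the quotes that `show` puts around values.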

6. Configuring a remote Windows 7 L2TP client

On a PC, open the Start menu, search for VPN, and select Set up a virtual private network (VPN) connection.
Enter the FortiGate’s IP address, enter a Destination name, and make sure to select the Don’t connect now… checkbox. Then select Next.

Enter the same User name and Password as configured earlier on the FortiGate and select Create.


The connection is now ready to use. Select Close.

Next, go to Start > Control Panel > Network and Sharing Center and select Connect to a network.


Open the L2TP VPN configured earlier.

Enter the L2TP IPsec VPN’s user credentials and select Connect.

You will then be connected to the VPN.

7. Results

On the FortiGate, go to Monitor > IPsec Monitor. The tunnel shows a Status of Up, with incoming and outgoing data.
You can also go to Log & Report > VPN Events, where you can select an entry and view more details. The user has been assigned an IP address from within the L2TP client range.
Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has an Honours Bachelor of Arts in English with a Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
  • Vlorca

    Hi.

    I followed the steps of this recipe, but users cannot connect to the VPN. Checking the configuration, I found this tunnel configuration.

    Phase 2 seems not to be configured. Is it normal?

    Thank you very much.

    https://uploads.disquscdn.com/images/62d9d4d3ecbfcc905aedaa307d26f7f09601d2c1ada7db223a5d79007ad365d5.jpg

  • Vlorca

    Hi.

    I followed the steps of this recipe and finished it without problems, but users cannot connect.

    I have checked the config and I see this new tunnel. As you can see, Phase 2 seems not to be set up.

    Is this correct?

  • Olivier Hault

    How to configure the manual DNS servers to use for the VPN clients?

  • Liu Jie

    I solved the problem, so I will share it.
    Firstly, the IPs set in step 2 are the ones assigned to the client once L2TP is connected.
    Then, one “internal to wan” policy alone is not enough for the L2TP connection.
    Two more policies are necessary, as below:
    (1)wan to internal
    (l2tp-client to all)
    (2)wan to wan
    (l2tp-client to all)

    Regards!

    • Vlorca

      Hi Liu Jie.

      Could you attach a screenshot of these rules, please?

      Kind regards!

      • rocky.chan

        I guess it should look like below:
        (1) wan-lan
        config firewall policy
        edit x
        set srcintf wan
        set srcaddr l2tp_addgrp
        set dstintf lan
        set dstaddr internal_addgrp
        set action accept
        set service all
        next
        end
        (2) wan-wan
        config firewall policy
        edit y
        set srcintf wan
        set srcaddr l2tp_addgrp
        set dstintf wan
        set dstaddr all
        set action accept
        set service all
        next
        end

        • Vlorca

          Nice!

          Did you have any problem with Windows 10 Pro clients? It works with Win7 but not with Windows 10 Pro. I am not sure what can cause it.

  • Nishit

    How to disable everything and revert back to previous state if something goes wrong?

    • Victoria Martin

      To back up your current configuration before you make any changes, go to the Dashboard and locate the System Information widget. Beside System Configuration, select Backup.

      If you need to revert to this state, select the Restore option instead.

  • Michael Bazy

    Hi everyone,

    Should you want to copy/paste the CLIs, I recommend

    config vpn ipsec phase2
    edit l2tp-p2
    set phase1name l2tp-p1
    set proposal 3des-sha1 aes192-sha1 aes256-md5
    set pfs disable
    set encapsulation transport-mode
    set l2tp enable
    set keylifeseconds 86400
    end

    instead of:
    config vpn ipsec phase2
    edit l2tp-p2
    set phase1name l2tp-p1
    set l2tp enable
    set proposal 3des-sha1 aes192-sha1 aes256-md5
    set pfs disable
    set encapsulation transport-mode
    set keylifeseconds 86400
    end

    (the reason is l2tp is only available in transport-mode, and not in tunnel-mode, which is the default encapsulation)

  • Yan Herndon

    I set up an L2TP per your doc here and I’m able to browse the remote network shares. I don’t have internet access though. I can disable use default gateway on remote network and get internet on the client, but that obviously doesn’t route traffic over the VPN. Any ideas how I can get internet traffic to pass through the VPN as well?

  • merlynmac

    Hello,
    I’ve followed this article to the T and I can connect… the firewall can ping my VPN connected devices, however I cannot ping anything from the VPN connected device, including the LAN, other VPN connected devices or anything else. Can you help me to get it working so I can reach resources on my LAN, not just VPN devices from my firewall? And can split tunnel be enabled so I’m only going over the VPN for the LAN at the office? Right now it looks like all traffic is being sent across the tunnel but I’m getting no responses.

    • Adam Bristow

      Hello merlynmac,

      Unfortunately I’m not sure if I can help you, but I would recommend contacting Fortinet Support:
      https://support.fortinet.com/

      However, in regards to your split tunneling query, I think this may help:

      – On your PC, go to Start > Control Panel > Network and Sharing Center > Change adapter settings.
      – Right-click the VPN and select Properties.
      – Open the Networking tab, select IPv4, and select Properties.
      – Select Advanced.
      – Disable Use default gateway on remote network.

      This will ensure that only interested traffic goes through the VPN connection, while the rest goes directly to the Internet connection.

      I hope I’ve provided some useful insight!

      Best regards,

      Adam