rward1
Staff
December 31, 2014

How to configure L2TP over IPSec on a FortiGate

Description
The following CLI syntax can be used to configure an L2TP over IPSec tunnel and was tested to work for a connection between a Windows 8.x Tablet and a FortiGate.

Solution
Text shown in '< >' must be replaced with values that match your environment.

Syntax:

config system global
    set gui-policy-based-ipsec enable
end

config user local
    edit "<select_username>"
        set type password
        set passwd <create_password>
    next
end

config user group
    edit "L2TP"
        set member "<select_username>"
    next
end

config vpn l2tp
    set sip <first ip in range>
    set eip <last ip in range>
    set status enable
    set usrgrp "L2TP"
end

config vpn ipsec phase1
    edit "L2TP_WINRT_P1"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set add-route enable
        set dhgrp 2
        set psksecret <enter_preshared_key>
    next
end

config vpn ipsec phase2
    edit "L2TP_WINRT_P2"
        set phase1name "L2TP_WINRT_P1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 3600
    next
end

config firewall address
    edit "L2TP_Clients"
        set type iprange
        set start-ip <first ip in range>
        set end-ip <last ip in range>
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "L2TP_WINRT_P1"
    next

    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "L2TP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "<internal_interface>"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "L2TP_Clients"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "wan1"
        set dstintf "<internal_interface>"
        set srcaddr "L2TP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
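A configuration like the one above only works when every name is spelled identically in each place it is referenced: the user group in `vpn l2tp`, the phase1 name in phase2 and in the IPsec policy, and the address object in the accept policies. As an added example (not Fortinet's code and not part of the original article), the following Python cross-reference checker parses a FortiOS CLI block of this shape and reports any value that names an object the block never defines; the sample snippet is constructed and deliberately leaves `L2TP-Users` and `L2TP_Clients` undefined.

```python
import re
from collections import defaultdict

# Constructed FortiOS snippet in the article's shape; "L2TP-Users" and
# "L2TP_Clients" are deliberately never defined so the checker has findings.
SAMPLE = """\
config vpn l2tp
    set usrgrp "L2TP-Users"
end
config vpn ipsec phase1
    edit "L2TP_WINRT_P1"
        set type dynamic
    next
end
config firewall policy
    edit 0
        set action ipsec
        set dstaddr "L2TP_Clients"
        set vpntunnel "L2TP_WINRT_P1"
    next
end
"""
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted string or bare word
# (table, key) -> table whose entry names must contain the key's values
REFS = {("vpn l2tp", "usrgrp"): "user group",
        ("vpn ipsec phase2", "phase1name"): "vpn ipsec phase1",
        ("firewall policy", "vpntunnel"): "vpn ipsec phase1",
        ("firewall policy", "srcaddr"): "firewall address",
        ("firewall policy", "dstaddr"): "firewall address"}

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; table-level 'set' lands in entry '_'."""
    conf, table, entry, auto = defaultdict(dict), None, "_", 0
    for line in text.splitlines():
        words = [q or w for q, w in TOKEN.findall(line)]
        if words and words[0] == "config":
            table, entry = " ".join(words[1:]), "_"
        elif words and words[0] == "edit":  # 'edit 0' means "next free ID"
            auto += 1
            entry = words[1] if words[1] != "0" else f"auto{auto}"
            conf[table].setdefault(entry, {})
        elif words and words[0] == "set":
            conf[table].setdefault(entry, {})[words[1]] = words[2:]
    return conf

def dangling_refs(conf):
    """(table, entry, key, value) for every value naming an object never defined."""
    bad = []
    for (table, key), target in REFS.items():
        defined = set(conf.get(target, {})) - {"_"}
        for entry, attrs in conf.get(table, {}).items():
            bad += [(table, entry, key, v) for v in attrs.get(key, [])
                    if v != "all" and v not in defined]
    return bad
```

Run `dangling_refs(parse_fortios(SAMPLE))` to list the two undefined references; running it over the full article configuration with your own values filled in catches a misspelled group name or a stray quote before the tunnel is tested from the client.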

Related Articles

Technical Tip : FortiOS Resolving L2TP IPSec connection issues when using Windows 7

Technical Note : L2TP over IPSec with Windows 7 and Vista