Technical Tip: Allowing connection between two IPsec dial up client hosts which belong to the same subnet
Description
This article describes how to set up layer-2 forwarding on the IPsec tunnel interface so that two IPsec dial-up client hosts which belong to the same subnet can communicate with each other.
Related link:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-networking-54/Interfaces/VLANs/Layer-2%20and%20Arp%20traffic.htm
Solution
By default, FortiGate does not pass layer-2 traffic (ARP, broadcast, NetBIOS) across an interface.
If such layer-2 protocols must pass between the dial-up clients, configure the IPsec VPN interface to forward them instead of blocking them.
Configure it via the CLI:
# config system interface
edit <<IPsec VPN interface name>>
set arpforward enable
set broadcast-forward enable
set netbios-forward enable
end
After applying this configuration, a ping between the two clients confirmed that ICMP passes through the tunnel.
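Because these three settings widen what the tunnel interface forwards, it is worth auditing which interfaces actually have them enabled. The following Python script is an added example, not part of the Fortinet article: it parses a constructed sample of `show system interface` output (the interface names "dialup_vpn", "port1" and "port2" are made up), reports which of the three settings are missing on the dial-up interface, and lists any other interface that has layer-2 forwarding enabled. A setting absent from the output is assumed to be at its default, disable.

```python
import re

# The three layer-2 forwarding settings from the article.
L2_SETTINGS = ("arpforward", "broadcast-forward", "netbios-forward")

# Constructed sample of `show system interface` output; interface names are made up.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
    next
    edit "dialup_vpn"
        set type tunnel
        set arpforward enable
        set broadcast-forward enable
        set netbios-forward enable
        set interface "port1"
    next
    edit "port2"
        set broadcast-forward enable
    next
end
"""

def parse_l2_forwarding(config_text):
    """Return {interface: {setting: bool}} for the three L2 settings."""
    result, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+?)"?$', line)
        if m:
            current = m.group(1)
            # Assumption: a setting not shown is at its default, disable.
            result[current] = {s: False for s in L2_SETTINGS}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'set\s+(\S+)\s+(enable|disable)$', line)
        if m and current and m.group(1) in L2_SETTINGS:
            result[current][m.group(1)] = (m.group(2) == "enable")
    return result

def check_interface(config_text, vpn_interface):
    """Return (settings missing on the VPN interface, other interfaces with any L2 forwarding)."""
    parsed = parse_l2_forwarding(config_text)
    vpn = parsed.get(vpn_interface, {s: False for s in L2_SETTINGS})
    missing = [s for s in L2_SETTINGS if not vpn[s]]
    others = sorted(n for n, st in parsed.items() if n != vpn_interface and any(st.values()))
    return missing, others
```

Run `check_interface(SAMPLE_CONFIG, "dialup_vpn")` on a real dump to confirm the dial-up interface is complete and that no unintended interface (here "port2") also forwards layer-2 traffic.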