Technical Tip: Manual upgrade of L2TP over IPsec configuration is required after upgrading from v6.4.x or v7.0.0 to v7.0.x
| Description | This article describes that a manual upgrade of the L2TP over IPsec configuration must be performed after a firmware upgrade. |
| Scope | FortiGate v6.4.x or v7.0.0 to v7.0.x. |
| Solution | If the settings are not changed manually after the upgrade, the L2TP over IPsec tunnel still comes up, but clients connected through it cannot reach the internal (office) network.
This setting change is necessary regardless of whether it is route-based IPsec or policy-based IPsec.
To make the L2TP over IPsec configuration work after the upgrade, add a static route for the IP range configured in VPN L2TP.
For example, if the L2TP setting in the previous version's root VDOM is:
config vpn l2tp
A static route must be added after the upgrade:
config router static
The firewall policies related to the VPN must also be changed as follows.
Keep the policy from 'tunnel_name' to 'external_interface' as it is:
config firewall policy
    edit <id>
        set srcintf "tunnel_name"
        set dstintf "external_interface"    <----- The interface on which the IPsec tunnel is configured.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "L2TP"
        set nat enable
    next
end
This policy lets clients establish the L2TP over IPsec tunnel; it does not carry the clients' traffic to the network behind the FortiGate.
To allow the clients' traffic through the tunnel, the remaining VPN policies must use 'l2t.root' as the source interface:
config firewall policy
    edit <id>
        set srcintf "l2t.root"              <----- Must be the L2TP interface.
        set dstintf "outgoing_interface"    <----- Could be external/internal, WAN/LAN.
        set action accept
        set srcaddr "<>"
        set dstaddr "<>"
        set service "ALL"
        set nat enable
    next
end
l2t.root is the dedicated interface that FortiOS creates for the L2TP over IPsec tunnel inside the root VDOM. Using it as the source interface means that traffic decapsulated from the L2TP tunnel is matched against these policies; a policy whose source interface is still the IPsec tunnel name will not match that traffic, which is why clients cannot reach the internal network until the policies are changed. |
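The complete post-upgrade configuration that the steps above describe, as an added example that is not part of the original article. All object names and addresses are assumptions chosen for illustration: an L2TP pool of 192.168.10.10 to 192.168.10.20, a user group "L2TP_USERS", an IPsec tunnel named "L2TP_IPSEC", the external interface "wan1" and the internal interface "internal". The article's generic policy template enables NAT; the example leaves NAT off on the policy towards the internal network, since the new static route already lets internal hosts reply to the pool addresses directly, and keeps it on only for the policy towards the Internet.

```fortios
# Added example, not from the original article. Assumed values:
# L2TP pool 192.168.10.10-192.168.10.20, user group "L2TP_USERS",
# IPsec tunnel "L2TP_IPSEC", external interface "wan1", internal interface "internal".

# 1. L2TP settings as they already existed in the root VDOM before the upgrade.
config vpn l2tp
    set status enable
    set sip 192.168.10.10
    set eip 192.168.10.20
    set usrgrp "L2TP_USERS"
end

# 2. Required after the upgrade: route the L2TP pool to the l2t.root interface.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "l2t.root"
        set comment "L2TP client pool, needed since v7.0.x"
    next
end

# 3. Policy that lets clients bring the tunnel up; this one is unchanged.
config firewall policy
    edit 0
        set name "L2TP-tunnel-setup"
        set srcintf "L2TP_IPSEC"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "L2TP"
        set nat enable
    next
end

# 4. Address object for the pool, then the client-traffic policies with srcintf l2t.root.
config firewall address
    edit "L2TP_POOL"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "L2TP-to-LAN"
        set srcintf "l2t.root"
        set dstintf "internal"
        set action accept
        set srcaddr "L2TP_POOL"
        set dstaddr "all"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "L2TP-to-Internet"
        set srcintf "l2t.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "L2TP_POOL"
        set dstaddr "all"
        set service "ALL"
        set nat enable
    next
end
```

To check the result, run 'get router info routing-table static' and confirm that the pool network is listed with l2t.root as its interface, then have a client ping an internal host while 'diagnose sniffer packet l2t.root 'icmp' 4' is running; the request must appear on l2t.root, and the reply will only follow if both the static route and an l2t.root policy are in place.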