dbabic
Staff
August 21, 2019

Technical Tip: Multiple user groups configuration for L2TP over IPsec VPN to restrict network access on a FortiGate
Description
This article explains why it is not possible to configure multiple user groups for L2TP over IPsec VPN on a FortiGate in order to apply granular access control in firewall policies.
Scope
FortiGate.
Solution
Because of L2TP limitations on FortiGate, the user group defined in config vpn l2tp is used solely for authentication. Other group memberships are not available and cannot be leveraged for fine-grained access control in firewall policies.

As a workaround, it is recommended to use SSL VPN or IPsec VPN with FortiClient.
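The FortiOS CLI fragment below is an added illustration, not configuration from the original article. It shows where the single L2TP user group is bound and why referencing a second group in a firewall policy gives no extra control. The user, group, address and interface names are assumed, and the IPsec phase1/phase2 settings that carry the L2TP tunnel are omitted.

```text
# Added example, not from the original article. Names (alice, bob, L2TP_Users,
# Finance, port1, port2, L2TP_Clients, Finance_Servers) are assumed.
config user group
    edit "L2TP_Users"
        set member "alice" "bob"
    next
    edit "Finance"
        set member "alice"
    next
end
config vpn l2tp
    set status enable
    set sip 10.10.10.10
    set eip 10.10.10.20
    # The only group L2TP evaluates, and only for authentication.
    set usrgrp "L2TP_Users"
end
config firewall address
    edit "L2TP_Clients"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end
config firewall policy
    # Policy 10 matches: L2TP_Users is the group bound in config vpn l2tp.
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "L2TP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "L2TP_Users"
    next
    # Policy 11 never matches an L2TP session: alice's Finance membership is
    # not available to the policy engine, so it cannot limit Finance_Servers
    # to Finance members. Use SSL VPN or IPsec VPN with FortiClient instead.
    edit 11
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "L2TP_Clients"
        set dstaddr "Finance_Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Finance"
    next
end
```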
Important Note (FortiOS 7.6.3 and later):
Due to platform limitations, using multiple user groups with L2TP over IPsec remains unsupported in FortiOS 7.6.3 and later, and the workaround is still SSL VPN or IPsec VPN with FortiClient.

However, customers are strongly advised to migrate to remote access using IPsec VPN as a replacement for SSL VPN tunnel mode before upgrading to FortiOS 7.6.3 and later, as SSL VPN tunnel mode is no longer recommended in newer FortiOS releases.
Related documents:

  • IPsec and SSL Multiple user groups
  • Using single or multiple user groups for user authentication in IPsec VPN