Access site behind Site-to-Site tunnel via. L2TP Remote Access (Windows Native)

Hello,

You should also check if you lt2p subnet is allowed on the phase2 selectors of the site to site tunnel.
It also might be a policy or routing issue.
You can collect a debug flow and see why the traffic is not processed.
You can collect the output of the below commands while generating traffic from an l2tp client to the branch:

diag debug reset
diag debug flow filter addr x.x.x.x y.y.y.y and
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable

Where x.x.x.x is the source IP address and y.y.y.y the destination IP address

To stop the debug, type:

diag debug disable
diag debug reset

Best Regards,
Nikos

Hi,

I hope that you at least use L2TP over IPSec and not pure old L2TP with no encryption at all.

However, instead of fixing dead L2TP I would humbly suggest to reconsider the VPN schema and drop down L2TP use, completely. It's 22 years old protocol with zero protection!

All modern OS are able somehow directly, or with help of supplicants like FortiClient, to use IPSec or at least SSL VPN. Some even allows you to use IPSec with IKEv2. Even on mobile platforms like Android or Apple iOS.

So instead of unprotected prehistoric L2TP I'd suggest to use IPSec completely.

As hub (on HQ FortiGate) &spoke (on branch offices) + dialup (for mobile road warriors).

Hi Team,

You need to have firewall policy with source as l2tp subnet in the concerned firewall policy also in phase 2 selectors in the source address you need to have l2tp client subnet range in one firewall and in other firewall remote selectors you need to have l2tp client subnet range.

Please check and keep us posted