AlexDayan
New Member
June 26, 2013
Question

L2TP Connection to ISP

  • June 26, 2013
  • 8 replies
  • 16716 views
Hi. Please help me to configure a Fortigate 40C 4.0 MR3 to connect to my ISP with L2TP. My local ISP supports only L2TP, and I need to share this connection between 10 computers. Thanks for the help.

    8 replies

    ede_pfau
    SuperUser
    June 27, 2013
    hi, and welcome to the forums. FortiOS only supports L2TP as a server, not as a client. That is, if your ISP dials in it might work; if you (as a client) have to dial in to the ISP, no way using the FGT. Furthermore, the only encryption available is MPPE and not IPsec. You can look up the details in the FortiOS Handbook for v4.3. You might set up a server running MS Windows and have the FGT just pass the traffic to the ISP, but I wouldn't recommend that.
    Carl_Wallmark
    New Member
    June 27, 2013
    Hi, actually you can set up an L2TP client on a smaller Fortigate (including a 40C). "Enable or disable this interface as a Layer 2 Tunneling Protocol (L2TP) client. Enabling makes config l2tp-client-settings visible. You may need to enable l2forward on this interface. This is available only on FortiGate 50 series, 60 series, and 100A. The interface can not be part of an aggregate interface, and the FortiGate unit can not be in Transparent mode, or HA mode. If l2tp-client is enabled on an interface, the FortiGate unit will not enter HA mode until the L2TP client is disabled."
    ede_pfau
    SuperUser
    June 27, 2013
    I'm learning new things every day... thanks. Where is the quote from, and where do you enable this setting (in CLI)?
    Carl_Wallmark
    New Member
    June 27, 2013
    This comes from the CLI reference, and yes, it's CLI only.
    ede_pfau
    SuperUser
    June 27, 2013
    OK, found it in the "Interface" section:

        config system interface
            edit <interface_name>
                set l2tp-client {enable | disable}
                ...
                set l2forward {enable | disable}

    and then:

        config l2tp-client-settings

        auth-type {auto | chap | mschapv1 | mschapv2 | pap}
            Select the type of authorization used with this client:
            auto — automatically choose type of authorization.
            chap — use Challenge-Handshake Authentication Protocol.
            mschapv1 — use Microsoft version of CHAP version 1.
            mschapv2 — use Microsoft version of CHAP version 2.
            pap — use Password Authentication Protocol.
            def.: auto
        defaultgw {enable | disable}
            Enable to use the default gateway.
            def.: disable
        distance <admin_distance>
            Enter the administration distance of learned routes.
            def.: 2
        mtu <integer>
            Enter the Maximum Transmission Unit (MTU) for L2TP.
            def.: 1460
        password <password>
            Enter the password for L2TP.
            def.: n/a
        peer-host <ipv4_addr>
            Enter the IP address of the L2TP host.
            def.: n/a
        peer-mask <netmask>
            Enter the netmask used to connect to L2TP peers connected to this interface.
            def.: 255.255.255.255
        peer-port <port_num>
            Enter the port used to connect to L2TP peers on this interface.
            def.: 1701
        priority <integer>
            Enter the priority of routes learned through L2TP. This will be used to resolve any ties in the routing table.
            def.: 0
        user <string>
            Enter the L2TP user name used to connect.
            def.: n/a
    emnoc
    New Member
    June 27, 2013
    Here's a cfg:

        config system interface
            edit "wan2"
                set vdom "root"
                set mode dhcp
                set l2forward enable
                set ddns enable
                set type physical
                set alias "WANuplink01"
                set l2tp-client enable
                set defaultgw enable
                set macaddr 00:16:cb:ad:fa:51
                config l2tp-client-settings
                    set auth-type pap
                    set mtu 1410
                    set password ENC PEKdB2hpJ3d+kBHAdYhLt2aXv4zeaExH9tdbQ27BhwhM8vSKixegcI07sEsiPPzNr5OQvE3JqNfED/ayidxjVRUtTQSFxKbK7OA08Da/Dj07ngb8
                    set peer-host "33.33.33.33"
                    set user "networkyt98"
                end
            next
        end

    Things to be aware of:

    > the l2tp secondary MTU needs to be reduced
    > you might want to apply mss adjustments for any tcp traffic at the firewall policy level
    > validate your provider authentication type
    > authentication auto has been flaky sometimes, so if your provider supports pap/chap or whatever, hardcode it

    Here's a fwpolicy showing how I adjust tcp mss:

        config firewall policy
            edit 15
                set srcintf "internal"
                set dstintf "wan2"
                set srcaddr "INSIDELAN01"
                set dstaddr "all"
                set schedule "always"
                set service "TCP"
                set tcp-mss-sender 1360
                set tcp-mss-receiver 1360
                set comments "reduction in MSS due to l2tp overhead"
            next
        end

    So you will need to monitor and possibly tcpdump the SYN or SYN-ACK packets to validate the mss value set or received across the interface:

        tcpdump -nnn -vvvv -i eth0 'tcp[13]==18'

    I use the above cfgs at doctors' offices that I have a SOHO FWF60B located at. I think the FGT100 also supports l2tp-client iirc. PMTU should not be trusted and YMMV.
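    The MSS clamp and the tcpdump check in the post above can be reasoned through offline. The Python below is an added example, not emnoc's code or anything from FortiOS: it computes the largest IPv4 MSS that fits the posted L2TP MTU of 1410 (MSS = MTU minus 20 bytes IPv4 and 20 bytes TCP), decodes TCP header byte 13 the same way the filter 'tcp[13]==18' does (SYN 0x02 + ACK 0x10 = 0x12 = 18, so that filter sees SYN-ACKs only; a plain SYN is 'tcp[13]==2'), and walks the TCP option list of a constructed SYN segment to read the advertised MSS. All segments and port numbers are constructed for the example; on a real capture you would feed the decoded TCP header bytes to mss_option() instead.

```python
import struct

# Fixed IPv4 and TCP header sizes (no IP options, no TCP options). The MSS a host
# advertises is the largest TCP payload it will accept, so it has to fit inside
# the tunnel MTU after both headers are subtracted.
IPV4_HEADER = 20
TCP_HEADER = 20

# Bits of TCP header byte 13, the byte that tcpdump's 'tcp[13]==18' tests.
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def max_mss_for_mtu(mtu: int) -> int:
    """Largest MSS that fits an IPv4 TCP segment inside the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def mss_fits(mss: int, l2tp_mtu: int) -> bool:
    """True if an advertised or clamped MSS leaves room for the tunnel MTU."""
    return mss <= max_mss_for_mtu(l2tp_mtu)


def build_syn(mss: int, ack: bool = False, seq: int = 1000) -> bytes:
    """Build a constructed TCP SYN (or SYN-ACK) segment: 20-byte header plus options.

    Options: MSS (kind 2, len 4), NOP, NOP, SACK-permitted (kind 4, len 2),
    padded with EOL to a 4-byte boundary as a real stack would emit them."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    options += b"\x00" * (-len(options) % 4)
    data_offset = (TCP_HEADER + len(options)) // 4  # header length in 32-bit words
    flags = FLAG_SYN | (FLAG_ACK if ack else 0)
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 443,                # constructed source / destination ports
        seq, seq + 1 if ack else 0,  # sequence and acknowledgement numbers
        data_offset << 4,          # data offset in the high nibble, reserved bits 0
        flags,                     # byte 13
        65535,                     # window
        0,                         # checksum: not computed, not needed for parsing
        0,                         # urgent pointer
    )
    return header + options


def tcp_flags(segment: bytes) -> int:
    """Return TCP header byte 13, exactly what 'tcp[13]' indexes in tcpdump."""
    return segment[13]


def is_syn_ack(segment: bytes) -> bool:
    """Same test as 'tcp[13]==18': SYN and ACK set and nothing else."""
    return tcp_flags(segment) == (FLAG_SYN | FLAG_ACK)


def mss_option(segment: bytes):
    """Return the MSS advertised in a TCP segment's options, or None if absent.

    Walks the option list per RFC 793: kind 0 ends the list, kind 1 is a
    one-byte NOP, every other kind carries a length byte that counts the kind
    and length bytes themselves. Malformed lengths raise instead of misparsing."""
    header_len = (segment[12] >> 4) * 4
    if header_len < TCP_HEADER or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[TCP_HEADER:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:      # EOL: nothing further
            break
        if kind == 1:      # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


if __name__ == "__main__":
    L2TP_MTU = 1410   # mtu from the posted l2tp-client-settings
    CLAMP = 1360      # tcp-mss-sender / tcp-mss-receiver from the posted policy
    print("max MSS for MTU", L2TP_MTU, "is", max_mss_for_mtu(L2TP_MTU),
          "; clamp", CLAMP, "fits:", mss_fits(CLAMP, L2TP_MTU))
    # A client SYN offering a full-Ethernet MSS and the clamped SYN-ACK coming back.
    for seg in (build_syn(1460), build_syn(CLAMP, ack=True)):
        kind = "SYN-ACK" if is_syn_ack(seg) else "SYN"
        mss = mss_option(seg)
        print(kind, "advertises MSS", mss, "fits tunnel:", mss_fits(mss, L2TP_MTU))
```

    With the posted numbers the ceiling is 1370, so the clamp of 1360 leaves a 10-byte margin; a SYN that still shows 1460 after crossing the policy means the clamp is not being applied to that flow.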
    RD1
    New Member
    February 10, 2022

    Hi gurus!

    I need to connect my FTG 80E to my ISP. My ISP is using L2TP. I have searched through the Internet and this is the only thread I found on this forum!

    Since I am new to firewalls, could you please clarify for me how to configure my WAN interface as an l2tp client...

    Here are the settings I need to configure in CLI. In the answer above it is described what these settings mean.

    Some of them are not clear to me. Could you please clarify for a dummy.

    user: it is clear

    password: clear also

    peer-host: not clear… Is it an IP assigned by my ISP to my wan interface? BTW I am using a static IP from my ISP tied to my login

    peer-mask:

    peer-port: clear

    auth-type: clear

    mtu: clear

    distance: clear

    priority: clear

    defaultgw: not clear, what should be here?

    ip: not clear also

    Where should the IP address of the ISP server for authorization be typed in?

    Could you please help me with the settings?

    Thank you