Minotaur
Visitor III
May 27, 2025
Solved

Unable to diagnose L2TP tunnels and run OSPF

  • May 27, 2025
  • 1 reply
  • 689 views

Hello!


I have an odd problem with L2TP server over IPSEC on my FG-100F box running 7.4.6 software.

My configuration:

config vpn ipsec phase1-interface
    edit "L2TP-VOLZ"
        set type dynamic
        set interface "VLAN96-TESTLAB"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha512
        set dpd on-idle
        set psksecret ENC <removed>
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "L2TP-VOLZ"
        set phase1name "L2TP-VOLZ"
        set proposal aes256gcm
        set encapsulation transport-mode
        set l2tp enable
    next
end

config vpn l2tp
    set status enable
    set eip 10.100.251.254
    set sip 10.100.251.1
    set enforce-ipsec enable
    set usrgrp "IPSEC VPN"
end

config system interface
    edit "l2t.TESTLAB"
        set vdom "TESTLAB"
        set allowaccess ping
        set type tunnel
        set snmp-index 99
    next
end

config system interface
    edit "L2TP-VOLZ"
        set vdom "TESTLAB"
        set ip 0.0.0.0 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 129
        set interface "VLAN96-TESTLAB"
    next
end

config router static
    edit 4
        set dst 10.100.251.0 255.255.255.0
        set device "l2t.TESTLAB"
    next
end

The remote router connects successfully and gets IP address 10.100.251.2 on its side.
But there are some issues.

1. It looks like the FortiGate allocates 10.100.251.1 on its side, but it seems that it is not bound to any interface:

gw-fond-2 (TESTLAB) # diag ip address list | grep 10.100.251.1

-- empty output.


2. As a result, the customer is not able to ping 10.100.251.1, and the FortiGate is not able to ping the customer either:

gw-fond-2 (TESTLAB) # execute ping-options source 10.100.251.1

gw-fond-2 (TESTLAB) # execute ping 10.100.251.2
PING 10.100.251.2 (10.100.251.2): 56 data bytes

--- 10.100.251.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

3. Both L2TP VPN diagnostic commands return empty output:

gw-fond-2 (TESTLAB) # diag vpn l2tp status

-- empty

gw-fond-2 (TESTLAB) # diag vpn l2tp tunnel

-- empty.

4. OSPF is not able to run over L2TP tunnels because it does not see any interfaces.


What am I doing wrong? Thanks!


1 reply

funkylicious
SuperUser
May 27, 2025

hi,

try configuring 10.100.251.1/32 address on l2t.TESTLAB interface and 10.100.251.2/24 as the remote.

"jack of all trades, master of none"
Minotaur (Author, best answer)
Visitor III
May 27, 2025

@funkylicious wrote:

hi,

try configuring 10.100.251.1/32 address on l2t.TESTLAB interface and 10.100.251.2/24 as the remote.


Thank you. It helped.
So now I should add the l2t.TESTLAB interface to OSPF as point-to-multipoint in order to get it working? It is somewhat different from what I've seen in all the documentation I was able to find...

funkylicious
SuperUser
May 27, 2025

I think so, I don't really work so much with OSPF but it would seem reasonable.


I found out the hard way while doing a migration of config for a client which had L2TP (I don't really like to configure it) where traffic wasn't working, and found this which helped me solve my issue - different from yours,

https://docs.fortinet.com/document/fortigate/7.0.10/fortios-release-notes/927994/l2tp-over-ipsec-configuration-needs-to-be-manually-updated-after-upgrading-from-6-4-x-or-7-0-0-to-7-0-1-and-later 

"jack of all trades, master of none"
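The fix suggested in this thread and the OSPF follow-up, written out as FortiOS CLI (an added example, not the poster's or Fortinet's own configuration): the L2TP server address from `set sip` is bound as a /32 on l2t.TESTLAB so it appears in `diagnose ip address list` and OSPF has an interface to attach to, while `enforce-ipsec enable` keeps L2TP accepted only inside the IPsec tunnel. The OSPF area 0.0.0.0, the router-id and the ospf-interface name "L2TP-P2MP" are assumptions; the `#` lines are explanatory and should be dropped when pasting into an interactive CLI session.

```fortios
# Added example: corrected l2t.TESTLAB interface for this thread.
# Only the address line changes relative to the original post.
config system interface
    edit "l2t.TESTLAB"
        set vdom "TESTLAB"
        # Bind the L2TP server address (sip) as a /32, as suggested in the reply
        set ip 10.100.251.1 255.255.255.255
        set allowaccess ping
        set type tunnel
    next
end

# L2TP server block unchanged from the original post; sip must match the /32 above
config vpn l2tp
    set status enable
    set sip 10.100.251.1
    set eip 10.100.251.254
    set enforce-ipsec enable
    set usrgrp "IPSEC VPN"
end

# OSPF over the L2TP tunnel interface as point-to-multipoint.
# Area 0.0.0.0, the router-id and the name "L2TP-P2MP" are assumptions.
config router ospf
    set router-id 10.100.251.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "L2TP-P2MP"
            set interface "l2t.TESTLAB"
            set network-type point-to-multipoint
        next
    end
    config network
        edit 1
            set prefix 10.100.251.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end

# Verify: the address is now bound and the tunnel interface runs OSPF
diagnose ip address list | grep 10.100.251.1
get router info ospf interface l2t.TESTLAB
```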