Tutek
New Member
May 18, 2022
Question

VPN wizard change remote subnet

  • May 18, 2022
  • 6 replies
  • 4767 views

Hi,

I have created a VPN for the native Windows client. During setup I chose a subnet range for the client; now I need to change that setting, but I don't see it in the tunnel settings, and even in the CLI I don't see it. Where is it applied?

Router (VPN_ipsec) # get
name                : VPN_ipsec
type                : dynamic
interface           : port24
ip-version          : 4
ike-version         : 1
local-gw            : 0.0.0.0
keylife             : 86400
authmethod          : psk
mode                : main
peertype            : any
net-device          : disable
exchange-interface-ip: disable
mode-cfg            : disable
proposal            : aes256-md5 3des-sha1 aes192-sha1
add-route           : enable
localid             :
localid-type        : auto
negotiate-timeout   : 30
fragmentation       : enable
ip-fragmentation    : post-encapsulation
dpd                 : on-demand
forticlient-enforcement: disable
comments            : VPN:
npu-offload         : enable
dhgrp               : 2
suite-b             : disable
wizard-type         : dialup-windows
xauthtype           : disable
idle-timeout        : disable
ha-sync-esp-seqno   : enable
auto-discovery-sender: disable
auto-discovery-receiver: disable
auto-discovery-forwarder: disable
nattraversal        : enable
rekey               : enable
enforce-unique-id   : disable
fec-egress          : disable
fec-ingress         : disable
default-gw          : 0.0.0.0
default-gw-priority : 0
tunnel-search       : selectors
psksecret           : *
keepalive           : 10
distance            : 15
priority            : 0
dpd-retrycount      : 3
dpd-retryinterval   : 20

6 replies

Contributor
May 18, 2022

Hello,

You can change the address range from the config below:

config vpn l2tp
    set status enable
    set eip 1.1.1.10      <-- eip
    set sip 1.1.1.1       <-- sip
    set usrgrp "Guest-group"
end

Here:
* eip is the End IP.
* sip is the Start IP.

Best Regards.

Tutek (Author)
New Member
May 18, 2022

OK, thanks.

And how could I set a different DNS for the client to receive, other than the one assigned from the FortiGate system DNS?

Contributor
May 18, 2022

Custom DNS servers are not supported with L2TP tunnels. Users connected via L2TP will always retrieve the FortiGate system DNS servers.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Custom-DNS-servers-are-not-supported-with-L2TP/ta-p/212362

Tutek (Author)
New Member
May 18, 2022

Why, if I do "set enforce-ipsec enable" in the L2TP settings, does my L2TP connection not connect anymore? I want to be sure that this connection is always encrypted by the IPsec tunnel.

Contributor
May 18, 2022

config vpn l2tp
    set enforce-ipsec enable
end

This will force L2TP to use IPsec, which you have already created on the FortiGate. After making the above change, L2TP will only allow connections using "L2TP/IPsec with pre-shared key" under the VPN settings on Windows.

Make sure the pre-shared key is correct:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/configure-preshared-key-to-use-l2tp


Tutek (Author)
New Member
May 18, 2022

Yes, I didn't touch the IPsec settings. With set enforce-ipsec disabled the connection is working; once it is set to enabled, it does not.

pminarik
Staff
May 18, 2022

That suggests that your client might be using pure, !!! UNENCRYPTED !!!, L2TP. This would be a pretty bad idea, as pure L2TP doesn't really provide any security. ("set enforce-ipsec enable" refuses plain L2TP and mandates its encapsulation in IPsec.)

You can try confirming that by making a packet capture of the client's traffic.

If it's UDP ports 500/4500, then that's IKE negotiation, meaning they're using IPsec with presumably L2TP inside afterwards. If it's UDP/1701, then that's plaintext L2TP (bad).
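
The capture check described above, as an added example that is not part of the original thread and not Fortinet code: a small Python classifier that reads a simplified capture summary of client-to-gateway packets and reports whether the L2TP session is protected by IPsec or running in plaintext. The one-line-per-packet input format ("PROTO src[:port] > dst[:port]"), the sample packets and the verdict names are constructed for this example, not real tcpdump or FortiGate sniffer output. The logic follows the post: UDP 500 is IKE, UDP 4500 is IKE/ESP with NAT traversal, IP protocol ESP is the encrypted tunnel, and UDP 1701 seen on the wire between client and gateway is plaintext L2TP, because L2TP carried inside ESP is not visible as UDP/1701 until it is decrypted.

```python
"""Tell IPsec-protected L2TP from plaintext L2TP in a packet summary.

Input lines use a constructed format for this example (NOT tcpdump output):
    "<PROTO> <src_ip>[:<port>] > <dst_ip>[:<port>]"
The capture must be taken on the interface between client and gateway
(the outside of the tunnel); inside the tunnel everything is L2TP.
"""
import re
from collections import Counter

IKE_PORT = 500     # IKE/ISAKMP negotiation (IPsec is being set up)
NATT_PORT = 4500   # IKE or ESP encapsulated in UDP for NAT traversal
L2TP_PORT = 1701   # L2TP itself; visible on the wire only when NOT inside IPsec

LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+>\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def classify(line):
    """Return one of: esp, ike, ike-natt, l2tp-plain, other."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable capture line: {line!r}")
    proto = m.group("proto")
    if proto == "ESP":            # IP protocol 50: encrypted payload
        return "esp"
    if proto != "UDP":
        return "other"
    ports = {int(p) for p in (m.group("sport"), m.group("dport")) if p}
    if L2TP_PORT in ports:        # L2TP in the clear between client and gateway
        return "l2tp-plain"
    if NATT_PORT in ports:
        return "ike-natt"
    if IKE_PORT in ports:
        return "ike"
    return "other"


def assess(lines):
    """Classify every packet and return (verdict, per-class counts).

    Any plaintext L2TP packet makes the verdict PLAINTEXT_L2TP even if IKE
    was also seen, since a client that negotiates IPsec and then falls back
    to bare L2TP still sends credentials and data unprotected.
    """
    counts = Counter(classify(l) for l in lines if l.strip())
    if counts["l2tp-plain"]:
        verdict = "PLAINTEXT_L2TP"
    elif counts["ike"] or counts["ike-natt"] or counts["esp"]:
        verdict = "IPSEC"
    else:
        verdict = "NO_VPN_TRAFFIC"
    return verdict, dict(counts)


# Constructed samples (documentation addresses, not a real capture).
# Client 192.0.2.10 talking to gateway 198.51.100.1.
SAMPLE_AUTOMATIC = [   # what a client on bare L2TP looks like from outside
    "UDP 192.0.2.10:1701 > 198.51.100.1:1701",
    "UDP 198.51.100.1:1701 > 192.0.2.10:1701",
    "UDP 192.0.2.10:1701 > 198.51.100.1:1701",
]
SAMPLE_PSK = [         # L2TP/IPsec with pre-shared key: IKE, then ESP only
    "UDP 192.0.2.10:500 > 198.51.100.1:500",
    "UDP 198.51.100.1:500 > 192.0.2.10:500",
    "UDP 192.0.2.10:4500 > 198.51.100.1:4500",
    "ESP 192.0.2.10 > 198.51.100.1",
    "ESP 198.51.100.1 > 192.0.2.10",
]

if __name__ == "__main__":
    for name, sample in (("automatic", SAMPLE_AUTOMATIC), ("psk", SAMPLE_PSK)):
        verdict, counts = assess(sample)
        print(f"{name}: {verdict} {counts}")
```

Feed it the summary of a capture taken on the FortiGate's outside interface or on the client's network adapter; the only line shape that matters is which protocol and ports each packet uses. With "set enforce-ipsec enable" the gateway should never produce a PLAINTEXT_L2TP verdict, because it rejects UDP/1701 that does not arrive inside ESP.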

sw2090
SuperUser
May 18, 2022

You might have to convert it to a custom tunnel, because otherwise there are various options you don't see in the GUI. Just FYI.

Tutek (Author)
New Member
May 18, 2022

This is strange. With the setting "set enforce-ipsec disabled":

- When on the Windows native client I leave the IPsec type as Automatic, the connection is established but without encryption, only MS-CHAP v2.

- When on the native Windows client I choose IPsec as L2TP/IPsec with pre-shared key and then enter the key, the connection is established with IPsec encryption (3DES).

- If on the FortiGate I change the L2TP settings to "set enforce-ipsec enabled", I can no longer connect either way.

Contributor
May 19, 2022

Can you take the debug output and reproduce the issue for all the scenarios?

diagnose debug reset
diagnose debug disable
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable