rward1
Staff
Article Id 197061
Description
The following CLI syntax can be used to configure an L2TP over IPSec tunnel and was tested to work for a connection between a Windows 8.x Tablet and a FortiGate.

Solution
Text shown in '< >' is a placeholder and must be replaced with the value that matches your environment.

Syntax:

config system global
    set gui-policy-based-ipsec enable
end

config user local
    edit "<select_username>"
        set type password
        set passwd <create_password>
    next
end

config user group
    edit "L2TP"
        set member "<select_username>"
    next
end

config vpn l2tp
    set sip <first ip in range>
    set eip <last ip in range>
    set status enable
    set usrgrp "L2TP"
end

config vpn ipsec phase1
    edit "L2TP_WINRT_P1"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set add-route enable
        set dhgrp 2
        set psksecret <enter_preshared_key>
    next
end

config vpn ipsec phase2
    edit "L2TP_WINRT_P2"
        set phase1name "L2TP_WINRT_P1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 3600
    next
end


config firewall address
    edit "L2TP_Clients"
        set type iprange
        set start-ip <first ip in range>
        set end-ip <last ip in range>
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "L2TP_WINRT_P1"
    next

    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "L2TP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "<internal_interface>"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "L2TP_Clients"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "wan1"
        set dstintf "<internal_interface>"
        set srcaddr "L2TP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
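The objects above only work when they reference each other consistently: the L2TP_Clients address range must equal the sip/eip pool of vpn l2tp, phase 2 must hang off a dynamic phase 1 in transport mode, and every '< >' placeholder must actually have been replaced. The script below is an added example, not Fortinet code and not part of this article: it parses the flat config / edit / set / next / end syntax shown above and reports those inconsistencies before anything is pasted into a device. The embedded sample configuration is constructed for the example (a made-up 10.10.10.1-10.10.10.50 pool and made-up secret), trimmed to the lines the checks inspect. It also flags the md5 and 3des entries in the article's proposal lists and DH group 2 as legacy choices; the syntax is kept as the article gives it because older Windows clients negotiated those, but a practitioner should know the linter will call them out.

```python
import shlex

# Constructed sample: the article's syntax with its <placeholders> filled with
# made-up values (10.10.10.1-50 pool), trimmed to the lines the checks inspect.
SAMPLE_CONFIG = """
config vpn l2tp
    set sip 10.10.10.1
    set eip 10.10.10.50
end
config vpn ipsec phase1
    edit "L2TP_WINRT_P1"
        set type dynamic
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set psksecret ExamplePSK
    next
end
config vpn ipsec phase2
    edit "L2TP_WINRT_P2"
        set phase1name "L2TP_WINRT_P1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set encapsulation transport-mode
    next
end
config firewall address
    edit "L2TP_Clients"
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
end
"""

LEGACY_ALGS = {"md5", "3des", "des"}  # cipher/hash tokens inside proposal names
LEGACY_DH = {"1", "2", "5"}           # IKE DH groups below 2048-bit MODP


def parse_fortios(text):
    """Flat config/edit/set/next/end syntax -> {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None  # tables without 'edit' use entry None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # also strips the quotes FortiOS puts around names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "conf"):
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            if entry == "0":  # 'edit 0' asks the device to allocate the next free id
                entry = f"auto{len(tables[table])}"
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = None, None
        else:  # e.g. a mistyped keyword such as 'sset'
            raise ValueError(f"unrecognised line: {raw.strip()!r}")
    return tables


def _one(settings, key):
    return settings.get(key, [None])[0]  # first value of a setting, or None


def check_l2tp_config(tables):
    """Return a list of findings; an empty list means the snippet is consistent."""
    findings = []
    for table, entries in tables.items():  # anything in '< >' was never filled in
        for settings in entries.values():
            for key, values in settings.items():
                if any(v.startswith("<") for v in values):
                    findings.append(f"{table}: '{key}' still holds a <placeholder>")
    l2tp = tables.get("vpn l2tp", {}).get(None, {})
    pool = tables.get("firewall address", {}).get("L2TP_Clients", {})
    if (_one(pool, "start-ip"), _one(pool, "end-ip")) != (_one(l2tp, "sip"), _one(l2tp, "eip")):
        findings.append("firewall address L2TP_Clients does not match the vpn l2tp sip/eip pool")
    p1s = tables.get("vpn ipsec phase1", {})
    for name, p2 in tables.get("vpn ipsec phase2", {}).items():
        if _one(p1s.get(_one(p2, "phase1name"), {}), "type") != "dynamic":
            findings.append(f"phase2 {name}: phase1name must reference a 'type dynamic' phase1")
        if _one(p2, "encapsulation") != "transport-mode":
            findings.append(f"phase2 {name}: L2TP over IPsec needs transport-mode encapsulation")
    for table in ("vpn ipsec phase1", "vpn ipsec phase2"):  # legacy IKE/ESP algorithms
        for name, s in tables.get(table, {}).items():
            legacy = sorted({a for p in s.get("proposal", []) for a in p.split("-") if a in LEGACY_ALGS})
            if legacy:
                findings.append(f"{table} {name}: proposal offers legacy algorithms {', '.join(legacy)}")
            if set(s.get("dhgrp", [])) & LEGACY_DH:
                findings.append(f"{table} {name}: dhgrp uses a weak DH group")
    return findings


if __name__ == "__main__":
    for finding in check_l2tp_config(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the only findings are the three legacy-crypto notes for the proposal lines and dhgrp 2; swapping any placeholder back in, widening the address object beyond the sip/eip pool, or changing phase 2 to tunnel mode each produces an extra finding. The parser handles the flat syntax of this article only; nested config blocks inside an edit entry are not needed here and are not supported.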

Related Articles

Technical Tip : FortiOS Resolving L2TP IPSec connection issues when using Windows 7

Technical Note : L2TP over IPSec with Windows 7 and Vista
