Article Id 215203
Description This article describes how to set up the FortiGate as a L2TP client.
Scope Small business FortiGate units such as 30E, 40F, 100F.

The FortiGate can be set up as an L2TP client only through the CLI, as follows:


Note: This is only available in standalone mode. L2TP is a layer 2 protocol, so running the L2TP client on an HA cluster would create a layer 2 broadcast loop; for that reason the option is not offered when HA is configured.


config system interface
    edit "wan"
        set status up
        set l2tp-client enable
        set l2forward enable
        config l2tp-client-settings
            set auth-type auto
            set defaultgw enable
            set mtu 1460
            set user <user_name>
            set password <password>
            set peer-host <host_IP_address>
            set peer-port <port>
        end
    next
end

peer-port is the UDP port used to reach the L2TP peer; the default is 1701. defaultgw enable uses the L2TP tunnel as the default gateway once it is up, and mtu 1460 leaves room for the L2TP and PPP encapsulation on a 1500-byte uplink.



This feature is available only on small business units such as the 30E, 40F and 100F.
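To check a unit's configuration against these requirements before opening a debug session, the following Python script (an added example, not Fortinet's code) parses a `show system ha` / `show system interface` dump and reports what is missing or out of range. The interface name, user name, peer address and port in the embedded sample dumps are hypothetical; the MTU and port limits are the values used in this article.

```python
"""Sanity-check a FortiGate L2TP-client configuration dump (added example, not Fortinet code).

Paste the output of `show system ha` and `show system interface <name>` into a
string and run check_l2tp_client() on it. The parser follows the config/edit/
set/next/end nesting of FortiOS CLI dumps; the rules encode the article's
requirements: standalone mode only, l2tp-client enabled, user, password and
peer-host present, a valid peer-port (default 1701) and an MTU no larger than
the 1460 the article uses.
"""
import ipaddress
import shlex

L2TP_DEFAULT_PORT = 1701
ARTICLE_MTU = 1460  # leaves 40 bytes for L2TP/PPP encapsulation on a 1500-byte uplink


def parse_fortios(text):
    """Parse a FortiOS CLI dump into nested dicts.

    'config <table>' and 'edit <name>' open a nested dict, 'set <key> <v...>'
    stores the value list under <key>, 'next' and 'end' close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *args = shlex.split(line)
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif verb == "unset" and args:
            stack[-1].pop(args[0], None)
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_l2tp_client(cfg, ifname="wan"):
    """Return a list of (severity, message) findings; an empty list means the dump passes."""
    findings = []
    ha_mode = cfg.get("system ha", {}).get("mode", ["standalone"])[0]
    if ha_mode != "standalone":
        findings.append(("error", f"HA mode is '{ha_mode}': the L2TP client is only supported in standalone mode"))
    iface = cfg.get("system interface", {}).get(ifname)
    if iface is None:
        findings.append(("error", f"interface '{ifname}' not found in the dump"))
        return findings
    if iface.get("l2tp-client", ["disable"])[0] != "enable":
        findings.append(("error", f"'set l2tp-client enable' is missing on {ifname}"))
    if iface.get("status", ["up"])[0] != "up":
        findings.append(("error", f"interface {ifname} is administratively down"))
    s = iface.get("l2tp-client-settings", {})
    for key in ("user", "password", "peer-host"):
        if not s.get(key):
            findings.append(("error", f"l2tp-client-settings: '{key}' is not set"))
    peer = s.get("peer-host", [None])[0]
    if peer is not None:
        try:
            ipaddress.ip_address(peer)
        except ValueError:  # not an IP literal: accept as a hostname, but flag that DNS must work first
            findings.append(("info", f"peer-host '{peer}' is a hostname; confirm the FortiGate can resolve it"))
    port = s.get("peer-port", [str(L2TP_DEFAULT_PORT)])[0]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("error", f"peer-port '{port}' is not a valid UDP port"))
    elif int(port) != L2TP_DEFAULT_PORT:
        findings.append(("info", f"peer-port {port} is not the default {L2TP_DEFAULT_PORT}; use it in the sniffer filter"))
    mtu = s.get("mtu", [str(ARTICLE_MTU)])[0]
    if not mtu.isdigit() or int(mtu) > ARTICLE_MTU:
        findings.append(("warning", f"mtu '{mtu}' is above {ARTICLE_MTU}; tunnelled packets may be fragmented"))
    return findings


# Constructed sample dumps (hypothetical names, addresses and secret; not from a real unit)
GOOD_DUMP = """
config system ha
    set mode standalone
end
config system interface
    edit "wan"
        set status up
        set l2tp-client enable
        set l2forward enable
        config l2tp-client-settings
            set auth-type auto
            set defaultgw enable
            set mtu 1460
            set user "l2tpuser"
            set password ENC dW5yZWFsc2VjcmV0
            set peer-host 203.0.113.10
            set peer-port 1701
        end
    next
end
"""
BAD_DUMP = (GOOD_DUMP.replace("set mode standalone", "set mode a-p")
            .replace("set mtu 1460", "set mtu 1500")
            .replace("set peer-port 1701", "set peer-port 70000")
            .replace("set peer-host 203.0.113.10", "set peer-host l2tp.example.net")
            .replace("set password ENC dW5yZWFsc2VjcmV0", "unset password"))

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, check_l2tp_client(parse_fortios(dump), "wan") or "OK")
```

The password check only tests that a value is present; the ENC blob in a `show` dump is the stored encrypted form and is not validated further.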


If the L2TP client does not connect, use the following debug, sniffer and diagnostic commands to troubleshoot.

Debug: the first two commands clear any previous debug state, then the L2TP client daemon (l2tpcd) and PPP are traced at full verbosity with timestamps:

diagnose debug disable
diagnose debug reset
diagnose debug application l2tpcd -1
diagnose debug application ppp -1
diagnose debug console timestamp enable
diagnose debug enable


Once the debug capture is complete, run the following commands to turn debugging off again:

diagnose debug reset
diagnose debug disable


Sniffer: capture the traffic exchanged with the L2TP peer. Verbosity 6 prints the headers, the payload as a hex dump and the interface name, 0 sets no packet count limit and l adds local timestamps. Use the peer-port value from the configuration (1701 unless it was changed):

diagnose sniffer packet any "host <Peer-host-ip> and port <Peer-host-port>" 6 0 l

(Stop the sniffer at any time with CTRL+C.)


Diagnostic command:


diagnose test application l2tpcd 1
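To read the sniffer output without a full protocol analyser, the following Python script (an added example, not Fortinet's code) decodes L2TPv2 control messages (RFC 2661) from the UDP payload bytes and gives a verdict on where the setup stalled. The sample exchanges, tunnel IDs and host names embedded in it are constructed; the decoder only looks at the control channel (message type, host name, assigned tunnel ID and result code AVPs), and the verdict strings are this script's own heuristics, not FortiOS messages.

```python
"""Decode L2TPv2 control messages (RFC 2661) from raw UDP payloads (added example, not Fortinet code).

Feed diagnose_exchange() the UDP payload of each packet between the FortiGate and
the peer (from the sniffer's verbosity-6 hex dump or a pcap) with its direction
('out' = FortiGate to peer, 'in' = peer to FortiGate). An SCCRQ with no SCCRP
means the peer never answered, a StopCCN or CDN from the peer carries a result
code, and once ICCN has been seen the tunnel is up and the fault is in PPP.
"""
import struct

# Header flag bits of the first 16-bit word and the version nibble (RFC 2661 section 3.1)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100, 0x000F
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ",
                 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN",
                 15: "WEN", 16: "SLI"}
AVP_MESSAGE_TYPE, AVP_RESULT_CODE, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 1, 7, 9


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Build a control message from (attribute_type, value) pairs (M bit set, vendor 0); used for the samples."""
    body = b"".join(struct.pack("!HHH", 0x8000 | (6 + len(v)), 0, t) + v for t, v in avps)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def decode_control_message(payload):
    """Parse one L2TPv2 control message into a dict; raises ValueError on anything malformed."""
    if len(payload) < 12:
        raise ValueError("too short for an L2TP control header")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", payload[:12])
    if flags & VER_MASK != 2:
        raise ValueError("not an L2TPv2 message")
    if not flags & T_BIT:
        raise ValueError("data message, not a control message")
    if not (flags & L_BIT and flags & S_BIT) or flags & (O_BIT | P_BIT):
        raise ValueError("control messages must set L and S and clear O and P")
    if length < 12 or length > len(payload):
        raise ValueError("bad length field")
    msg = {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr, "type": None, "avps": {}}
    off = 12
    while off + 6 <= length:
        avp_hdr, vendor, attr = struct.unpack("!HHH", payload[off:off + 6])
        avp_len = avp_hdr & 0x03FF  # low 10 bits; the length includes the 6-byte AVP header
        if avp_len < 6 or off + avp_len > length:
            raise ValueError("bad AVP length")
        value = payload[off + 6:off + avp_len]
        off += avp_len
        if vendor != 0 or avp_hdr & 0x4000:  # vendor-specific, or hidden (needs the tunnel secret): skip
            continue
        if attr == AVP_MESSAGE_TYPE and len(value) == 2:
            code = struct.unpack("!H", value)[0]
            msg["type"] = MESSAGE_TYPES.get(code, f"type-{code}")
        elif attr == AVP_RESULT_CODE and len(value) >= 2:
            result = struct.unpack("!H", value[:2])[0]
            error = struct.unpack("!H", value[2:4])[0] if len(value) >= 4 else None
            msg["avps"]["result"] = (result, error, value[4:].decode("ascii", "replace"))
        elif attr == AVP_HOST_NAME:
            msg["avps"]["host_name"] = value.decode("ascii", "replace")
        elif attr == AVP_ASSIGNED_TUNNEL_ID and len(value) == 2:
            msg["avps"]["assigned_tunnel_id"] = struct.unpack("!H", value)[0]
    if msg["type"] is None:
        msg["type"] = "ZLB" if length == 12 else "malformed"  # a ZLB ACK carries no AVPs at all
    return msg


def diagnose_exchange(packets):
    """packets: list of (direction, udp_payload). Returns (trace, verdict) where trace lists 'dir TYPE'."""
    seen = [(d, decode_control_message(p)) for d, p in packets]
    trace = [f"{d} {m['type']}" for d, m in seen]
    inbound = [m for d, m in seen if d == "in"]
    types_in = {m["type"] for m in inbound}
    types_out = {m["type"] for d, m in seen if d == "out"}
    if "SCCRQ" in types_out and not inbound:
        verdict = "no reply from peer: check peer-host, peer-port and that UDP reaches the peer"
    elif "StopCCN" in types_in:
        code, err, text = next(m["avps"].get("result", (None, None, "")) for m in inbound if m["type"] == "StopCCN")
        verdict = f"peer tore the tunnel down: StopCCN result {code}, error {err}, '{text}'"
    elif "CDN" in types_in:
        verdict = "peer ended the session (CDN): check user, password and auth-type with the ppp debug"
    elif "ICCN" in types_out | types_in:
        verdict = "tunnel and session established: the fault is in PPP/IPCP, use the ppp debug"
    else:
        verdict = "control exchange incomplete, last message seen: " + trace[-1]
    return trace, verdict


# Constructed sample exchanges (hypothetical tunnel IDs 10/55, session IDs and host names)
SCCRQ = build_control_message(0, 0, 0, 0, [(0, b"\x00\x01"), (7, b"fgt"), (9, b"\x00\x0a")])
SCCRP = build_control_message(10, 0, 0, 1, [(0, b"\x00\x02"), (7, b"lns"), (9, b"\x00\x37")])
SCCCN = build_control_message(55, 0, 1, 1, [(0, b"\x00\x03")])
ICRQ = build_control_message(55, 0, 2, 1, [(0, b"\x00\x0a"), (14, b"\x00\x01")])
ICRP = build_control_message(10, 1, 1, 3, [(0, b"\x00\x0b"), (14, b"\x00\x05")])
ICCN = build_control_message(55, 5, 3, 2, [(0, b"\x00\x0c")])
STOPCCN = build_control_message(10, 0, 0, 1, [(0, b"\x00\x04"), (9, b"\x00\x37"), (1, b"\x00\x04\x00\x00")])
SAMPLES = {
    "peer silent": [("out", SCCRQ), ("out", SCCRQ)],
    "peer rejects": [("out", SCCRQ), ("in", STOPCCN)],
    "tunnel up": [("out", SCCRQ), ("in", SCCRP), ("out", SCCCN), ("in", build_control_message(10, 0, 1, 2, [])),
                  ("out", ICRQ), ("in", ICRP), ("out", ICCN)],
}

if __name__ == "__main__":
    for name, pkts in SAMPLES.items():
        trace, verdict = diagnose_exchange(pkts)
        print(f"{name}: {' -> '.join(trace)}\n    {verdict}")
```

Only the control channel is decoded: once ICCN has gone through, the remaining traffic is PPP inside L2TP data messages (T bit clear), which this script deliberately rejects, and that is the point at which the ppp debug above becomes the useful tool.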