skaneria
Staff
Article Id 196803

Description


L2TP is mostly used by clients who do not wish to install VPN client software (such as FortiClient) but still need a secure, encrypted VPN connection.
The Windows native VPN client can be used for the L2TP connection.


L2TP can also be configured on top of an interface/route-based IPsec VPN.
If WAN load balancing is in use on versions 5.2/5.4/5.6 and L2TP is required, interface/route-based L2TP over IPsec is the way to achieve it.

 

Scope

 

FortiGate

Solution

 

config user local
    edit "test"
        set type password
        set passwd 123456
    next
end

config user group
    edit "L2TP_Group"
        set member "test"
    next
end

config vpn l2tp
    set eip 10.10.10.100
    set sip 10.10.10.1
    set status enable
    set usrgrp "L2TP_Group"
end

config vpn ipsec phase1-interface
    edit "L2TP"
        set type dynamic
        set interface "port9"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set net-device enable
        set psksecret <password>
    next
end

config vpn ipsec phase2-interface
    edit "L2TP-p2"
        set phase1name "L2TP"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
    next
end

config firewall policy
    edit 0
        set name "L2TP policy"
        set srcintf "L2TP"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "L2TP"
    next
end

config firewall policy
    edit 0
        set name "IPsec policy"
        set srcintf "L2TP"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
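As an added example (not from the article or from Fortinet), the following Python script parses a FortiOS config dump in the format shown above and checks the pieces the L2TP setup depends on: that the user group named under config vpn l2tp exists with exactly that name (a quoting slip such as a leading space inside the quotes breaks the lookup), that phase1 proposals do not rely on MD5 or 3DES, and that net-device is enabled (see the note about NAT below). SAMPLE_CONFIG is a constructed excerpt, not a real device dump.

```python
# Added example, not Fortinet code: a lint pass over a FortiOS L2TP-over-IPsec
# config dump for the cross-references and settings this article depends on.
import shlex
from collections import defaultdict

# Constructed sample mirroring the article's CLI, stray space in the group name included.
SAMPLE_CONFIG = """
config user group
    edit " L2TP_Group"
    next
end
config vpn l2tp
    set usrgrp "L2TP_Group"
end
config vpn ipsec phase1-interface
    edit "L2TP"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set net-device enable
    next
end
"""
WEAK = {"md5", "3des", "des"}  # legacy algorithms a config review should flag

def parse(text):
    """Flat parse to {section: {entry: {key: values}}}; 'set' outside 'edit' -> None entry."""
    tree, section, entry = defaultdict(lambda: defaultdict(dict)), None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
        elif tok[0] == "edit":
            entry = tok[1]  # shlex keeps the quoted name verbatim, spaces included
            tree[section][entry]  # register the entry even if it has no 'set' lines
        elif tok[0] == "set":
            tree[section][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
    return tree

def lint(tree):
    """Return findings; an empty list means the L2TP pieces reference each other."""
    out, groups = [], set(tree["user group"]) - {None}
    grp = tree["vpn l2tp"][None].get("usrgrp", [None])[0]
    if grp not in groups:
        out.append(f"vpn l2tp usrgrp {grp!r} matches no user group {sorted(groups)}")
    for name, p1 in tree["vpn ipsec phase1-interface"].items():
        weak = [p for p in p1.get("proposal", []) if set(p.split("-")) & WEAK]
        if weak:
            out.append(f"phase1 {name}: legacy proposals {weak}")
        if p1.get("net-device") != ["enable"]:
            out.append(f"phase1 {name}: net-device off, one L2TP client per NAT device")
    return out
```

Run lint(parse(text)) against a backup taken with `show vpn l2tp`, `show user group` and `show vpn ipsec phase1-interface`; the checks are deliberately flat and do not follow nested config blocks.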

 

To configure L2TP over an IPsec tunnel using the GUI:

  1. Go to VPN -> IPsec Wizard.
  2. Enter a VPN Name. In this example, L2tpoIPsec.
  3. Configure the following settings for VPN Setup:
     • For Template Type, select 'Remote Access'.
     • For Remote unit type, select 'Native and Windows Native'.
     • Select 'Next'.
  4. Configure the following settings for Authentication:
     • For 'Incoming Interface', select port9.
     • For 'Authentication Method', select 'Pre-shared Key'.
     • In the 'Pre-shared Key' field, type 'your-psk' as the key.
     • For 'User Group', select 'L2TP_Group'.
     • Select 'Next'.
  5. Configure the following settings for Policy & Routing:
     • Select the local interface from the 'Local Interface' dropdown menu.
     • Configure the Local Address.
     • Configure the client address range as 10.10.10.1-10.10.10.100.
     • Leave the subnet mask at its default value.
     • Select 'Create'.

Note:
  1. If 'net-device' is set to disable, only one unit can establish an L2TP over IPsec tunnel behind the same NAT unit.
  2. After upgrading from v6.4.x or v7.0.0 to v7.0.1 and later, the L2TP over IPsec configuration needs to be updated manually as outlined in the following article: Technical Tip: Manual upgradation of L2TP over IPsec configuration after upgrading from 6.4.x or 7.0...
  3. L2TPv3 is not supported on FortiOS.