Description
L2TP is mostly used by clients who do not want to install VPN client software (such as FortiClient) but still need a secure, encrypted VPN connection.
The Windows native VPN client can be used for the L2TP connection.
L2TP can also be configured on an interface-based (route-based) IPsec VPN.
If WAN load balancing is in use on versions 5.2, 5.4 or 5.6 and L2TP is required, interface-based (route-based) L2TP over IPsec can be used to achieve it.
Solution
# config user local
edit "test"
set type password
set passwd 123456
next
end
# config user group
edit "L2TP_Group"
set member "test"
next
end
# config vpn l2tp
set eip 10.10.10.100
set sip 10.10.10.1
set status enable
set usrgrp "L2TP_Group"
end
# config vpn ipsec phase1-interface
edit "L2TP"
set type dynamic
set interface "port9"
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set net-device enable
set psksecret <password>
next
end
# config vpn ipsec phase2-interface
edit "L2TP-p2"
set phase1name "L2TP"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set encapsulation transport-mode
set l2tp enable
next
end
# config firewall policy
edit 0
set name "L2TP policy"
set srcintf "L2TP"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "L2TP"
next
end
# config firewall policy
edit 0
set name "IPsec policy"
set srcintf "L2TP"
set dstintf "LAN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
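As an added check (not part of this article or of FortiOS), the following Python script parses FortiOS CLI text like the configuration above and cross-references the objects that must agree: the group named in 'config vpn l2tp' must exist under 'config user group' (a stray space inside a quoted name, an easy copy-paste mistake, makes that lookup fail), each phase2 must reference an existing phase1 and carry 'set l2tp enable' with transport mode, and MD5/3DES proposals are flagged as legacy. The sample configuration is constructed from the article and trimmed.

```python
# Constructed sample, trimmed from the article; the leading space inside
# the group name is deliberate so the checker has something to report.
SAMPLE = "\n".join([
    'config user group', 'edit " L2TP_Group"', 'set member "test"', 'next', 'end',
    'config vpn l2tp', 'set usrgrp "L2TP_Group"', 'end',
    'config vpn ipsec phase1-interface', 'edit "L2TP"', 'set type dynamic',
    'set proposal aes256-md5 3des-sha1 aes192-sha1', 'next', 'end',
    'config vpn ipsec phase2-interface', 'edit "L2TP-p2"', 'set phase1name "L2TP"',
    'set proposal aes256-md5 3des-sha1 aes192-sha1', 'set encapsulation transport-mode',
    'set l2tp enable', 'next', 'end',
])

def parse_fortios(text):
    """Parse FortiOS CLI text into {table: [entry dicts]}; '_name' holds the 'edit' key."""
    tables, entries, entry = {}, None, None
    for line in (raw.strip().lstrip("# ") for raw in text.splitlines()):
        if line.startswith("config "):
            entries, entry = tables.setdefault(line[7:], []), None
        elif line.startswith("edit "):
            entry = {"_name": line[5:].strip('"')}  # a stray inner space is preserved
            entries.append(entry)
        elif line.startswith("set "):
            if entry is None:  # table without 'edit', e.g. config vpn l2tp
                entry = {"_name": ""}
                entries.append(entry)
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

def check_l2tp_config(text):
    """Return a list of findings; an empty list means the referenced objects agree."""
    cfg, out = parse_fortios(text), []
    groups = [e["_name"] for e in cfg.get("user group", [])]
    for e in cfg.get("vpn l2tp", []):
        if e.get("usrgrp") not in groups:  # exact match: ' L2TP_Group' != 'L2TP_Group'
            out.append(f"vpn l2tp usrgrp {e.get('usrgrp')!r} not in user groups {groups!r}")
    p1 = {e["_name"]: e for e in cfg.get("vpn ipsec phase1-interface", [])}
    p2 = cfg.get("vpn ipsec phase2-interface", [])
    for e in p2:
        if e.get("phase1name") not in p1:
            out.append(f"phase2 {e['_name']}: phase1name {e.get('phase1name')!r} is undefined")
        if e.get("l2tp") != "enable" or e.get("encapsulation") != "transport-mode":
            out.append(f"phase2 {e['_name']}: needs 'set l2tp enable' and transport-mode")
    for e in list(p1.values()) + p2:  # MD5 and 3DES are legacy algorithms; flag them
        weak = [p for p in e.get("proposal", "").split() if "md5" in p or "3des" in p]
        if weak:
            out.append(f"{e['_name']}: weak proposals {weak}")
    return out
```

Paste the full CLI from a 'show' into SAMPLE's place to run the same checks against a live configuration.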
To configure L2TP over an IPsec tunnel using the GUI:
1) Go to VPN -> IPsec Wizard.
2) Enter a VPN Name. In this example, L2tpoIPsec.
3) Configure the following settings for VPN Setup.
- For 'Template Type', select 'Remote Access'.
- For 'Remote unit type', select 'Native' and then 'Windows Native'.
- Select 'Next'.
4) Configure the following settings for Authentication.
- For 'Incoming Interface', select port9.
- For 'Authentication Method', select 'Pre-shared Key'.
- In the 'Pre-shared Key' field, type 'your-psk' as the key.
- For 'User Group', select 'L2TP_Group'.
- Select 'Next'.
5) Configure the following settings for Policy & Routing.
- From the Local Interface dropdown menu.
- Configure the Local Address.
- Configure the client address range as 10.10.10.1-10.10.10.100.
- Leave the subnet mask at its default value.
- Select 'Create'.
Copyright 2023 Fortinet, Inc. All Rights Reserved.