FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Staff
Article Id 200001
Description

This article describes how to configure FortiGate so Microsoft’s L2TP/IPSec VPN client configured on Windows 10 PC will have access to the network(s) behind FortiGate in a secure manner. 

When deploying L2TP/IPSec VPN between Windows 10 PC and FortiGate, it’s possible to run into issues (where the tunnel failed to come up), if not using 'VPN Proposals' supported by Windows 10. 

Scope

FortiGate v6.2, FortiGate v6.4, FortiGate v7.0.

Solution

L2TP over IPSec can be deployed on FortiGate through CLI or GUI, it is advisable to follow the GUI configuration template on FortiGate (Under VPN -> IPSec Wizard -> VPN Setup).

 

Configuring L2TP over IPSec (GUI).

 

Step 1: 

Create a User Account:

 

A 'user account' is required on FortiGate for 'L2TP over IPSec' deployment. 

  1. Go to GUI Interface, User & Device -> User Definition -> Create New (then create a new user account – fill in required info). 
  2. Go to User & Device -> User Groups -> Create New (then create a new user group and add the user account created). 

 

ppatel_1-1638289393493.png

 

Step 2: 

Create the VPN.

 

 Go to CUI Interface, VPN -> IPsec Wizard  -> VPN Setup  -> Remote Access  -> Native  -> Windows Native (fill in required information) and select 'Next'.

 

ppatel_2-1638289393494.png
  •  On the Authentication tab -> select 'Pre-shared Key' (provide key)  -> select 'User Group' (earlier created) and select 'Next'.

 

ppatel_3-1638289393494.png
  • On 'Policy & Routing' tab -> Local Interface (LAN) >> Local Address (choose unit address) -> Client Add range (Fill in the desired IP range) -> Leave 'subnet Mask' as default, and select 'Next'.

 

ppatel_4-1638289393495.png

 

Note:

Do not change the 'Subnet Mask' leave it as default. 

Review the newly created VPN and once okay, select 'Create'.  

 

ppatel_5-1638289393495.png

 

 

VPN Summary: 

 

ppatel_6-1638289393496.png

 

Note:

The proposal used in phase1 (and phase 2) by FortiGate wizard, should be supported by Windows.  The deployment will NOT work if a proposal not supported by Windows 10 (or other Windows) L2TP/IPSec is choosen. 

 

Step 3: 

Create L2TP/IPSec on Windows 10. 

 

On Windows, select Start -> Settings -> Network & Internet -> VPN -> Add a VPN connection. 

Fill in the 'Add a VPN connection' tab using below screenshot as a guide. Select 'save' once done. 

 

ppatel_7-1638289393496.png

 

Note:

'Server name or address', is the IP address of the FortiGate WAN Interface. 

 

Verification: 

Select connect under the newly created VPN, and it should connect and access the network behind FortiGate if everything is configured correctly. 

 

ppatel_8-1638289393497.png

 

Note that the IP specified under the Client Address Range of FortiGate is assigned to the PC. 

 

ppatel_9-1638289393497.png
Comments
gfleming
Staff
Staff

Can you please provide the output of:

 

show vpn l2tp

show vpn ipsec phase1-interface

show vpn ipsec phase2-interface