This article describes how to configure FortiGate so that the native Windows 10 L2TP/IPsec VPN client can securely reach the network(s) behind the FortiGate.
When deploying an L2TP/IPsec VPN between a Windows 10 PC and FortiGate, the tunnel can fail to come up if the FortiGate is configured with IKE phase 1 or phase 2 proposals that the Windows 10 client does not offer.
Applies to FortiGate v6.2, v6.4 and v7.0.
L2TP over IPsec can be deployed on FortiGate through the CLI or the GUI; it is advisable to use the GUI wizard template (VPN -> IPsec Wizard -> VPN Setup), which selects proposals known to work with the Windows client.
Configuring L2TP over IPSec (GUI).
Create a User Account:
A local user account is required on FortiGate for the L2TP over IPsec deployment; the wizard adds it to the user group that is allowed to authenticate over the tunnel.
Create the VPN.
Go to the GUI, VPN -> IPsec Wizard -> VPN Setup, select Remote Access -> Native -> Windows Native, fill in the required information and select 'Next'.
Do not change the 'Subnet Mask'; leave it at the default.
Review the newly created VPN and once okay, select 'Create'.
The phase 1 and phase 2 proposals that the FortiGate wizard configures are ones the Windows client supports. The deployment will NOT work if a proposal that the Windows 10 (or other Windows) L2TP/IPsec client does not support is chosen instead.
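The same deployment expressed in the FortiOS CLI, as an added example that mirrors what the wizard produces (it is not configuration taken from this article). The interface names wan1 and internal, the user and group names, the client address range 10.10.10.10-10.10.10.20 and the pre-shared key are placeholders; the proposal set (aes256-sha1 and 3des-sha1, DH groups 14 and 2, transport mode without PFS) is what the Windows client is assumed to offer, so compare it with `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` on a wizard-built tunnel before relying on it.

```fortios
# Added example: L2TP over IPsec for the native Windows client.
# Interface names, user names, addresses and PSK are placeholders (assumptions).

# 1. Local user and the group the L2TP server authenticates against
config user local
    edit "vpnuser"
        set type password
        set passwd "<strong-user-password>"
    next
end
config user group
    edit "L2TP_users"
        set member "vpnuser"
    next
end

# 2. Phase 1: dynamic (dial-up) IKEv1 main-mode gateway on the WAN interface.
#    The proposal/dhgrp lines must contain entries the Windows client offers;
#    leaving only entries Windows does not support is the failure the article warns about.
config vpn ipsec phase1-interface
    edit "L2TP_IPsec"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set keylife 86400
        set peertype any
        set proposal aes256-sha1 3des-sha1
        set dhgrp 14 2
        set psksecret "<pre-shared-key>"
    next
end

# 3. Phase 2: transport mode, no PFS, L2TP traffic selector (what Windows negotiates)
config vpn ipsec phase2-interface
    edit "L2TP_IPsec"
        set phase1name "L2TP_IPsec"
        set proposal aes256-sha1 3des-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end

# 4. L2TP server: client address range (the article's 'Client Address Range') and
#    the user group; enforce-ipsec rejects L2TP that is not carried inside the tunnel
config vpn l2tp
    set status enable
    set sip 10.10.10.10
    set eip 10.10.10.20
    set usrgrp "L2TP_users"
    set enforce-ipsec enable
end

# 5. Address object for the client range and a policy from the tunnel interface
#    to the internal network, scoped to that range rather than 'all'
config firewall address
    edit "L2TP_clients"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end
config firewall policy
    edit 0
        set name "L2TP_to_LAN"
        set srcintf "L2TP_IPsec"
        set dstintf "internal"
        set srcaddr "L2TP_clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

If the tunnel still does not come up, `diagnose debug application ike -1` followed by `diagnose debug enable` prints the IKE negotiation, including the proposals the Windows client actually sent; a "no proposal chosen" style failure there means the phase 1 or phase 2 lists above do not overlap with what the client offered.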
Create the L2TP/IPsec connection on Windows 10.
On Windows, select Start -> Settings -> Network & Internet -> VPN -> Add a VPN connection.
Fill in the 'Add a VPN connection' form: VPN provider 'Windows (built-in)', a connection name, VPN type 'L2TP/IPsec with pre-shared key', the pre-shared key set in the FortiGate wizard, and the FortiGate user name and password. Select 'Save' once done.
'Server name or address' is the IP address (or DNS name) of the FortiGate WAN interface selected in the wizard.
Select 'Connect' under the newly created VPN; if everything is configured correctly it connects and the PC can reach the network behind the FortiGate.
Note that the PC is assigned an IP address from the Client Address Range configured on the FortiGate.