FortiGate
ppatel
Staff
Description

This article describes how to configure FortiGate so that Microsoft’s native L2TP/IPsec VPN client on a Windows 10 PC can securely access the network(s) behind FortiGate.

When deploying an L2TP/IPsec VPN between a Windows 10 PC and FortiGate, the tunnel can fail to come up if the VPN proposals configured on FortiGate are not among those supported by Windows 10.

Diagram:

ppatel_0-1638289352404.png

Scope

FortiGate v6.2 

FortiGate v6.4 

FortiGate v7.0

Solution

L2TP over IPsec can be deployed on FortiGate through the CLI or the GUI. It is advisable to follow the GUI configuration template on FortiGate (under VPN > IPsec Wizard > VPN Setup), which keeps the setup simple.

Configuring L2TP over IPSec (GUI): 

Step 1: Create a User Account. 

A user account is required on FortiGate for an L2TP over IPsec deployment.

  1. In the GUI, go to User & Device >> User Definition >> Create New, then create a new user account (fill in the required information).
  2. Go to User & Device >> User Groups >> Create New, then create a new user group and add the user account just created.
ppatel_1-1638289393493.png

Step 2: Create the VPN 

> In the GUI, go to VPN >> IPsec Wizard >> VPN Setup, select Remote Access >> Native >> Windows Native, fill in the required information, and click "Next".

ppatel_2-1638289393494.png

> On the Authentication tab, select “Pre-shared Key” (provide the key), select the “User Group” created earlier, and click "Next".

ppatel_3-1638289393494.png

> On the “Policy & Routing” tab, set Local Interface (LAN), Local Address (choose the firewall address) and Client Address Range (fill in the desired IP range); leave "Subnet Mask" at its default and click "Next".

ppatel_4-1638289393495.png

Note: Do not change the “Subnet Mask”; leave it at its default.

Review the newly created VPN and, once it looks correct, click “Create”.

ppatel_5-1638289393495.png

VPN Summary: 

ppatel_6-1638289393496.png

Note: The proposals used at phase 1 (and phase 2) by the FortiGate wizard must be supported by Windows. The deployment will NOT work if a proposal not supported by the Windows 10 (or other Windows) L2TP/IPsec client is chosen.
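
For reference, the CLI equivalent of Steps 1 and 2 is shown below. This is an added example, not part of the original article and not the literal output of the IPsec wizard: the interface names (wan1, internal), user, group, tunnel and address object names, the client address range 192.168.200.10-20, the password and pre-shared key placeholders, and the proposal and DH group lists are all assumptions. The proposal lists are chosen to match what the Windows native client offers; compare them with the wizard's output on your FortiOS version before relying on them.

```text
# Added example (not the wizard's output): FortiOS CLI equivalent of the
# GUI steps above. Names, interfaces, addresses and secrets are placeholders.

# Step 1: local user and the group used for L2TP authentication
config user local
    edit "vpnuser1"
        set type password
        set passwd "REPLACE-WITH-USER-PASSWORD"
    next
end
config user group
    edit "L2TP_Users"
        set member "vpnuser1"
    next
end

# Step 2: IPsec phase 1 (IKEv1, dialup peer on the WAN interface).
# Proposal and DH group lists are assumptions matching the Windows client.
config vpn ipsec phase1-interface
    edit "L2TP_IPsec"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set dhgrp 14 2
        set psksecret "REPLACE-WITH-PRESHARED-KEY"
    next
end

# Phase 2 must be transport mode with L2TP enabled for the Windows client
config vpn ipsec phase2-interface
    edit "L2TP_IPsec"
        set phase1name "L2TP_IPsec"
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
    next
end

# L2TP server: the wizard's "Client Address Range" and the user group
config vpn l2tp
    set status enable
    set sip 192.168.200.10
    set eip 192.168.200.20
    set usrgrp "L2TP_Users"
end

# Address object for the client range and the policy from the tunnel to the LAN
config firewall address
    edit "L2TP_Clients"
        set type iprange
        set start-ip 192.168.200.10
        set end-ip 192.168.200.20
    next
end
config firewall policy
    edit 0
        set name "L2TP_to_LAN"
        set srcintf "L2TP_IPsec"
        set dstintf "internal"
        set srcaddr "L2TP_Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The phase 1 and phase 2 proposal lists are the first thing to check when the tunnel does not come up, as the note above explains; the phase 2 entry must also stay in transport mode with l2tp enabled, since the Windows client does not negotiate a tunnel-mode SA for L2TP.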

Step 3: Create the L2TP/IPsec connection on Windows 10.

On Windows, click on Start >> Settings >> Network & Internet >> VPN >> Add a VPN connection. 

Fill in the “Add a VPN connection” form using the screenshot below as a guide, then click “Save”.

ppatel_7-1638289393496.png

Note: “Server name or address” is the IP address of the FortiGate WAN interface.

Verification: 

Click “Connect” under the newly created VPN. If everything is configured correctly, it connects and has access to the network behind FortiGate.

ppatel_8-1638289393497.png

Note that the IP address assigned to the PC comes from the Client Address Range configured on FortiGate.

ppatel_9-1638289393497.png
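
The same connection can be verified from the FortiGate side. The following is an added example, not part of the original article; it assumes the tunnel is named L2TP_IPsec and uses standard FortiOS diagnostic commands.

```text
# Added example (not from the original article): FortiGate-side checks
# after the Windows client connects. Assumes the tunnel is named L2TP_IPsec.

# Phase 1: the dialup gateway entry shows the client's public IP and IKE state
diagnose vpn ike gateway list name L2TP_IPsec

# Phase 2: the transport-mode SA should be listed with increasing byte counters
diagnose vpn tunnel list name L2TP_IPsec

# One-line overview of all IPsec tunnels and their status
get vpn ipsec tunnel summary

# If the tunnel does not come up, capture the IKE negotiation while the
# Windows client attempts to connect. A proposal mismatch shows up as the
# FortiGate rejecting the client's proposals in this output.
diagnose debug application ike -1
diagnose debug enable
# ... attempt the connection from Windows, then stop the debug:
diagnose debug disable
diagnose debug reset

# L2TP-level debugging (address assignment from the client range, PPP auth)
diagnose debug application l2tp -1
diagnose debug enable
# ... attempt the connection from Windows, then stop the debug:
diagnose debug disable
diagnose debug reset
```

Run the IKE debug first: if phase 1 or phase 2 never completes there, the L2TP and PPP stages are never reached, and the proposal lists from Step 2 are the place to look.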
