Description |
This article describes how to configure a FortiGate so that Microsoft's native L2TP/IPsec VPN client on a Windows 10 PC can reach the network(s) behind the FortiGate over an encrypted tunnel. When deploying L2TP/IPsec between a Windows 10 PC and a FortiGate, the tunnel can fail to come up if the FortiGate is configured with IKE/IPsec proposals that the Windows client does not support.
Diagram: Windows 10 PC (native L2TP/IPsec client) <-> Internet <-> FortiGate WAN interface -> protected LAN behind the FortiGate.
Scope |
FortiGate v6.2, FortiGate v6.4, FortiGate v7.0
Solution |
L2TP over IPsec can be configured on the FortiGate through either the CLI or the GUI. Using the GUI wizard (VPN > IPsec Wizard > VPN Setup) is recommended, because it fills in the L2TP-specific settings (transport-mode encapsulation, proposals, client address range, user group and firewall policy) for you.
Configuring L2TP over IPsec (GUI):
Step 1: Create a user account. A local user account on the FortiGate, placed in a user group, is required for the L2TP over IPsec deployment; the wizard asks for that group in Step 2.
Step 2: Create the VPN. In the GUI, go to VPN > IPsec Wizard > VPN Setup, select Remote Access > Native > Windows Native, fill in the required information and click Next.
- On the Authentication tab, select Pre-shared Key, enter the key, select the User Group created in Step 1, and click Next.
- On the Policy & Routing tab, set Local Interface to the LAN interface, Local Address to the firewall address object for the LAN subnet, and Client Address Range to the IP range to hand out to VPN clients. Leave Subnet Mask at its default value and click Next.
Note: Do not change the Subnet Mask; leave it at the default.
Review the newly created VPN and, once everything looks correct, click Create.
VPN Summary:
Note: The phase 1 and phase 2 proposals that the FortiGate wizard selects must be supported by Windows. The tunnel will not come up if a proposal is chosen that the Windows 10 (or other Windows) L2TP/IPsec client does not offer during IKE negotiation.
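The CLI equivalent of what the wizard produces in Steps 1 and 2, with the proposal sets pinned to what the Windows 10 native client negotiates, as an added example that is not taken from the original article or from Fortinet's wizard output. The interface names (wan1, internal), object names (vpn_user1, L2TP_Users, L2TP_IPsec), the client address range 192.168.50.1-192.168.50.100 and the password/pre-shared key values are placeholders to be replaced; the proposal lists assume the Windows 10 client's defaults (IKEv1 main mode with PSK, AES-256/AES-128/3DES with SHA-1, DH group 14 or 2, transport-mode ESP without PFS), which is the point of the note above:

```fortios
# Step 1: local user and the group the wizard expects
config user local
    edit "vpn_user1"
        set type password
        set passwd "ReplaceWithStrongPassword"
    next
end
config user group
    edit "L2TP_Users"
        set member "vpn_user1"
    next
end

# Step 2: dynamic (dial-up) phase 1 on the WAN interface, PSK authentication.
# Proposals are limited to what the Windows 10 L2TP/IPsec client offers;
# adding only an unsupported one (for example aes256gcm) would break the tunnel.
config vpn ipsec phase1-interface
    edit "L2TP_IPsec"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode main
        set authmethod psk
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set dhgrp 14 2
        set nattraversal enable
        set keylife 28800
        set psksecret "ReplaceWithLongRandomPSK"
    next
end

# Phase 2 must use transport mode with L2TP enabled and no PFS,
# otherwise the Windows client's quick-mode proposal is rejected.
config vpn ipsec phase2-interface
    edit "L2TP_IPsec"
        set phase1name "L2TP_IPsec"
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end

# L2TP server: client address range and the group allowed to log in.
# enforce-ipsec rejects plain L2TP that is not carried inside the IPsec SA.
config vpn l2tp
    set status enable
    set sip 192.168.50.1
    set eip 192.168.50.100
    set usrgrp "L2TP_Users"
    set enforce-ipsec enable
end

# Policy from the tunnel interface to the LAN; tighten dstaddr/service
# to the hosts and ports remote users actually need.
config firewall policy
    edit 0
        set name "L2TP_to_LAN"
        set srcintf "L2TP_IPsec"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After a client connects, `get vpn ipsec tunnel summary` and `diagnose vpn ike gateway list` show the phase 1 and phase 2 SAs. If the tunnel does not come up, `diagnose debug application ike -1` followed by `diagnose debug enable` prints the IKE exchange; a "no SA proposal chosen" style failure there means the proposal lists above and the client's offer do not overlap, which is the failure mode the note describes.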
Step 3: Create the L2TP/IPsec connection on Windows 10. On Windows, click Start > Settings > Network & Internet > VPN > Add a VPN connection. In the "Add a VPN connection" dialog, set VPN provider to Windows (built-in), enter a Connection name and the Server name or address, set VPN type to L2TP/IPsec with pre-shared key, enter the pre-shared key configured in Step 2, set Type of sign-in info to User name and password, and enter the credentials of the user created in Step 1. Click Save when done.
Note: "Server name or address" is the IP address (or a DNS name that resolves to it) of the FortiGate WAN interface the phase 1 is bound to.
Verification: Click Connect under the newly created VPN. If everything is configured correctly, the client connects and can reach the network behind the FortiGate.
Note that the PC is assigned an IP address from the Client Address Range configured on the FortiGate in Step 2.
Copyright 2023 Fortinet, Inc. All Rights Reserved.