FortiGate
ppatel (Staff)
Article Id 200001
Description

This article describes how to configure FortiGate so that the Microsoft L2TP/IPsec VPN client built into Windows 10 can securely access the network(s) behind FortiGate.

When deploying an L2TP/IPsec VPN between a Windows 10 PC and FortiGate, the tunnel may fail to come up if the VPN proposals configured on FortiGate are not ones that Windows 10 supports.

Scope

FortiGate v6.2, FortiGate v6.4, FortiGate v7.0.

Solution

L2TP over IPsec can be deployed on FortiGate through the CLI or the GUI; it is advisable to follow the GUI wizard template on FortiGate (under VPN -> IPsec Wizard -> VPN Setup).

Configuring L2TP over IPsec (GUI)

Step 1: Create a User Account

A user account is required on FortiGate for an L2TP over IPsec deployment.

  1. In the GUI, go to User & Device -> User Definition -> Create New, then create a new user account and fill in the required information.
  2. Go to User & Device -> User Groups -> Create New, then create a new user group and add the user account just created.

ppatel_1-1638289393493.png

Step 2: Create the VPN

In the GUI, go to VPN -> IPsec Wizard -> VPN Setup -> Remote Access -> Native -> Windows Native, fill in the required information, and select 'Next'.

ppatel_2-1638289393494.png

  • On the Authentication tab, select 'Pre-shared Key' (and provide the key), select the 'User Group' created earlier, and select 'Next'.

ppatel_3-1638289393494.png

  • On the 'Policy & Routing' tab, set Local Interface (LAN), Local Address (choose the unit address) and Client Address Range (fill in the desired IP range); leave 'Subnet Mask' at its default and select 'Next'.

ppatel_4-1638289393495.png

Note:

Do not change the 'Subnet Mask'; leave it at its default.

Review the newly created VPN and, once it looks correct, select 'Create'.

ppatel_5-1638289393495.png

VPN Summary:

ppatel_6-1638289393496.png

Note:

The phase 1 (and phase 2) proposals set by the FortiGate wizard must be supported by Windows. The deployment will NOT work if a proposal that the Windows 10 (or other Windows) L2TP/IPsec client does not support is chosen.
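The CLI equivalent of Steps 1 and 2, added here as an example and not taken from the article or from the wizard's own output: it creates the user and group, a dial-up IKEv1 phase 1 and a transport-mode phase 2 with L2TP enabled, the L2TP address pool, and a policy from the tunnel interface to the LAN. The names (vpnuser, L2TP_group, L2TP_VPN, L2TP_range, LAN_subnet), the interfaces (wan1, internal), the pool 10.10.10.10-10.10.10.20 and the LAN subnet 192.168.1.0/24 are assumptions; the proposal list is the conventional set the Windows 10 L2TP/IPsec client offers (AES or 3DES with SHA1, DH group 14 or 2), and it, not the names, is what has to match for the tunnel to come up. Replace the placeholder secrets before use.

```fortios
# Added example: CLI equivalent of the L2TP over IPsec wizard (assumed names and values).
# Lines starting with '#' are explanatory and are not CLI commands.

# Step 1: user account and group (assumed names; CHANGEME values are placeholders)
config user local
    edit "vpnuser"
        set type password
        set passwd "CHANGEME-user-password"
    next
end
config user group
    edit "L2TP_group"
        set member "vpnuser"
    next
end

# Address object for the client pool, referenced by the firewall policy (assumed range)
config firewall address
    edit "L2TP_range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end

# Step 2, phase 1: dial-up IKEv1 on the WAN interface. The proposal list must
# contain at least one combination the Windows client offers.
config vpn ipsec phase1-interface
    edit "L2TP_VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set keylife 28800
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set dhgrp 14 2
        set nattraversal enable
        set psksecret "CHANGEME-preshared-key"
    next
end

# Phase 2: transport mode with L2TP enabled is what the Windows client expects;
# PFS is disabled because the client does not negotiate it by default.
config vpn ipsec phase2-interface
    edit "L2TP_VPN"
        set phase1name "L2TP_VPN"
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end

# L2TP server: address pool handed to clients, authenticated against the group,
# and only accepted when carried inside IPsec.
config vpn l2tp
    set status enable
    set sip 10.10.10.10
    set eip 10.10.10.20
    set usrgrp "L2TP_group"
    set enforce-ipsec enable
end

# Policy allowing tunnel clients to reach the LAN (assumed interface and subnet)
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "L2TP_to_LAN"
        set srcintf "L2TP_VPN"
        set dstintf "internal"
        set srcaddr "L2TP_range"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The pre-shared key is the weakest link in this design (it is shared by every client and protects the IKEv1 exchange), so use a long random value and keep the user group, not the key, as the thing that decides who may connect.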

Step 3: Create the L2TP/IPsec connection on Windows 10

On Windows, select Start -> Settings -> Network & Internet -> VPN -> Add a VPN connection.

Fill in the 'Add a VPN connection' dialog using the screenshot below as a guide, and select 'Save' once done.

ppatel_7-1638289393496.png

Note:

'Server name or address' is the IP address of the FortiGate WAN interface.

Verification:

Select 'Connect' under the newly created VPN; if everything is configured correctly, it connects and the PC can access the network behind FortiGate.

ppatel_8-1638289393497.png

Note that an IP address from the Client Address Range configured on FortiGate is assigned to the PC.
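Commands to verify the tunnel from the FortiGate side, added here as an example rather than taken from the article; they cover the three show commands requested in the comments below and assume the phase 1 and phase 2 objects are named L2TP_VPN (the wizard uses the name entered on its first page). If the client fails at the proposal step described in the note under Step 2, the IKE debug output is where the mismatch becomes visible.

```fortios
# Added example: FortiGate-side checks for an L2TP over IPsec deployment.
# Lines starting with '#' are explanatory; the object name L2TP_VPN is assumed.

# 1. Confirm the configuration the wizard wrote (the same commands asked for in the comments)
show vpn l2tp
show vpn ipsec phase1-interface L2TP_VPN
show vpn ipsec phase2-interface L2TP_VPN

# 2. Live state: once connected, the Windows client appears as an IKE gateway with an
#    established phase 1 and a transport-mode phase 2 SA
diagnose vpn ike gateway list name L2TP_VPN
diagnose vpn tunnel list name L2TP_VPN
get vpn ipsec tunnel summary

# 3. If the tunnel does not come up, trace the negotiation while the PC connects.
#    A proposal that Windows does not offer shows up as phase 1 failing before any
#    phase 2 or L2TP/PPP messages appear; a wrong pre-shared key or user password
#    fails later, in phase 1 authentication or in PPP respectively.
diagnose debug reset
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable
#    ... select Connect on the Windows PC, wait for the attempt to finish, then:
diagnose debug disable
diagnose debug reset
```

Leave debugging enabled only for the duration of the test: the IKE debug at level -1 is verbose and costs CPU on a busy unit.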

ppatel_9-1638289393497.png

Related document:

L2TP in IPsec connectivity issues

Comments

gfleming (Staff)

Can you please provide the output of:

show vpn l2tp
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface