This article describes how to configure FortiGate so that the built-in Microsoft L2TP/IPsec VPN client on a Windows 10 PC can securely access the network(s) behind FortiGate.
When deploying an L2TP/IPsec VPN between a Windows 10 PC and FortiGate, the tunnel may fail to come up if the IKE/IPsec proposals offered by FortiGate are not among those supported by the Windows 10 client.
Two certificates are needed: a server certificate and a client certificate, both signed by the SAME CA (Certificate Authority).
1) The server certificate has to be imported to FortiGate.
2) The CA certificate has to be imported to FortiGate.
3) The client certificate and the CA certificate have to be imported on Windows 10 (under 'Local Computer').
1) Access to the protected corporate network is required from a remote location that only has Internet access, and it must not be necessary to install additional VPN software on the Windows 10 PC.
2) A more secure option than PPTP (Point-to-Point Tunneling Protocol) is wanted.
Although L2TP over IPsec can be deployed on FortiGate through the CLI or the GUI, it is advisable to follow the GUI wizard on FortiGate (under VPN -> IPsec Wizard -> VPN Setup); it keeps the configuration simple.
Configuring L2TP over IPSec (GUI):
Create a user account.
A user account on FortiGate is required for the L2TP over IPsec deployment.
1) Go to User & Device -> User Definition and select 'Create New' (then create the new user account and fill in the required information).
2) Go to User & Device -> User Groups and select 'Create New' (then create a new user group and add the user account created above).
Create the VPN.
Go to VPN -> IPsec Wizard -> VPN Setup -> Remote Access -> Native -> Windows Native, fill in the required information and select 'Next'.
On the Authentication tab, select 'Pre-shared Key' (provide the key), select the 'User Group' created earlier and select 'Next'.
On the Policy & Routing tab, select the Local Interface (the LAN), the Local Address (choose the firewall address), fill in the Client Address Range (the desired IP range), leave 'Subnet Mask' at its default, and select 'Next'.
Do not change the 'Subnet Mask'; leave it at its default.
Review the newly created VPN and, once it looks correct, select 'Create'.
Take note of the proposals used at phase 1 (and phase 2) by the FortiGate wizard; this is very important when the VPN is configured through the CLI.
The deployment will NOT work if a proposal that is not supported by the Windows 10 (or other Windows) L2TP/IPsec client is chosen.
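The following FortiOS CLI fragment is an added example of the CLI equivalent of the wizard's result, not the wizard's own generated output and not taken from this article. It restricts phase 1 and phase 2 to proposals the Windows built-in L2TP/IPsec client is known to negotiate (AES256/SHA1 with DH group 14, with 3DES/SHA1 and DH group 2 as legacy fallbacks); verify these against the values the wizard shows on your own unit. The tunnel name, WAN interface name, client address range, user group name, address objects and the pre-shared key placeholder are all assumptions.

```fortios
# Added example, not the wizard output. All names and addresses are assumptions.
# Phase 1: dialup (dynamic) IKEv1 main-mode gateway for the Windows client.
config vpn ipsec phase1-interface
    edit "L2TP_W10Tunnel"
        set type dynamic
        # assumption: WAN interface is named wan1
        set interface "wan1"
        set ike-version 1
        set mode main
        set authmethod psk
        set peertype any
        # Only proposals the Windows client offers. Drop 3des-sha1 and dhgrp 2
        # once you have confirmed that every client negotiates AES256/DH14.
        set proposal aes256-sha1 3des-sha1
        set dhgrp 14 2
        # placeholder: replace with the pre-shared key entered in the wizard
        set psksecret PSK-PLACEHOLDER
    next
end
# Phase 2: L2TP requires transport mode and PFS disabled for the Windows client.
config vpn ipsec phase2-interface
    edit "L2TP_W10Tunnel"
        set phase1name "L2TP_W10Tunnel"
        set proposal aes256-sha1 3des-sha1
        set encapsulation transport-mode
        set l2tp enable
        set pfs disable
    next
end
# L2TP server settings: the client address range and the user group that may dial in.
config vpn l2tp
    set status enable
    # assumption: client address range 10.10.10.1-10.10.10.10
    set sip 10.10.10.1
    set eip 10.10.10.10
    # assumption: user group created in User & Device -> User Groups
    set usrgrp "L2TP_Users"
end
# Firewall policy from the tunnel interface to the LAN; address objects are assumptions.
config firewall policy
    edit 0
        set name "L2TP_to_LAN"
        set srcintf "L2TP_W10Tunnel"
        set dstintf "internal"
        set srcaddr "L2TP_W10Tunnel_range"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the tunnel still does not come up, compare the proposals above with the ones the FortiGate wizard displays and with the phase 1 negotiation seen in the IKE debug output; a mismatch in encryption, hash, DH group, encapsulation mode or PFS setting is the usual cause.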
Create L2TP/IPSec on Windows 10.
On Windows, select 'Start' -> Settings -> Network & Internet -> VPN and select 'Add a VPN connection'.
Fill in the 'Add a VPN connection' form and select 'Save' once done.
'Server name or address' is the IP address of the FortiGate WAN interface.
It is necessary to go to Network & Internet -> 'Change Adapter Settings' on Windows and set the properties of the L2TP adapter.
Import the client certificate to Personal -> Certificates and the CA certificate to Trusted Root Certification Authorities -> Certificates on Windows.
Select 'Connect' under the newly created VPN; if everything is correct, it will be possible to connect and access the network behind FortiGate.
- On FortiGate, the tunnel will show as UP along with the number of dialup connection(s).
- On Windows, the VPN 'L2TP_W10Tunnel' shows as connected.
Note that an IP address from the Client Address Range specified on FortiGate is assigned to the PC.