FortiGate
jfelix09
Staff
Article Id 265192
Description

This article describes why the IPsec wizard does not allow selecting an incoming interface that is a member of a zone when creating a dial-up IPsec tunnel for native Windows (or Android) clients, and how to work around it.

Scope

FortiGate 7.0, 7.2.

Solution

When the IPsec wizard is used to create a dial-up tunnel for native Windows or Android clients, it creates all the objects required for a working tunnel (phase 1, phase 2, L2TP settings and the firewall policies).

For the native Windows and Android templates, one of those objects is an L2TP firewall policy whose source is the tunnel interface and whose destination is the interface the phase 1 is bound to. The problem arises when that incoming (phase-1 binding) interface is a member of a zone.

[image: untrusted_zone.png]

A firewall policy cannot use an interface that is a zone member as its source or destination; only the zone itself can be selected. Because the wizard needs to reference the member interface directly, that policy cannot be created, so the wizard does not offer zone members as the incoming interface.

If the wizard is still preferred, first create the tunnel bound to a different interface: a dummy or unused port that is not part of any zone.

[image: ipsc_dialup_wizard.png]

After the wizard has created the tunnel, edit it and change the incoming interface to the desired one (VPN -> IPsec Tunnels -> edit the tunnel, here 'Dialup - Windows' -> Incoming interface).

[image: ipsec_change_interface_bind.png]

Also, the L2TP firewall policy created by the wizard (source: the tunnel interface; destination: the dummy phase-1 binding interface) must be edited so that its destination is the zone that contains the real outside interface. Selecting the member interface itself is not possible, so select the zone.

[image: change_interface_rule.png]
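The same workaround from the CLI, as an added example that is not part of the original article. The tunnel name 'Dialup - Windows', the dummy port3, the real outside interface wan1, the zone name untrusted_zone and the policy ID 5 are assumptions; replace them with the values shown by `show system zone` and `show firewall policy` on the unit.

```fortios
# Added example, not from the original article. Assumed names: wizard tunnel
# "Dialup - Windows", dummy port3 (not in any zone), real outside interface
# wan1 which is a member of zone "untrusted_zone", and L2TP policy ID 5.

# 1. Confirm that the real outside interface is a zone member. This is the
#    reason the wizard will not bind the tunnel to it directly.
show system zone
#   config system zone
#       edit "untrusted_zone"
#           set interface "wan1"
#       next
#   end

# 2. Run the wizard with port3 as the incoming interface, then rebind the
#    phase 1 to the real outside interface
#    (GUI: VPN -> IPsec Tunnels -> edit tunnel -> Incoming interface).
config vpn ipsec phase1-interface
    edit "Dialup - Windows"
        set interface "wan1"
    next
end

# 3. Locate the L2TP policy the wizard created (srcintf = tunnel interface,
#    dstintf = port3) and point its destination at the zone, not at wan1:
#    a zone member cannot be used as srcintf/dstintf in a policy.
show firewall policy
config firewall policy
    edit 5
        set srcintf "Dialup - Windows"
        set dstintf "untrusted_zone"
    next
end

# 4. Verify that the tunnel now listens on wan1 and that the dummy port is
#    no longer referenced by the phase 1 or the policy.
diagnose vpn ike gateway list
get vpn ipsec tunnel summary
```

Only the L2TP policy (tunnel interface to binding interface) needs its destination changed; the second policy the wizard creates, from the tunnel interface to the internal network, is unaffected by the interface rebinding.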