enguyen3467
Staff
Article Id 286724
Description

This article describes the case where, when connecting to an L2TP tunnel, all of the client's traffic is routed into the tunnel by default (full tunneling). As a result, if the L2TP tunnel was created with the IPsec wizard on the FortiGate, the endpoint is not able to reach the Internet while the tunnel is up, because no firewall policy allows traffic arriving from the tunnel out to the WAN.


Scope

FortiGate.
Solution

In most cases, L2TP has full tunneling enabled. It is possible to disable this option either locally on the PC or globally on the FortiGate.
To disable it locally on the PC, follow this article: Technical Tip: How to enable split-tunneling in Windows 10 (L2TP/PPTP VPN).
To disable it globally on the FortiGate, follow this article: Technical Tip: Split tunneling on L2TP/IPSEC VPN between FortiGate and Windows 10.

If the intention is to keep full tunneling enabled, follow these steps to allow the tunneled traffic out to the Internet:
Create a firewall policy from the L2TP tunnel interface (l2t.root, not the IPsec tunnel interface created by the wizard) to the WAN interface, with NAT enabled:


The CLI configuration equivalent for this is:

config firewall policy
    edit 5
        set name "L2TP-to-Internet"
        set srcintf "l2t.root"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

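A quick way to verify that such a policy is actually present in a running configuration is to parse a `show firewall policy` dump and look for a policy from l2t.root to the WAN interface with action accept and NAT enabled. The following checker is an added example, not part of the Fortinet article; it assumes the WAN interface is named virtual-wan-link as in the CLI above, and the configuration text it parses is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: a FortiOS 'config firewall policy' dump with two
# policies. Only policy 5 is the L2TP-to-Internet policy the article describes.
SAMPLE_CONFIG = """\
config firewall policy
    edit 3
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 5
        set name "L2TP-to-Internet"
        set srcintf "l2t.root"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

def parse_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_id: {attribute: value}} for the 'config firewall policy' section.
    Multi-value attributes (e.g. two srcaddr objects) are kept as one raw string."""
    policies, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif line == "end":
            in_section = False
        elif in_section and (m := re.fullmatch(r"edit (\S+)", line)):
            current = m.group(1)
            policies[current] = {}
        elif in_section and line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            policies[current][m.group(1)] = m.group(2).strip('"')
    return policies

def l2tp_internet_policies(text: str, wan_intf: str = "virtual-wan-link") -> List[str]:
    """IDs of policies that let full-tunnel L2TP clients reach the Internet."""
    wanted = {"srcintf": "l2t.root", "dstintf": wan_intf, "action": "accept", "nat": "enable"}
    return [pid for pid, attrs in parse_policies(text).items()
            if all(attrs.get(k) == v for k, v in wanted.items())]
```

If the returned list is empty, the policy is missing, points at a different WAN interface, or lacks NAT, which is exactly the condition that leaves full-tunnel L2TP clients without Internet access.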
As a result, the endpoint should now be able to reach the Internet while connected to the L2TP tunnel.
