FortiArt
Article Id 215796

Description

This article describes how to configure L2TP over IPsec with split tunneling disabled, and which settings must be adjusted compared to the configuration produced by the IPsec wizard.

Scope

FortiGate.

Solution

How L2TP works:

L2TP tunneling initiates a connection between the LAC (L2TP Access Concentrator, i.e., the remote user) and the LNS (L2TP Network Server, i.e., the FortiGate), the protocol's two endpoints on the Internet.

A PPP link layer is then established and encapsulated in L2TP, and the L2TP traffic is carried over the Internet inside a secure transport such as an IPsec VPN.

In brief, L2TP is an encapsulation protocol with no encryption of its own; it needs a secure transport, such as an IPsec VPN, to carry traffic safely between the two communicating endpoints.

 

Configuration Steps:

To configure L2TP over an IPsec tunnel using the GUI:

1) Go to VPN -> IPsec Wizard.

[Screenshot: FortiCommunity_0-1656099079103.png]

2) Enter a VPN Name. In this example, 'Hello'.

3) Configure the following settings for VPN Setup:

           - For Template Type, select Remote Access.

           - For Remote Device Type, select Native and Windows Native.

           - Select 'Next'.

 

Configure the remaining settings (authentication, routing, etc.) as shown in the following screenshots and keep selecting Next until the tunnel is created (port1 is the public interface and port2 is the internal interface):

[Screenshot: FortiCommunity_1-1656099079109.png]

[Screenshot: FortiCommunity_2-1656099079116.png]

[Screenshot: FortiCommunity_3-1656099079119.png]

[Screenshot: FortiCommunity_4-1656099079122.png]

 

After the tunnel has been created with the wizard, the firewall policies created by the wizard will look like this:

[Screenshot: FortiCommunity_5-1656099079127.png]

Change the firewall policies to look like the following:

- Change the service to ALL on the first firewall policy, from Hello -> port1.

- Change NAT to Enabled on the same firewall policy (to allow all Internet traffic; with split tunneling disabled, the remote users' Internet traffic leaves through port1).

- Change NAT to Disabled on the second firewall policy, from Hello -> port2 (so that the internal network sees the real source IP addresses of the remote users).

[Screenshot: FortiCommunity_6-1656099079130.png]
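The same two policy changes expressed in the FortiOS CLI, as an added example that is not part of the original article. The tunnel name "Hello" and the interfaces port1/port2 come from the article; the policy IDs, policy names and the address object "Hello_range" are assumptions (the wizard names its objects differently depending on the FortiOS version, so adapt them to what `show firewall policy` displays on the unit). The `#` lines are explanatory comments and are not typed at the CLI prompt.

```text
# Added example, not from the article. Policy IDs, names and "Hello_range" are assumed.
config firewall policy
    # First policy: Hello -> port1 (Internet). With split tunneling disabled, all
    # remote-user traffic arrives through the tunnel, so allow every service and
    # source-NAT it to the port1 address.
    edit 10
        set name "L2TP-Hello-to-Internet"
        set srcintf "Hello"
        set dstintf "port1"
        set srcaddr "Hello_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Second policy: Hello -> port2 (internal LAN). NAT stays disabled so internal
    # hosts, and the FortiGate traffic logs, see the real address of each remote user.
    edit 11
        set name "L2TP-Hello-to-LAN"
        set srcintf "Hello"
        set dstintf "port2"
        set srcaddr "Hello_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Keeping NAT disabled on the LAN policy is what makes per-user accountability possible in the logs; if the internal network does not need to be reachable in full, narrow `dstaddr` on policy 11 to the subnets the remote users actually require rather than leaving it at "all".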

 

Results:

After configuring the above and the Windows PC, the tunnel should come up and be active:

[Screenshot: FortiCommunity_7-1656099079133.png]

 

Relevant CLI configuration (optional):

- Enable net-device to allow more than one remote connection from behind the same NAT device:

[Screenshot: FortiCommunity_8-1656099079139.png]

- Enable enforce-ipsec to force L2TP to run only over the IPsec connection:

[Screenshot: FortiCommunity_9-1656099079142.png]
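The two optional settings above in context, as an added example of what the wizard-generated tunnel looks like in the FortiOS CLI once both are enabled. This is not the article's own output: the tunnel name "Hello" and interface port1 come from the article, while the user group name, the client address range, the proposals and the pre-shared-key placeholder are assumptions to be replaced with the values the wizard created on the unit. The `#` lines are explanatory comments, not CLI input.

```text
# Added example, not from the article. Group, address range, proposals and PSK are assumed.
config vpn ipsec phase1-interface
    edit "Hello"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set peertype any
        # net-device: a separate virtual interface per client, so several clients
        # behind the same NAT device can be connected at the same time
        set net-device enable
        set proposal aes256-sha256 aes256-sha1 aes128-sha1
        set dhgrp 14 2
        set nattraversal enable
        set psksecret <pre-shared-key-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "Hello"
        set phase1name "Hello"
        set proposal aes256-sha1 aes128-sha1
        # the Windows native client uses transport mode for L2TP/IPsec
        set encapsulation transport-mode
        set l2tp enable
    next
end
config vpn l2tp
    set status enable
    # assumed client address range handed out over PPP
    set sip 192.168.10.1
    set eip 192.168.10.100
    # assumed user group that is allowed to authenticate
    set usrgrp "L2TP_Users"
    # enforce-ipsec: L2TP sessions that are not protected by IPsec are refused
    set enforce-ipsec enable
end
```

`enforce-ipsec` is the setting that matters from a security standpoint: without it the FortiGate would also accept plain L2TP on UDP 1701, which carries the PPP authentication exchange without any encryption. Verify the effective values with `show vpn l2tp` and `show vpn ipsec phase1-interface Hello` after saving.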

 

Sample Outputs (can be used as reference output):

- Check the status of L2TP on the FortiGate as follows:

[Screenshot: FortiCommunity_10-1656099079151.png]

[Screenshot: FortiCommunity_11-1656099079154.png]

[Screenshot: FortiCommunity_12-1656099079159.png]

- Check the status of L2TP on the Windows PC as follows:

[Screenshot: FortiCommunity_13-1656099079166.png]

[Screenshot: FortiCommunity_14-1656099079190.png]

 

To debug L2TP issues, run the regular IKE debug commands, the PPP debug commands and the L2TP debug commands together, in the order shown:

diagnose debug application ike -1

diagnose debug application ppp -1

diagnose debug application l2tp -1
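A complete debug session built around those three commands, as an added example that is not part of the original article. It adds the reset, timestamp and enable/disable commands that the three lines above rely on, and the state checks to run once the Windows client has connected; all commands are standard FortiOS CLI, and the `#` lines are comments rather than CLI input.

```text
# Added example, not from the article.

# Clear any previous debug state and add timestamps so the IKE, PPP and L2TP
# lines can be matched against the time of the client's connection attempt.
diagnose debug reset
diagnose debug console timestamp enable

# IKE first (phase1/phase2 negotiation and the enforce-ipsec check), then PPP
# (user authentication and client IP assignment), then L2TP (tunnel and session
# control messages). Nothing is printed until debug output is enabled.
diagnose debug application ike -1
diagnose debug application ppp -1
diagnose debug application l2tp -1
diagnose debug enable

# Reproduce the connection from the Windows PC, then stop capturing:
diagnose debug disable
diagnose debug reset

# State checks after a successful connection: the IKE gateway for "Hello"
# should be listed as established and the tunnel should show phase2 selectors up.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

Reading the output in that order mirrors the connection sequence: if IKE never completes there is no point looking at PPP, and a PPP authentication failure (wrong group membership or credentials) shows up before any L2TP session is created. Remember to run `diagnose debug disable` when finished, as level -1 debugging is verbose and is left running otherwise.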
