Description

This article describes how to access an L2TP/IPsec VPN tunnel from different Windows native clients behind the same NAT IP address.

Useful link: Fortinet Documentation: New route-based IPsec logic

Scope

FortiGate v5.6.3
FortiGate v6.0
FortiGate v6.2

Solution

Formerly, FortiOS created only one dialup interface for every L2TP/IPsec tunnel, so if two users were behind the same NAT device, only one of them could successfully access the tunnel.

As of FortiOS versions 6.0 and 5.6.3, a new behavior is implemented for routing traffic to IPsec dialup tunnels. A new option is added to the IPsec phase1 configuration using this command:
# config vpn ipsec phase1-interface
    edit "VPN-phase1"
        set net-device enable
    end
"net-device enable" creates a dynamic interface for each dialer. This helps FortiOS distinguish multiple requests coming from multiple Windows clients that are NATed behind the same IP address.
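
To check which dialup tunnels in a saved configuration already carry this option, the following added example (not part of the original article or Fortinet's tooling) parses the phase1-interface section and reports the net-device state per tunnel. It assumes dialup tunnels are the entries with "set type dynamic"; the sample text and tunnel names other than "VPN-phase1" are constructed, and "unset" means the line is absent, so the FortiOS version's default applies.

```python
import re

# Constructed sample in FortiOS config layout; tunnel names are made up.
SAMPLE = '''\
config vpn ipsec phase1-interface
    edit "VPN-phase1"
        set type dynamic
        set net-device enable
    next
    edit "L2TP-old"
        set type dynamic
        set net-device disable
    next
    edit "L2TP-unset"
        set type dynamic
    next
    edit "site-to-site"
        set type static
    next
end
'''

def audit_net_device(config_text):
    """Map each dialup phase1 name to 'enable', 'disable' or 'unset'."""
    result, depth, name, settings = {}, 0, None, {}
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = int(line == "config vpn ipsec phase1-interface")
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry: skip its contents
        elif line == "end" and depth > 1:
            depth -= 1
        elif depth > 1:
            continue
        elif line in ("next", "end"):
            # Entry closed: record dialup (type dynamic) tunnels only.
            if name is not None and settings.get("type") == "dynamic":
                result[name] = settings.get("net-device", "unset")
            name, settings = None, {}
            if line == "end":
                depth = 0
        elif m := re.match(r'edit "?([^"]+)"?$', line):
            name = m.group(1)
        elif m := re.match(r"set (\S+) (.+)$", line):
            settings[m.group(1)] = m.group(2).strip('"')
    return result

if __name__ == "__main__":
    print(audit_net_device(SAMPLE))
```

Tunnels reported as "disable" or "unset" are the ones to review when several Windows clients connect from behind one NAT address.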