FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jgillies01
Staff
Staff

Description
This article describes how to access L2TP/IPsec VPN tunnel from different Windows native clients behind the same NAT IP address.

Useful link:
Fortinet Documentation: New route-basedIPsec logic


Scope
FortiGate v5.6.3
FortiGate v6.0
FortiGate v6.2

Solution
Formerly FortiOS was creating only one Dialup interface for every L2TP/IPsec tunnel, so If two users are behind the same NAT device, only one of them could successfully access the tunnel.

As of FortiOS version 6.0 & 5.6.3, a new behavior is implemented for routing traffic to IPsec dialup tunnels.
A new option is added to IPsec phase1 configuration using this command:

# config vpn ipsec phase1-interface
edit “VPN-phase1”
set net-device enable
end 

net-device enable” creates dynamic interface for each dialer.
This helps FortiOS distinguish multiple requests coming from multiple Windows clients NATed by the same IP address.


 
 

 

Contributors