FortiGate
CarlosColombini
Article Id 241006
Description

This article describes the registry change required on Microsoft Windows clients using the native L2TP over IPsec client when the FortiGate itself is placed behind a NAT device.

 

Scope

FortiGate, Windows native L2TP over IPsec.

 

Solution

This article assumes that L2TP over IPsec has already been configured on the FortiGate and that a VPN connection has already been created on the Windows client. An example of the L2TP configuration steps on the FortiGate can be found in the following article:


Technical Tip: Setup L2TP over IPSEC VPN on FortiGate with LDAP authentication.

 

Note:

There has been a change in FortiOS design starting with version 7.0.1. If the firmware has been upgraded from 6.4.x or 7.0.0 to 7.0.1 or later, the manual configuration changes described in the following article are required:


Technical Tip: Manual update of L2TP over IPsec configuration after upgrading from 6.4.x or 7.0.0 to...

 

Generally, L2TP clients are located behind a NAT device while the server is public facing. In some cases, however, the FortiGate itself may be located behind a NAT device, especially when it is cloud-hosted (Azure, AWS, GCP, OCI and others), where the instance has a private address and the cloud provider translates the public address to it.

By default, Microsoft Windows will not establish an IPsec Security Association to a server that is located behind a NAT device, even though the client itself supports NAT-T (UDP encapsulation of ESP). A registry value must be configured on the client to allow this.

 

1) Open the Registry Editor in Windows.
Select Start -> All Programs -> Accessories -> Run, type 'regedit' and press Enter (on recent Windows versions, press Win+R to open the Run dialog instead).

 

2) Browse to the registry subkey below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

 

3) Create a new DWORD (32-bit) value with the name below.

AssumeUDPEncapsulationContextOnSendRule

 

4) Set the value to enable NAT-T for the case where both devices are located behind NAT.

In the Value Data field, type '2' (see the note below for the other possible values), then restart the computer so that the IPsec service picks up the change.

 

Microsoft Windows - How to enable NAT-T from registry.

 
Note:

Meaning of the Value Data field:

0 - Neither the FortiGate nor the client is behind a NAT device (the Windows default; the value does not need to exist for this behaviour).

1 - The FortiGate is behind a NAT device, but the client is not.

2 - Both the FortiGate and the client are behind NAT devices.
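The registry change above can also be applied from an elevated PowerShell prompt, which is convenient when many clients must be configured. The script below is an added example and not part of the original article or Fortinet's documentation; the parameter name NatPlacement and its three keywords are this example's own convention, mapped to the Value Data meanings listed in the note above. It reads the current value, writes the DWORD only when it differs, and reads it back to confirm the write succeeded.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): configure the Windows NAT-T
# registry value for native L2TP over IPsec. Run elevated; restart Windows
# afterwards for the IPsec service to apply the new setting.

param(
    # Which side of the IPsec tunnel sits behind NAT. The keywords are this
    # example's own names for the Value Data meanings 0, 1 and 2.
    [ValidateSet('None', 'ServerOnly', 'Both')]
    [string]$NatPlacement = 'Both'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

$ValueMap = @{
    'None'       = 0   # neither FortiGate nor client behind NAT (Windows default)
    'ServerOnly' = 1   # FortiGate behind NAT, client not
    'Both'       = 2   # both FortiGate and client behind NAT
}
$Desired = $ValueMap[$NatPlacement]

# Show what is currently configured; a missing value behaves like 0.
$Current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $Current) {
    Write-Host "$ValueName is not set (Windows default behaviour, equivalent to 0)."
} else {
    Write-Host "$ValueName is currently $Current."
}

if ($Current -eq $Desired) {
    Write-Host "Already set to $Desired; nothing to do."
    return
}

# Create or overwrite the value. -PropertyType DWord is what regedit calls
# 'DWORD (32-bit) Value'; -Force replaces an existing value of the same name.
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired `
    -PropertyType DWord -Force | Out-Null

# Read the value back to confirm the write took effect.
$Verify = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($Verify -ne $Desired) {
    throw "Failed to set $ValueName (read back '$Verify', expected $Desired)."
}
Write-Host "$ValueName set to $Desired ($NatPlacement). Restart Windows before testing the L2TP connection."
```

Run it as `.\Set-L2tpNatT.ps1 -NatPlacement Both` (the file name is this example's own choice). The registry value only changes the client's behaviour; the NAT device in front of the FortiGate must still forward UDP 500 (IKE) and UDP 4500 (NAT-T) to the FortiGate, since NAT-T moves both IKE and the ESP payload onto UDP 4500 once NAT is detected. On the FortiGate, `diagnose vpn ike gateway list` shows whether NAT-T was negotiated for the client's gateway, which is a quick way to confirm the client is encapsulating correctly after the reboot.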

 

Related Articles

Troubleshooting Tip: L2TP in IPsec connectivity issues

Technical Tip: Setup L2TP over IPSEC VPN on FortiGate with LDAP authentication
Technical Tip: Manual update of L2TP over IPsec configuration after upgrading from 6.4.x or 7.0.0 to...
Microsoft Windows - How to enable NAT-T from registry