Umer221
Staff
Article Id 367662
Description This article explains how to troubleshoot and resolve internet connectivity issues that arise when using the Windows native client for L2TP over IPsec VPN with FortiGate.
Scope FortiOS, FortiGate, Windows Native Client
Solution

This configuration is based on the default template generated by the FortiGate IPsec wizard. The only modification made is the subnet range, which has been set to 10.0.10.0/24.

For detailed instructions on using the suggested template, refer to the article: Technical Tip: How to enable split tunneling in Windows 10 (L2TP/PPTP VPN).


When the Windows native client is used for the L2TP connection, enabling the 'Use default gateway on remote network' option may cause internet connectivity issues.

To diagnose the issue, run a sniffer on the FortiGate and initiate a ping from the client machine to an external IP address (e.g., 1.1.1.1) to verify whether the traffic reaches the FortiGate:


dia sniffer packet any "host <Client IP address> and icmp" 4 0 l


If no traffic is observed on the FortiGate, check the local routing table on the Windows machine. Enable the 'Use default gateway on remote network' option by following the KB article: Technical Tip: How to enable split-tunneling in Windows 10 (L2TP/PPTP VPN).


Enabling the 'Use default gateway on remote network' option redirects the traffic from the Windows client to the FortiGate.

Once enabled, verify that the ping traffic to 1.1.1.1 is reaching the FortiGate by re-running the sniffer. ICMP packets should be arriving at the FortiGate as shown in the screenshot below:

[Screenshot 5.1.png: sniffer output showing the ICMP packets from the client arriving at the FortiGate]


After applying the solution, traffic should redirect to the FortiGate. However, if internet access remains non-functional, ensure that the configuration aligns with the guidelines provided in the article: Technical Tip: How to establish VPN connection between Windows 10 and FortiGate with L2TP over IPSec...


The sniffer output indicates that the traffic is arriving on the 'l2t.root' interface instead of the expected IPsec tunnel interface ('<interface name>'). In such cases, update every policy and configuration that selects the tunnel interface to use 'l2t.root' instead.


The following firewall policies should be configured to ensure proper traffic flow:

  • From LAN to l2t.root.
  • From l2t.root to LAN.
  • From l2t.root to WAN.


The next step is to run the following debugs and observe the error:


dia deb res
dia deb dis
dia deb flow filter addr 1.1.1.1
dia deb flow filter proto 1
dia deb flow show function-name enable
dia deb flow trace start 100
dia deb enable


The debug output displays the error 'reverse path check fail, drop', as shown in the screenshot below:

[Screenshot 5.2.png: debug flow output showing 'reverse path check fail, drop']


To resolve the issue with the returning traffic to the client, navigate to Network -> Static Route and create a new static route with the client's subnet '10.0.10.0/24' as the destination and 'l2t.root' as the interface. The equivalent CLI configuration is:


config router static
    edit 4
        set status enable
        set dst 10.0.10.0 255.255.255.0
        set distance 10
        set weight 0
        set priority 1
        set device "l2t.root"
        set comment ""
    next
end
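The reverse path check fails because the FortiGate has no route back to the client subnet via the interface the packet arrived on (l2t.root), so the static route above is what the check needs to find. As an added example (not part of the original article), the following Python script reads 'diagnose debug flow' output, groups lines by trace_id, flags traces dropped by the reverse path check and, when the source lies in the VPN client subnet, renders the static route that resolves it. The sample lines are constructed in the FortiOS message layout, not captured from a real unit.

```python
import ipaddress
import re

# Constructed sample of 'diagnose debug flow' output for a ping from an L2TP client
# (10.0.10.2) to 1.1.1.1 before the static route exists. The lines follow the
# FortiOS message layout but were written for this example, not captured from a unit.
DEBUG_FLOW_SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.0.10.2:1->1.1.1.1:2048) from l2t.root. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=ip_route_input_slow line=1000 msg="reverse path check fail, drop"
"""

PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+?):\d+->(\S+?):\d+\) from (\S+?)\.(?:\s|$)")
TRACE_RE = re.compile(r"trace_id=(\d+)")
RPF_DROP = "reverse path check fail, drop"


def analyze_debug_flow(text):
    """Group debug-flow lines by trace_id and record, per trace, the packet's
    protocol, source, destination, ingress interface and whether RPF dropped it."""
    traces = {}
    for line in text.splitlines():
        tm = TRACE_RE.search(line)
        if not tm:
            continue
        t = traces.setdefault(tm.group(1), {"proto": None, "src": None, "dst": None,
                                            "ingress": None, "rpf_drop": False})
        pm = PKT_RE.search(line)
        if pm:
            t["proto"], t["src"], t["dst"], t["ingress"] = int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4)
        if RPF_DROP in line:
            t["rpf_drop"] = True
    return traces


def suggest_static_route(trace, client_subnet, seq=4):
    """If the trace was RPF-dropped and its source lies in the VPN client subnet,
    return the FortiOS static route that points that subnet at the ingress interface
    (the route the reverse path check needs to find); otherwise return None."""
    net = ipaddress.ip_network(client_subnet)
    if not trace["rpf_drop"] or trace["ingress"] is None or trace["src"] is None:
        return None
    if ipaddress.ip_address(trace["src"]) not in net:
        return None  # dropped for some other reason; a route for the VPN subnet will not help
    return (f"config router static\n    edit {seq}\n"
            f"        set dst {net.network_address} {net.netmask}\n"
            f'        set device "{trace["ingress"]}"\n    next\nend\n')


if __name__ == "__main__":
    for tid, t in analyze_debug_flow(DEBUG_FLOW_SAMPLE).items():
        print(f"trace {tid}: {t['src']}->{t['dst']} via {t['ingress']}, rpf_drop={t['rpf_drop']}")
        fix = suggest_static_route(t, "10.0.10.0/24")
        if fix:
            print(fix)
```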


After applying the static route, traffic should flow correctly through the FortiGate, allowing successful pings to the internet (e.g., 1.1.1.1) and the FortiGate LAN interface IP.


Debugs with traffic working:


[Screenshot 5.4.png: debug flow output with the static route in place and traffic working]