Description
This article explains how to troubleshoot and resolve internet connectivity issues that arise when using the Windows native client for L2TP over IPsec VPN with FortiGate.

Scope
FortiOS, FortiGate, Windows Native Client.

Solution
This configuration is based on the default template generated by the FortiGate IPsec wizard. The only modification made is the subnet range, which has been set to 10.0.10.0/24. For detailed instructions on using the suggested template, refer to the article: Technical Tip: How to enable split tunneling in Windows 10 (L2TP/PPTP VPN).
When using the Windows native client for an L2TP connection, enabling the 'Use default gateway on remote network' option may cause internet connectivity issues. To diagnose the issue, run a sniffer on the FortiGate and initiate a ping from the client machine to an external IP address (e.g., 1.1.1.1) to verify whether the traffic reaches the FortiGate:
dia sniffer packet any "host <Client IP address> and icmp" 4 0 l
If no traffic is observed on the FortiGate, check the local routing table on the Windows machine. Enable the 'Use default gateway on remote network' option by following the KB article: Technical Tip: How to enable split-tunneling in Windows 10 (L2TP/PPTP VPN).
Enabling the 'Use default gateway on remote network' will redirect traffic from the Windows client to the FortiGate. Once enabled, verify that the ping traffic to 1.1.1.1 is reaching the FortiGate by re-running the sniffer. ICMP packets should be arriving at the FortiGate as shown in the screenshot below:
After applying the solution, traffic should redirect to the FortiGate. However, if internet access remains non-functional, ensure that the configuration aligns with the guidelines provided in the article: Technical Tip: How to establish VPN connection between Windows 10 and FortiGate with L2TP over IPSec...
The sniffer output indicates that the traffic is entering from the 'l2t.root' interface rather than the expected IPsec tunnel interface ('<interface name>'). In such cases, ensure that every policy and configuration object that requires selecting the tunnel interface is updated to use 'l2t.root' instead.
The following firewall policies should be configured to ensure proper traffic flow:
The next step is to run the following debugs and observe the error:
dia deb res
The debug output displays the error 'reverse path check fail, drop', as shown in the screenshot below:
To resolve the issue with traffic returning to the client, navigate to Network -> Static Route and create a new static route with the client's subnet '10.0.10.0/24' as the destination and 'l2t.root' as the interface:
After applying the static route, traffic should flow correctly through the FortiGate, allowing successful pings to the internet (e.g., 1.1.1.1) and the FortiGate LAN interface IP.
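The following Python script is an added illustration, not part of this Fortinet article or of FortiOS; it models the three checks described above on constructed data. The sniffer lines are a hand-made sample in the shape of verbosity-4 'diagnose sniffer packet' output (not a real capture), the interface names 'wan1' and 'internal', the client address 10.0.10.1 and the routing tables are hypothetical, and the reverse-path check is a simplified loose-mode model (the packet passes if any route covering its source points out the interface it arrived on), which is an assumption rather than FortiOS's actual implementation. It shows that the client's packets enter on 'l2t.root', that the reverse-path check fails there while no route covers the client subnet via that interface, and that adding the 10.0.10.0/24 static route via 'l2t.root' both passes the check and sends replies back through the right interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample, shaped like the verbosity-4 output of
# 'diagnose sniffer packet any "host 10.0.10.1 and icmp" 4'. Not a real capture.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.0.10.1 and icmp]
3.518420 l2t.root in 10.0.10.1 -> 1.1.1.1: icmp: echo request
3.518455 wan1 out 203.0.113.10 -> 1.1.1.1: icmp: echo request
3.532001 wan1 in 1.1.1.1 -> 203.0.113.10: icmp: echo reply
"""

CLIENT_IP = "10.0.10.1"        # hypothetical address from the 10.0.10.0/24 L2TP range
CLIENT_SUBNET = "10.0.10.0/24"
L2TP_IFACE = "l2t.root"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def route(prefix: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), interface)


# Hypothetical routing table before the fix: a default route out 'wan1' and the LAN.
# Nothing points back into the client subnet through 'l2t.root'.
ROUTES_BEFORE: List[Route] = [
    route("0.0.0.0/0", "wan1"),
    route("192.168.1.0/24", "internal"),
]


def ingress_interfaces(sniffer_text: str, src_ip: str) -> Set[str]:
    """Interfaces on which packets sourced from src_ip entered the FortiGate.

    Parses lines of the form '<time> <iface> <in|out> <src> -> <dst>: ...'
    and ignores the header lines and outbound packets.
    """
    seen = set()
    for line in sniffer_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "in" and parts[3] == src_ip:
            seen.add(parts[1])
    return seen


def reverse_path_ok(routes: List[Route], src_ip: str, ingress: str) -> bool:
    """Simplified loose reverse-path check (assumed model, not FortiOS code):
    pass if any route covering the source points out the ingress interface,
    otherwise the packet is dropped ('reverse path check fail, drop')."""
    src = ipaddress.ip_address(src_ip)
    return any(src in r.prefix and r.interface == ingress for r in routes)


def egress_interface(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Longest-prefix match: the interface that return traffic to dst_ip leaves on."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def with_static_route(routes: List[Route], prefix: str, interface: str) -> List[Route]:
    """Return a new table with the static route from the article appended."""
    return list(routes) + [route(prefix, interface)]


def diagnose(routes: List[Route], sniffer_text: str, client_ip: str) -> dict:
    """Where did the client's packets enter, does the reverse-path check pass
    on that interface, and where would replies to the client be sent?"""
    ingress = ingress_interfaces(sniffer_text, client_ip)
    return {
        "ingress": ingress,
        "rpf_ok": {iface: reverse_path_ok(routes, client_ip, iface) for iface in ingress},
        "reply_egress": egress_interface(routes, client_ip),
    }


if __name__ == "__main__":
    print("before static route:", diagnose(ROUTES_BEFORE, SNIFFER_OUTPUT, CLIENT_IP))
    fixed = with_static_route(ROUTES_BEFORE, CLIENT_SUBNET, L2TP_IFACE)
    print("after static route: ", diagnose(fixed, SNIFFER_OUTPUT, CLIENT_IP))
```

Running the script prints the ingress set {'l2t.root'} in both cases; before the static route the reverse-path result for 'l2t.root' is False and replies to the client would be routed out 'wan1', after it the check passes and replies leave via 'l2t.root', which is the behaviour the article's fix relies on.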
Copyright 2025 Fortinet, Inc. All Rights Reserved.