FortiGate
athirat
Staff
Article Id 216296

Description

 

This article describes the settings required on FortiGate and Windows 10 client in order to successfully connect to L2TP over IPSec VPN with LDAP authentication and access resources behind FortiGate.

 

Scope

 

FortiOS 7.0 onward.

 

Solution

 

FortiGate configuration:

 

  1. Set up the LDAP profile under User & Authentication -> LDAP server:

 

(Screenshot: LDAP server settings.)

 

  2. Create a user group corresponding to the AD group under User & Authentication -> User groups:

 

(Screenshot: user group mapped to the AD group.)

 

  3. Create a VPN using the wizard with the 'remote access' and 'native windows' template.

 

NOTE:

Set the authentication method to 'Pre-shared key' and select the AD user group.

The resulting configuration looks like this in the CLI:

 

config vpn ipsec phase1-interface
    edit "ipsec-l2tp"
      set type dynamic
      set interface "port1"
      set peertype any
      set net-device enable
      set proposal aes256-md5 3des-sha1 aes192-sha1
      set comments "VPN: ipsec-l2tp (Created by VPN wizard)"
      set dhgrp 2
      set wizard-type dialup-windows
      set psksecret ENC hb3pmKyut/c3zGiYuQJAIXb9BP27QzrDsaKc10C+sNFevSgdbgKLkV+YT+bj12ailMFdzXcolWO06jlhdNlwNxcgi7Yj0zzHLvb36b20QcxBsr6JJMy/fBbzWgxkKPYfngiuNA1bvgwj9aMREz0FVJ7yOoSDIdFZmhShHMc+PdKt4A91nFFDgkh7BTvIh5qw+Bl+qA==
    next
  end

 

Note: 'net-device' must be enabled in order to allow multiple VPN connections from behind the same NAT device (the same public IP address).

 

config vpn ipsec phase2-interface
    edit "ipsec-l2tp"
      set phase1name "ipsec-l2tp"
      set proposal aes256-md5 3des-sha1 aes192-sha1
      set pfs disable
      set encapsulation transport-mode
      set l2tp enable
      set comments "VPN: ipsec-l2tp (Created by VPN wizard)"
      set keylifeseconds 3600
    next
  end

 

config vpn l2tp
    set status enable
    set eip 1.1.1.10
    set sip 1.1.1.1
    set usrgrp "domain_users"
  end

 

  4. In FortiOS 7.0, two firewall policies are required:

 

config firewall policy
    edit 1    <--- used for the L2TP tunnel setup
      set name "vpn_ipsec-l2tp_l2tp"
      set uuid ac305d9e-f7e1-51ec-7867-47660df85033
      set srcintf "ipsec-l2tp"
      set dstintf "port1"
      set action accept
      set srcaddr "all"
      set dstaddr "all"
      set schedule "always"
      set service "L2TP"
      set comments "VPN: ipsec-l2tp (Created by VPN wizard)"
    next
    edit 2    <--- used for traffic across the tunnel
      set name "vpn_ipsec-l2tp_remote_0"
      set uuid ac397f14-f7e1-51ec-b9fe-6aed4fa2c994
      set srcintf "l2t.root"
      set dstintf "port2"
      set action accept
      set srcaddr "ipsec-l2tp_range"
      set dstaddr "lan"
      set schedule "always"
      set service "ALL"
      set nat enable
      set comments "VPN: ipsec-l2tp (Created by VPN wizard)"
    next
  end

 

Client configuration:

 

  1. On Windows, select Start -> Settings -> Network & Internet -> VPN -> Add a VPN connection. 

 

(Screenshot: Add a VPN connection dialog.)

 

  2. Due to Point-to-Point Protocol limitations, only PAP is supported for LDAP authentication over L2TP.

    It is essential to set this under the VPN adapter properties in order to connect to the VPN successfully.

    To set PAP:

    Go to adapter Properties -> Security and select PAP as shown below:

 

(Screenshot: adapter Security tab with PAP selected.)
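The same client-side setup can be scripted. The following is an added example, not part of the original article: it creates the Windows 10 connection with L2TP over IPsec, a pre-shared key and PAP, then checks the adapter property. The connection name and server address are placeholders.

```powershell
# Added example (not from the original article): provision the Windows 10
# L2TP/IPsec client the way the article's GUI steps do, with PAP enforced.
$Name   = 'FortiGate-L2TP'        # placeholder connection name
$Server = 'vpn.example.com'       # placeholder: FortiGate port1 public address or FQDN
$Psk    = Read-Host -Prompt 'Pre-shared key'   # prompted, not stored in the script

# Replace a stale entry of the same name so Add-VpnConnection does not fail.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# -TunnelType L2tp with -L2tpPsk gives L2TP over IPsec using a pre-shared key,
# matching the 'Pre-shared key' choice in the FortiGate wizard.
# -AuthenticationMethod Pap is what the GUI shows as "Unencrypted password (PAP)";
# LDAP-backed L2TP on FortiGate only works with PAP, so MSCHAPv2 must not stay selected.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod Pap -Force

# Verify the property the article calls essential before the first dial attempt.
$conn = Get-VpnConnection -Name $Name
if ($conn.TunnelType -eq 'L2tp' -and $conn.AuthenticationMethod -contains 'Pap') {
    "OK: '$Name' is L2TP/IPsec (PSK) with PAP. Dial with: rasdial '$Name' <domain\user>"
} else {
    throw "'$Name' is not set to PAP: $($conn.AuthenticationMethod -join ',')"
}
```

PAP sends the password in cleartext inside PPP, so it is only acceptable here because the whole L2TP exchange is carried inside the IPsec transport-mode SA negotiated first.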

 

Verification:

 

If PAP is not explicitly set under the client adapter settings, the connection will fail with the following error in the L2TP debug output on FortiGate:

 

l2tp_ppp_recv()-525: tunnel=1 (len=64)
RCV: CHAP Response id(1)
SND: CHAP Failure id(1) msg(Authentication Fail!O1)
l2tp_ppp_send()-345: tunnel=1
MSCHAP-v2 peer authentication failed for remote host <username>: LCP Termiate_Request id(5) len(25)
l2tp_ppp_send()-345: tunnel=1
l2tp_handle_ppp_packet()-197:
l2tp_ppp_recv()-525: tunnel=1 (len=29)
RCV: LCP Terminate_Ack id(5) len(25)
Connection terminated.

 

On a successful connection:

 

diag vpn ike gateway list

vd: root/0
name: ipsec-l2tp_0
version: 1
interface: port1 3
addr: 10.5.27.1:500 -> 10.5.25.1:500
tun_id: 10.5.25.1/::10.0.0.5
remote_location: 0.0.0.0
created: 11s ago
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 20/20/20 ms

id/spi: 6 98dd5febdb7cbbce/6d34247b5bfb1fcb
direction: responder
status: established 11-11s ago = 10ms
proposal: 3des-sha1
key: 0c176b18ba911f63-68476d0d7860feb4-ccc1f23d85597d44
lifetime/rekey: 28800/28518
DPD sent/recv: 00000000/00000000

 

diag vpn tunnel list
name=ipsec-l2tp_0 ver=1 serial=5 10.5.27.1:0->10.5.25.1:0 tun_id=10.5.25.1 tun_id6=::10.0.0.5 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=tunnel/255 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1 overlay_id=0
parent=ipsec-l2tp index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=4 ad=/0
stat: rxp=67 txp=20 rxb=6307 txb=1140
dpd: mode=on-demand on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ipsec-l2tp proto=17 sa=1 ref=3 serial=1 transport-mode add-route
src: 17:10.5.27.1-10.5.27.1:1701
dst: 17:10.5.25.1-10.5.25.1:0
SA: ref=3 options=20182 type=00 soft=0 mtu=1470 expire=3576/0B replaywin=2048
seqno=15 esn=0 replaywin_lastseq=00000043 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3591/3600
dec: spi=511656c5 esp=3des key=24 1046f73abfe8085201264c692c7cb63c6073f33e23930157
ah=sha1 key=20 7003236905bb0912758cec75fb451b90bf35fe4c
enc: spi=3181a9c6 esp=3des key=24 19850800e3f80aba66cd4a1bec04ff5ab99e05d52f69d678
ah=sha1 key=20 b7c480f88cf405333397d298030f626327508441
dec:pkts/bytes=134/12614, enc:pkts/bytes=40/2956
npu_flag=00 npu_rgwy=10.5.25.1 npu_lgwy=10.5.27.1 npu_selid=3 dec_npuid=0 enc_npuid=0

 

diag debug enable 

 

diag vpn l2tp tunnel

--- L2tp tunnels (VD: 0) -------
-----------------------
Num of tunnels: 1
-----------------------
Tunnel ID = 1 (local id), 6 (remote id) vfid = 0 vrf = 0
peer 10.5.25.1:1701 duration = 28
control_seq_num = 2, control_rec_seq_num = 4,
last recv pkt = 2
Call ID = 1 (local id), 1 (remote id), serno = 0
assigned ip = 1.1.1.2
data_seq_num = 0,
tx = 654 bytes (19), rx= 6642 bytes (81)
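To recognise the failure signature above and the successful state without reading the raw debug by hand, here is an added example (not from the original article) that classifies L2TP output from FortiGate. The function name and the sample lines are constructed; the samples follow the shape of the article's own output.

```powershell
# Added example (not from the original article): classify FortiGate L2TP debug /
# "diag vpn l2tp tunnel" output as the PAP mismatch, an established tunnel, or unknown.
function Get-L2tpAuthDiagnosis {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Markers taken from the article's failure trace: the client answered a CHAP
    # challenge, and FortiGate rejected it because LDAP users can only use PAP.
    $chapSeen   = $Lines -match '^RCV: CHAP Response'
    $chapFailed = $Lines -match '^SND: CHAP Failure|MSCHAP-v2 peer authentication failed'
    $lcpTerm    = $Lines -match 'LCP Termi\w*_Request'
    # Success marker from "diag vpn l2tp tunnel": an address from the L2TP pool.
    $assignedIp = ($Lines -match '^assigned ip = ') -replace '^assigned ip = ', ''

    if ($chapSeen -and $chapFailed) {
        [pscustomobject]@{
            State  = 'AuthFailed'
            Cause  = 'Client negotiated CHAP/MS-CHAPv2; set the Windows adapter to PAP'
            Detail = ($chapFailed | Select-Object -First 1)
        }
    } elseif ($assignedIp) {
        [pscustomobject]@{
            State  = 'Established'
            Cause  = 'PPP authentication completed and a pool address was assigned'
            Detail = "assigned ip = $assignedIp"
        }
    } elseif ($lcpTerm) {
        [pscustomobject]@{
            State  = 'Terminated'
            Cause  = 'LCP terminated before an authentication result was seen'
            Detail = ($lcpTerm | Select-Object -First 1)
        }
    } else {
        [pscustomobject]@{ State = 'Unknown'; Cause = 'No L2TP markers found'; Detail = '' }
    }
}

# Constructed samples shaped like the article's failure debug and tunnel listing.
$failed = @(
    'l2tp_ppp_recv()-525: tunnel=1 (len=64)',
    'RCV: CHAP Response id(1)',
    'SND: CHAP Failure id(1) msg(Authentication Fail!O1)',
    'MSCHAP-v2 peer authentication failed for remote host jdoe: LCP Termiate_Request id(5) len(25)',
    'Connection terminated.'
)
$ok = @(
    'Tunnel ID = 1 (local id), 6 (remote id) vfid = 0 vrf = 0',
    'peer 10.5.25.1:1701 duration = 28',
    'assigned ip = 1.1.1.2'
)
Get-L2tpAuthDiagnosis -Lines $failed
Get-L2tpAuthDiagnosis -Lines $ok
```

Feed it the pasted output of the debug session or `diag vpn l2tp tunnel`, one line per array element, for example via `Get-Content` on a saved capture.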
