syordanov (Staff)

Description


This article describes how to set up split tunneling on an L2TP/IPsec VPN between FortiGate and Windows 10.

FortiOS does not support split tunneling on L2TP/IPsec unless FortiClient is used.

 

Some customers have mixed environments in which the OS-native VPN client must be used.

Related documents:

IP to HEX: https://www.browserling.com/tools/ip-to-hex

HEX to IP: https://www.browserling.com/tools/hex-to-ip

 

Scope

 

For versions 7.0.1 and above.

 

Solution

 

L2TP VPN over IPsec is still used in many environments, and some customers want split tunneling when it is configured.

 

With the traditional configuration, clients in the L2TP range can reach only IP addresses from that range, because the FortiGate does not push any additional routes to them.

 
This can be solved by configuring a DHCP server on the L2TP interface with option 121.

Starting with FortiOS 7.0.1, it is possible to configure a DHCP server on the L2TP interface and specify a lease range.
 
Topology example.
 
 
 
Configure L2TP over an IPsec tunnel from GUI.
 
Configure a user; in this example, local 'FW user authentication' is used:
 
1) Go to User & Authentication -> User Definition and select 'Create New'.
2) Select 'Local User' and select 'Next'.
 
 
3) Enter the user name, in this case, 'l2tpuser'.
 
 
4) Select 'Next' to complete the user.
 
The newly created user is included in the user group 'l2tp_usergroup':
 
 
5) Create an L2TP VPN using the built-in VPN wizard:
 
 
 
6) As the local interface and addresses, configure the interfaces and IP addresses that remote VPN users need to reach, for example 'port2' and 'port3' of the FortiGate.
 
 
 
 
The wizard creates two policy rules from the 'l2tp.root' interface to 'port2' and 'port3', but with this configuration the remote VPN users can access only the 192.168.60.0/24 network, because no other routes are received.
For that reason, a DHCP server with option 121 can be configured on the 'l2tp.root' interface, which is only possible from FortiOS 7.0.1 onwards.
 
7) Configure the IP address of the 'l2tp.root' interface, using the first usable IP address from the L2TP range.
 
 
8) Enable the DHCP server, set the lease address range to 0.0.0.0-0.0.0.0, and select 'Advanced':
 
 
9) Under the additional DHCP options, select 'Create New':
 
 
Option 121 pushes classless static routes through DHCP. Its value is the hexadecimal representation of the following fields, in this order, repeated once per route:

- Subnet mask in CIDR notation (the prefix length, one byte).
- Destination subnet (only the octets covered by the prefix length, so three octets for a /24).
- Next hop (all four octets).
 
In this case, the following two static routes are pushed:

192.168.2.0/24 via 192.168.60.1 and 192.168.1.0/24 via 192.168.60.1, which are the networks connected to port2 and port3.
 
Route 1: 192.168.2.0/24 via 192.168.60.1 converted to HEX value:

Decimal value      HEX value
/24                18
192.168.2.0        C0A802
192.168.60.1       C0A83C01

192.168.2.0/24 via 192.168.60.1 -> 18C0A802C0A83C01
 
Route 2: 192.168.1.0/24 via 192.168.60.1 converted to HEX value:

Decimal value      HEX value
/24                18
192.168.1.0        C0A801
192.168.60.1       C0A83C01

192.168.1.0/24 via 192.168.60.1 -> 18C0A801C0A83C01
 
Final HEX value:
 
18C0A802C0A83C0118C0A801C0A83C01
 
To push more than two routes, append each additional route's HEX value after the last one.
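The conversion that the tables above carry out by hand, as an added example (not part of the original article and not a FortiOS or Fortinet tool): a small Python encoder and decoder for the RFC 3442 classless static route format that option 121 carries. It generalizes the article's two /24 routes to any prefix length and any number of routes, and decodes a value back to routes so a hex string can be checked before it is entered on the DHCP server. The function names and the sample routes are the example's own.

```python
"""Encode and decode DHCP option 121 (RFC 3442 classless static routes).

Added example, not from the original article or from FortiOS. Reproduces
the manual IP-to-HEX conversion for any prefix length and any number of
routes, and decodes a value back so a pushed option can be verified.
"""
import ipaddress


def encode_route(destination: str, next_hop: str) -> str:
    """Return the upper-case hex encoding of one classless static route.

    Layout per RFC 3442: one octet holding the prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them), then the
    four octets of the router address.
    """
    net = ipaddress.IPv4Network(destination, strict=True)
    router = ipaddress.IPv4Address(next_hop)
    width = net.prefixlen
    significant = (width + 7) // 8  # /24 -> 3 octets, /25 -> 4, /0 -> 0
    body = bytes([width]) + net.network_address.packed[:significant] + router.packed
    return body.hex().upper()


def encode_option121(routes) -> str:
    """Concatenate the encodings of (destination, next_hop) pairs."""
    return "".join(encode_route(dest, nh) for dest, nh in routes)


def decode_option121(hex_value: str):
    """Parse an option 121 hex string back into (destination, next_hop) pairs.

    Raises ValueError on a malformed or truncated value so a mistyped
    string is caught before it is pushed to clients.
    """
    data = bytes.fromhex(hex_value)
    routes = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        significant = (width + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError("truncated option 121 value")
        # Pad the abbreviated destination back out to four octets.
        dest_octets = data[i + 1:i + 1 + significant] + b"\x00" * (4 - significant)
        dest = ipaddress.IPv4Network((dest_octets, width))
        router = ipaddress.IPv4Address(data[i + 1 + significant:end])
        routes.append((str(dest), str(router)))
        i = end
    return routes


def is_valid_option121(hex_value: str) -> bool:
    """True if the value decodes cleanly, False otherwise."""
    try:
        decode_option121(hex_value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample matching the article's topology.
    article_routes = [("192.168.2.0/24", "192.168.60.1"),
                      ("192.168.1.0/24", "192.168.60.1")]
    value = encode_option121(article_routes)
    print(value)                      # 18C0A802C0A83C0118C0A801C0A83C01
    print(decode_option121(value))
```

Running it prints the same final value as the article. The destination field length changes with the prefix: a /0 default route carries no destination octets at all, while a /25 needs all four, which is why a hand conversion of anything other than /8, /16 or /24 routes is easy to get wrong and worth checking with the decoder.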
 
From the CLI (the interface name is 'l2tp.root', matching the interface configured above):

# config system dhcp server
    edit 1
        set default-gateway 192.168.60.1
        set netmask 255.255.255.255
        set interface "l2tp.root"
        config options
            edit 1
                set code 121
                set value "18C0A802C0A83C0118C0A801C0A83C01"
            next
        end
    next
end

 

Windows 10 output:

[Screenshot of the Windows 10 client output omitted.]

 

Related Articles

 

Technical Tip: How to connect Windows 10 client to L2TP VPN network

Technical Tip: FortiGate VRRP configuration and debug
