Description: This article describes a major change in the behavior of L2TP on FortiGate 7.x firmware. The change requires the FortiGate configuration to be updated after the upgrade.
Scope: FortiGate upgraded from 6.4 to 7.x.
Solution:
Setup used for this lab:
The client 10.146.12.129 is connected to the FortiGate through L2TP.
L2TP/IPSec details:
L2TP pool:
Phase2 configuration (config vpn ipsec phase2-interface):
L2TP enabled (config vpn l2tp):
The user group group_l2tp is configured with one user for testing purposes. A static route is set to reach the destination 10.128.17.134 through port13. Two firewall policies are needed in this setup. The first policy 'bridges' the IPsec interface to the physical/aggregate/VLAN interface:
edit 1
The second policy allows the traffic from the VPN client to the destination:
edit 2
These policies match 'all' for source and destination; once the setup works they can be refined to restrict traffic to the L2TP pool, the reachable subnets and the required services.
6.4 branch behavior:
Once the client is connected to the FortiGate, ping the destination 10.128.17.134 from the client and observe the traffic on the FortiGate to see which interfaces are involved with L2TP.
When the ping request is sent from the client, the interface ppp1 receives the ping (in). The packet is then forwarded to port13 (out), where the destination is.
After the upgrade to the 7.x branch, with the modifications explained below applied, the behavior is different:
An interface named l2t.<vdom> (l2t.root in this example) now handles the L2TP traffic. This interface replaces the ppp1 interface seen in the 6.4 example, so every object that referenced the old interface (the static route for the L2TP pool and the firewall policy from the VPN clients) must be updated to restore the L2TP service.
The static route for the L2TP pool must point at the l2t.<vdom> interface:
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "l2t.root"
    next
end
The firewall policy for the VPN client traffic must use l2t.<vdom> as source interface instead of the phase1 interface:
config firewall policy
    edit 2
        set name "l2tp-p1-p13"
        set srcintf "l2t.root"    <- Change the interface from phase1 to the l2t.<vdom>.
    next
end
Note that the firewall policy needed to bridge the IPsec interface and the physical port / aggregate is still required and is unchanged:
config firewall policy
    edit 1
        set name "l2tp-p1-p11bridge"
        set srcintf "l2tp-phase1"
        set dstintf "port11"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
    next
end
No changes are required in the IPsec configuration either.
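The complete 7.x-side configuration, assembled here as an added example (it is not the article's own configuration, which is shown only in fragments), followed by a sniffer check for the ping test described above. The following are assumptions, because the article does not state them: 10.10.10.0/24 is the L2TP address pool, "l2tp-phase1" is the phase1-interface name, port11 is the interface the IPsec tunnel terminates on, port13 is the interface toward 10.128.17.134, and both policies use service ALL.

```fortios
# Added example, not from the article. Assumed: 10.10.10.0/24 is the L2TP
# pool, "l2tp-phase1" is the phase1-interface, port11 terminates the IPsec
# tunnel, port13 faces 10.128.17.134, service ALL on both policies.

# 1. Static route for the L2TP pool: the device is l2t.<vdom>, not pppN.
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "l2t.root"
    next
end

config firewall policy
    # 2. Bridge policy between the IPsec interface and the interface it
    #    terminates on. Unchanged by the upgrade, but still required.
    edit 1
        set name "l2tp-p1-p11bridge"
        set srcintf "l2tp-phase1"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # 3. Client-to-destination policy: srcintf moves from the phase1
    #    interface to l2t.root. With the old srcintf the client traffic
    #    matches no policy after the upgrade.
    edit 2
        set name "l2tp-p1-p13"
        set srcintf "l2t.root"
        set dstintf "port13"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 4. Verification: ping 10.128.17.134 from the L2TP client while this
#    sniffer runs. Verbose level 4 prints the interface name on every
#    captured line; the request should arrive on l2t.root and leave on
#    port13 (on 6.4 the ingress interface was ppp1 instead).
diagnose sniffer packet any 'host 10.128.17.134 and icmp' 4 10
```

If the sniffer shows the request entering on l2t.root but never leaving on port13, the static route or policy 2 is still referencing the old interface; if nothing arrives on l2t.root at all, check the bridge policy and the IPsec tunnel state first.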
Related document: L2TP over IPsec configuration needs to be manually updated after upgrading from 6.4.x or 7.0.0 to 7....
Copyright 2025 Fortinet, Inc. All Rights Reserved.