FortiGate
Dhruvin_patel
Article Id 399366
Description This article describes how to resolve the issue where a user is unable to connect using L2TP over IPsec and the following error is logged: 'port 4500: L2TPD encountered an internal error. This may be a sign that the firewall is low on resources.'
Scope FortiGate.
Solution

The user is unable to connect over L2TP over IPsec even though the configuration is correct (see the configuration guide: L2TP over IPsec).

The user encounters the following error while connecting to the tunnel:

[Screenshot in the original article: the error dialog shown to the user]

Run the IKE and L2TP debug commands while attempting to connect:

diagnose debug reset
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug console time enable
diagnose debug enable

To stop the debug:

diagnose debug disable

After the IPsec tunnel is established, the L2TP negotiation takes place and shows the following error:

2025-07-02 11:12:16 handle_one_network_packet()-154: Received L2TP packet from xx.xx.xx.xx:4500, len=105, tun=0, call=0
2025-07-02 11:12:16 L2TPD 95: 288:Unable to create tunnel for host xx.xx.xx.xx, port 4500L2TPD encountered an internal error. This may be a sign that the firewall is low on resources.
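As an added example (not part of the original article or of FortiOS), the following Python script parses l2tp debug output in the format quoted above and counts the "Unable to create tunnel ... internal error" events per peer, which helps tell this symptom apart from genuine resource exhaustion when reviewing a longer capture. The sample debug text is constructed, and the 203.0.113.x addresses are placeholders.

```python
import re

# Constructed sample of "diagnose debug application l2tp -1" output, modelled
# on the two lines quoted in the article; 203.0.113.x are placeholder peers.
SAMPLE_DEBUG = """\
2025-07-02 11:12:16 handle_one_network_packet()-154: Received L2TP packet from 203.0.113.10:4500, len=105, tun=0, call=0
2025-07-02 11:12:16 L2TPD 95: 288:Unable to create tunnel for host 203.0.113.10, port 4500L2TPD encountered an internal error. This may be a sign that the firewall is low on resources.
2025-07-02 11:12:20 handle_one_network_packet()-154: Received L2TP packet from 203.0.113.11:4500, len=105, tun=0, call=0
2025-07-02 11:12:20 L2TPD 95: 288:Unable to create tunnel for host 203.0.113.10, port 4500L2TPD encountered an internal error. This may be a sign that the firewall is low on resources.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
PACKET_RE = re.compile(
    TS + r" handle_one_network_packet\(\)-\d+: Received L2TP packet from "
    r"(?P<host>[^:\s]+):(?P<port>\d+), len=(?P<len>\d+), tun=(?P<tun>\d+), call=(?P<call>\d+)"
)
# The daemon prints "port 4500L2TPD ..." with no separator, so the port digits
# are followed directly by the literal "L2TPD".
ERROR_RE = re.compile(
    TS + r" L2TPD \d+: \d+:Unable to create tunnel for host (?P<host>[^,]+), "
    r"port (?P<port>\d+)L2TPD encountered an internal error"
)

def parse_l2tp_debug(text):
    """Turn debug lines into structured events; unrecognised lines are kept as 'other'."""
    events = []
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            events.append({"kind": "packet", **m.groupdict()})
        elif m := ERROR_RE.match(line):
            events.append({"kind": "tunnel_error", **m.groupdict()})
        elif line.strip():
            events.append({"kind": "other", "raw": line})
    return events

def tunnel_failures(text):
    """Count 'internal error' tunnel-setup failures per (host, port) peer."""
    counts = {}
    for ev in parse_l2tp_debug(text):
        if ev["kind"] == "tunnel_error":
            key = (ev["host"], int(ev["port"]))
            counts[key] = counts.get(key, 0) + 1
    return counts

def internal_error_seen(text, threshold=1):
    """True when any peer hits the internal error at least `threshold` times."""
    return any(n >= threshold for n in tunnel_failures(text).values())
```

Run it on a saved debug capture instead of SAMPLE_DEBUG; repeated failures for a peer while CPU and memory are normal match the symptom this article attributes to the bug rather than to load.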


Resource usage on the FortiGate is normal, so the cause is not high CPU or memory utilization.

Restarting the L2TP process resolves the issue temporarily: 'fnsysctl killall l2tpd'.

However, after some time the problem can reappear.

The proper workarounds are either:

  • Enable enforce-ipsec (the command is supported from v7.0.13 onwards):

config vpn l2tp
    set status enable
    set eip 10.xx.xx.xx
    set sip 10.xx.xx.xx
    set enforce-ipsec enable
    set usrgrp "L2TP_Group"
end

  • Enable the hello timer and shorten the timeout:

config vpn l2tp
    set status enable
    set eip 10.xx.xx.xx
    set sip 10.xx.xx.xx
    set lcp-echo-interval 3600
    set lcp-max-echo-fails 24
    set hello-interval 0
    set usrgrp "L2TP_Group"
end

Note: This issue has been identified as Bug 1169860 and has been resolved in versions 7.4.9, 7.6.4, 8.0.0, and later.