Fortinet Forum
KDalbjerg
New Contributor

Fortigate and L2TP traffic

I have setup L2TP on my Fortigate.

I can connect just fine, but no traffic is passing through.
I can't see the traffic in Forward Traffic.

My config:
config vpn l2tp
set status enable
set eip 10.170.7.254
set sip 10.170.7.1
set enforce-ipsec enable
set usrgrp "UG_XXX"
end

config vpn ipsec phase1
edit "XXX_L2TP"
set type dynamic
set interface "Outside_ITC-HSH"
set peertype any
set proposal 3des-sha1 aes192-sha1 aes256-md5
set dpd disable
set dhgrp 2
set psksecret ENC XXXXXXXXXXXXXX

next
end

config vpn ipsec phase2
edit "XXX_L2TP"
set phase1name "XXX_L2TP"
set proposal 3des-sha1 aes192-sha1 aes256-md5
set pfs disable
set encapsulation transport-mode
set l2tp enable
set keylifeseconds 86400
next
end

config firewall policy
edit 7
set name "L2TP"
set uuid 2ce058fc-493e-51ec-c012-283ea33c9dd4
set srcintf "2012_XXX"
set dstintf "Outside_XXX"
set action ipsec
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set inbound enable
set vpntunnel "XXX_L2TP"
next
edit 8
set name "L2TP ingoing"
set uuid a63e7bce-493f-51ec-a50c-8e50916a25c3
set srcintf "Outside_XXX"
set dstintf "2012_XXX"
set action accept
set srcaddr "Net_XXX"
set dstaddr "any"
set schedule "always"
set service "ALL"
next

end



XXX is not its real name; it has been anonymised.


I can connect just fine from my Windows machine, but I can't ping anything behind the firewall, and I don't see the traffic in Forward Traffic. Can anyone help?
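The config above ties three objects together: the L2TP address pool (sip/eip), the phase2 entry that names its phase1, and the firewall policy with action ipsec that names the tunnel. As an added example, not the poster's or Fortinet's code, here is a small Python parser for the FortiOS config format that extracts those relationships from a constructed sample cut down from the post; SAMPLE, parse_fortios, l2tp_pool and policies_binding_tunnel are my own names.

```python
# Constructed sample, cut down from the stanzas quoted in the post (not the full config).
SAMPLE = """\
config vpn l2tp
set eip 10.170.7.254
set sip 10.170.7.1
end
config vpn ipsec phase2
edit "XXX_L2TP"
set phase1name "XXX_L2TP"
set l2tp enable
next
end
config firewall policy
edit 7
set action ipsec
set vpntunnel "XXX_L2TP"
next
edit 8
set action accept
next
end
"""

def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' text.
    Returns {section: {entry: {key: value}}}; sections without 'edit' use entry None."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], None
            tree.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set ") and section is not None:
            key, _, value = line[4:].partition(" ")
            tree[section].setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return tree

def l2tp_pool(tree):
    """(sip, eip) handed to L2TP clients; policies must match traffic from this range."""
    l2tp = tree["vpn l2tp"][None]
    return l2tp["sip"], l2tp["eip"]

def policies_binding_tunnel(tree, phase1_name):
    """IDs of firewall policies that bind the tunnel (action ipsec + matching vpntunnel)."""
    return sorted(pid for pid, p in tree.get("firewall policy", {}).items()
                  if p.get("action") == "ipsec" and p.get("vpntunnel") == phase1_name)
```

Running the two helpers over a full `show full-configuration` dump is a quick way to confirm that the phase2 entry, the tunnel named in the policy, and the client pool all line up before starting a debug flow.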

hrahuman_FTNT

Hi,

Can you run the debug flow towards the internal server and check?

diag debug enable

diag debug flow filter clear

(diag debug flow filter without further params shows the current list of filters)

diag debug flow filter <filter>

(you can set more than one filter, like saddr <ip> and daddr <ip>, by using the command multiple times)

diag debug flow trace start <numberofpackets>

So if you want to see all traffic from 192.168.1.1 to 192.168.2.3 you would do

diag debug enable

diag debug flow filter clear (empty all the filter settings first)

diag debug flow filter saddr 192.168.1.1

diag debug flow filter daddr 192.168.2.3

You could run diag debug flow filter afterwards to see if all is set correctly.

diag debug flow trace start 100 (trace 100 packets)

-Habeeb