We recently started testing replacing our current firewall (Endian) with a Fortigate as a our HQ main firewall.
We successfully set-up a Site-to-Site IPSEC tunnel to one of our branches (branch still using an Endian firewall) on the Fortigate.
Afterwards we set-up a L2TP Remote Access tunnel (Windows Native) to the Fortigate.
Both the Site-to-Site and L2TP tunnel work perfectly.
But, when connecting to the HQ Fortigate via. L2TP we cannot reach the branch which is connected via site-to-site.
We haven't yet found a working combination of firewall policies and static routes to allow the L2TP tunnel client to access the firewall behind the site-to-site.
How would we best go about this and what might we have missed?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
You should also check if you lt2p subnet is allowed on the phase2 selectors of the site to site tunnel.
It also might be a policy or routing issue.
You can collect a debug flow and see why the traffic is not processed.
You can collect the output of the below commands while generating traffic from an l2tp client to the branch:
diag debug reset
diag debug flow filter addr x.x.x.x y.y.y.y and
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable
Where x.x.x.x is the source IP address and y.y.y.y the destination IP address
To stop the debug, type:
diag debug disable
diag debug reset
Best Regards,
Nikos
Hi,
I hope that you at least use L2TP over IPSec and not pure old L2TP with no encryption at all.
However, instead of fixing dead L2TP I would humbly suggest to reconsider the VPN schema and drop down L2TP use, completely. It's 22 years old protocol with zero protection!
All modern OS are able somehow directly, or with help of supplicants like FortiClient, to use IPSec or at least SSL VPN. Some even allows you to use IPSec with IKEv2. Even on mobile platforms like Android or Apple iOS.
So instead of unprotected prehistoric L2TP I'd suggest to use IPSec completely.
As hub (on HQ FortiGate) &spoke (on branch offices) + dialup (for mobile road warriors).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Team,
You need to have firewall policy with source as l2tp subnet in the concerned firewall policy also in phase 2 selectors in the source address you need to have l2tp client subnet range in one firewall and in other firewall remote selectors you need to have l2tp client subnet range.
Please check and keep us posted
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.