Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Access site behind Site-to-Site tunnel via. L2TP Remote Access (Windows Native)

We recently started testing replacing our current firewall (Endian) with a Fortigate as a our HQ main firewall.


We successfully set-up a Site-to-Site IPSEC tunnel to one of our branches (branch still using an Endian firewall) on the Fortigate.


Afterwards we set-up a L2TP Remote Access tunnel (Windows Native) to the Fortigate.


Both the Site-to-Site and L2TP tunnel work perfectly.


But, when connecting to the HQ Fortigate via. L2TP we cannot reach the branch which is connected via site-to-site.


We haven't yet found a working combination of firewall policies and static routes to allow the L2TP tunnel client to access the firewall behind the site-to-site.


How would we best go about this and what might we have missed?



You should also check if you lt2p subnet is allowed on the phase2 selectors of the site to site tunnel.
It also might be a policy or routing issue.
You can collect a debug flow and see why the traffic is not processed.
You can collect the output of the below commands while generating traffic from an l2tp client to the branch:


diag debug reset
diag debug flow filter addr x.x.x.x y.y.y.y and
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable

Where x.x.x.x is the source IP address and y.y.y.y the destination IP address

To stop the debug, type:

diag debug disable
diag debug reset


Best Regards,



I hope that you at least use L2TP over IPSec and not pure old L2TP with no encryption at all.


However, instead of fixing dead L2TP I would humbly suggest to reconsider the VPN schema and drop down L2TP use, completely. It's 22 years old protocol with zero protection!


All modern OS are able somehow directly, or with help of supplicants like FortiClient, to use IPSec or at least SSL VPN. Some even allows you to use IPSec with IKEv2. Even on mobile platforms like Android or Apple iOS.


So instead of unprotected prehistoric L2TP I'd suggest to use IPSec completely.

As hub (on HQ FortiGate) &spoke (on branch offices) + dialup (for mobile road warriors).


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Hi Team,


You need to have firewall policy with source as l2tp subnet in the concerned firewall policy also in phase 2 selectors in the source address you need to have l2tp client subnet range in one firewall and in other firewall remote selectors you need to have l2tp client subnet range.

Please check and keep us posted


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors