Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
m0jj0
New Contributor

Android Native L2TP/IPSec

I've been unsuccessfully trying to get a working client VPN configuration using the Android native IPsec client. I have a device that won't run the Android FortiClient, hence this requirement; otherwise I'd use that, as that worked fine.

The firewall is running 5.2.7 and I've set up the firewall side using the wizard. I manually added firewall rules to allow all traffic between the client pool and the trust network. The issue I'm having is that when I make the connection, the firewall side shows the tunnel successfully established and running, but the Android side shows it still connecting and after a while says unsuccessful. I've tried this on three different Android devices and all show the same issue.

I did manage to get it working using L2TP with a transport mode connection, and it all looked good, but a day later I noticed all of my site-to-site tunnels were down and wouldn't come back up until I deleted the client VPN configuration, so I guess it was conflicting with and overriding my peer gateway connections somehow. The preference would be to have the L2TP/IPsec connection working properly, but I just don't know what I'm missing.

Thanks,

Mark

2 REPLIES
m0jj0
New Contributor

For anyone who stumbles upon this post with a similar problem, I managed to get it working with an Android native L2TP/IPsec connection. I had to do the following:

I mostly followed this guide - http://docs.fortinet.com/uploaded/files/1687/configuring-a-FortiGate-unit-as-an-L2TP-IPsec-server.pd...- with the following exceptions:

1) With the IPsec security policy, instead of using "all" for the internal and remote subnets, I specified the internal subnet and the dialup range respectively. This seemed to prevent all of my site-to-site tunnels from breaking.

2) Using an on-demand VPN profile on the Android, I could specify the subnet I wanted to tunnel to, and everything else would just go direct to the Internet from the mobile, effectively having a split-tunnel situation configured from the client side. However, using this same profile with the "Always-On" setting, this doesn't seem to work. It looks like if I have the subnet in the profile, then anything not in that subnet just goes nowhere. To get around this, I removed the subnet so that everything is being tunneled, and configured a wan1-to-wan1 policy that allows the dialup pool to get to everything, with NAT enabled. Now I'm able to get to the internal network and the Internet (albeit via the firewall). This was the only way I was able to get this to work.

Regards,

Mark J.
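The two changes Mark describes above, written out as FortiOS CLI objects. This is an added illustration, not Mark's configuration and not taken from the Fortinet guide he links: the interface name "internal", the address object names, the 192.168.1.0/24 internal subnet and the 10.10.10.1-10.10.10.50 dialup range are placeholders, and the phase1 name "L2TP_phase1" is assumed to match whatever the wizard created. The policy-based IPsec policy (action ipsec) uses the specific internal subnet and dialup range as its selectors instead of "all", which is what stopped the site-to-site tunnels from being captured by the dialup policy; the second policy is the wan1-to-wan1 NAT policy that carries the always-on client's Internet traffic back out through the firewall.

```text
# Placeholder address objects (constructed for this example)
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "L2TP_dialup_pool"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
end

config firewall policy
    # 1) IPsec policy scoped to the internal subnet and the dialup range,
    #    not "all" in both directions, so it cannot match site-to-site traffic
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_subnet"
        set dstaddr "L2TP_dialup_pool"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "L2TP_phase1"
    next
    # 2) wan1-to-wan1 policy with NAT for an always-on client that tunnels
    #    everything: the dialup pool reaches the Internet via the firewall
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "L2TP_dialup_pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

`edit 0` creates a new policy under the next free ID. Policy order matters on a FortiGate, so the scoped IPsec policy must sit above any broader policy on the same interface pair, and the wan1-to-wan1 policy should be checked with a quick review of the dialup pool's outbound sessions once in place, since it grants every connected client full Internet egress through the firewall's public address.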

Sunil_Panchal_NSE7

Dear all,

I am facing the same problem. I have a FortiGate 140D with 5.4 OS. I created an L2TP/IPsec connection with FortiClient; it is working well with some ISPs, mostly mobile ISPs (4G), but with some it is not working (cable ISP). Only when I disable DPD in FortiClient does it work, so can you tell me why this problem occurs: is the problem from the device or the ISP?

We have one branch with a 100D. I want to create a site-to-site VPN between the 100D and the 140D. I used the wizard to create the VPN, but from one side (140D) it shows up and successful, while from the other side (100D) it shows phase 1 failure or negotiation.

Please help me out with these problems.