FortiGate L2TP/IPsec with RADIUS authentication and Framed-IP-Address

iwasa · ‎05-14-2023

Hi,

I am trying to setup L2TP/IPsec with RADIUS authentication.

I could connect to the server by using Windows native VPN client.

However, "Framed-IP-Address" defined in RADIUS was not assigned to the client,

the first usable IP address (10.10.10.2) between l2tp's "sip" and "eip" was assigned instead.

It seems possible with SSL-VPN, but not possible in L2TP/IPsec (using Windows native VPN client)?

Here is the relevant configuration.

config vpn ipsec phase1-interface
    edit "L2tpoIPsec"
        set type dynamic
        set interface "wan"
        set peertype any
        set net-device disable
        set proposal aes256-sha1 aes256-sha256
        set comments "VPN: L2tpoIPsec (Created by VPN wizard)"
        set dhgrp 2 14
        set wizard-type dialup-windows
        set psksecret "...."
    next
end
config vpn ipsec phase2-interface
    edit "L2tpoIPsec"
        set phase1name "L2tpoIPsec"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: L2tpoIPsec (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end
config vpn l2tp
    set status enable
    set eip 10.10.10.100
    set sip 10.10.10.1
    set usrgrp "a-radius-group"
end

FortiGate 40-F
Firmware: v7.0.11 build0489

aahmadzada · ‎05-15-2023

Hi,

With the current design of FortiOS L2tp dialup VPN is able to assign IP addresses only and only from the configured IP address range.

Ahmad

View solution in original post

aahmadzada · ‎05-15-2023

Hi,

With the current design of FortiOS L2tp dialup VPN is able to assign IP addresses only and only from the configured IP address range.

Ahmad

iwasa · ‎05-15-2023

Thank you for the clarification.

FortiGate L2TP/IPsec with RADIUS authentication and Framed-IP-Address

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website