Support Forum
Umesh
New Contributor III

FortiGate L2TP IPsec VPN || Windows native || unable to connect ||

FortiGate L2TP IPsec VPN - Windows native

L2TP IPsec VPN configuration using the GUI -

Below are the steps I have configured on the FortiGate firewall for the L2TP IPsec VPN.

Step 1 - First, created a local user, let's suppose test, password test123.
Step 2 - Created one group named vpn_group and added that local user to vpn_group.
Step 3 - Then went to the VPN section and, under it, selected IPsec Wizard.
Name - L2tp_IPsecvpn
Template type - Remote Access
Remote device type - Native, then Windows Native
Step 4 - Authentication
Pre-shared key - test@123
User group - vpn_group
Step 5 - In Policy & Routing
Local interface - port2, which is connected to the LAN switch
Local address - 50.1.2.0/24
Client address range - 1.1.1.100 - 1.1.1.110
Subnet mask - 255.255.255.255 (left at default)

Then clicked OK.

Now the policy configuration -

Incoming interface - tunnel interface
Outgoing interface - port2 (which is connected to the LAN switch)
Source address - 1.1.1.100 - 1.1.1.110 (VPN address range)
Outgoing address - local address (50.1.2.0/24)
Internet services - all
Schedule - always
Service - ALL
Action - IPsec
NAT - disabled

Applied security policies - IPS, APP, Antivirus

Log - enabled

OK.


On the Windows machine -

In Windows, click Start >> Settings >> Network & Internet >> VPN >> Add a VPN connection.

Server address - 192.168.77.2 (WAN interface IP of the FortiGate firewall - port1)
VPN type - L2TP/IPsec with pre-shared key - test@123
Username & password - test, test123

 

Below is the network diagram for this example -

[Attached image: l2.JPG]

 


Having configured these things, my Windows machine is not able to connect through this L2TP IPsec VPN.

Can anybody have a look at this configuration thoroughly and correct it in case anything is missing?

Thank you for your help.

 

 
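As an added example (not the poster's configuration and not the output of the wizard), here is what the GUI steps above correspond to on the FortiOS CLI, written from my knowledge of the 6.x/7.x syntax. The names L2tp_IPsecvpn, vpn_group, test/test123, test@123, port1/port2, 1.1.1.100-1.1.1.110 and 50.1.2.0/24 are taken from the post; the address-object names, the phase 2 name and the cipher proposals are my assumptions. It also shows the two points the thread turns on: phase 2 must be transport mode with L2TP enabled, and the firewall policy for the decrypted traffic has source interface l2t.root with a plain accept action, not the IPsec tunnel interface with the legacy "action ipsec".

```fortios
# Added example: CLI equivalent of the GUI steps in the post above.
# Names from the post: L2tp_IPsecvpn, vpn_group, test/test123, test@123,
# port1 (WAN), port2 (LAN), 1.1.1.100-1.1.1.110, 50.1.2.0/24.
# Assumed: address-object names, phase2 name, proposals. Syntax is FortiOS
# 6.x/7.x as I know it; confirm with "show full-configuration" on your build.

# Step 1 and 2: local user and the group the L2TP server authenticates against
config user local
    edit "test"
        set type password
        set passwd "test123"
    next
end
config user group
    edit "vpn_group"
        set member "test"
    next
end

# Step 3/4: dynamic (dial-up) phase 1 on the WAN interface with the PSK.
# The Windows native client uses IKEv1 with a pre-shared key; the user
# credentials are checked later by L2TP/PPP, not by XAUTH.
config vpn ipsec phase1-interface
    edit "L2tp_IPsecvpn"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256 aes256-sha1 aes128-sha1 3des-sha1
        set dhgrp 14 2
        set psksecret "test@123"
    next
end

# Phase 2 in transport mode with L2TP enabled: this is what makes the tunnel
# L2TP-over-IPsec rather than a plain IPsec dial-up tunnel.
config vpn ipsec phase2-interface
    edit "L2tp_IPsecvpn"
        set phase1name "L2tp_IPsecvpn"
        set proposal aes256-sha256 aes256-sha1 aes128-sha1 3des-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
    next
end

# Step 5: L2TP server, client address pool and the group it authenticates against
config vpn l2tp
    set status enable
    set sip 1.1.1.100
    set eip 1.1.1.110
    set usrgrp "vpn_group"
end

# Address objects for the policy (names assumed)
config firewall address
    edit "L2TP_clients"
        set type iprange
        set start-ip 1.1.1.100
        set end-ip 1.1.1.110
    next
    edit "LAN_50.1.2.0"
        set subnet 50.1.2.0 255.255.255.0
    next
end

# Policy for the decrypted client traffic. After IPsec decryption the L2TP/PPP
# packets enter the firewall on the l2t.root interface, so that is the source
# interface; the IPsec tunnel interface itself never sees the inner traffic.
config firewall policy
    edit 0
        set name "vpn_L2tp_vpn_remote"
        set srcintf "l2t.root"
        set dstintf "port2"
        set srcaddr "L2TP_clients"
        set dstaddr "LAN_50.1.2.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

The PSK and password values are the placeholders from the post; in a real deployment use a long random PSK (the PSK is shared by every client and is the only thing protecting IKE phase 1 from an attacker who can reach port1), and drop 3des-sha1 from both proposals once the Windows clients are confirmed to negotiate AES.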

7 REPLIES
ethomollari
Staff

Hello

 

Can you try following and cross-checking with this really good step-by-step setup guide and see if something is missing on your end:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-connect-Windows-10-client-to-L2TP-V...

 

And to further troubleshoot, after following the above config guide, please follow and share debugs according to:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-L2TP-in-IPsec-connectivity-issues/ta...

A problem well-defined is a problem half solved.
Umesh
New Contributor III

That's great, but there is no policy configured as per the screenshots.

 

Can you mention here what the policy would be?

 

Waiting for your reply... thank you in advance.

Umesh
New Contributor III

Hi, 

I would like to tell you that I went through the link you shared, but the L2TP IPsec tunnel is showing down.

[Attached screenshot: Umesh_0-1671853367478.png]

And here is the policy -

 

[Attached screenshot: Umesh_1-1671853409605.png]

Can you please find the error and let me know why the tunnel is showing down?

funkylicious

Hi,
Have you tried connecting?

Also, to find the error you should do some debugging on your end and see why it isn't working. I can only guess, and my guessing only goes so far when no logs of the issue are provided.

Here is a guide to start from, to use while trying to connect and it isn't working.

geek

msanjaypadma

Hi Umesh,

As per the attached screenshot of the firewall policy, I noticed that you have configured the L2tp_VPN interface for accessing the local subnet in the firewall policy named "vpn_L2tp_vpn_remote".

If it is related to local private traffic, then please try changing the source interface as below.

Source interface: "l2t.root"

 

If the issue still persists, share the output of the commands below.

 

show firewall policy

show vpn l2tp

show router static | grep -f l2tp

show vpn ipsec phase1-interface <phase1name>

show vpn ipsec phase2-interface <phase2name>

 

Thanks,

Mayur Padma

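As an added example, not from any participant in this thread, here is the verification and debug sequence I would run on the FortiGate while the Windows client attempts to connect, covering both the "share debugs" request above and the route-back question in the reply that follows. The phase 1 name L2tp_IPsecvpn and the port1/port2 names come from the post; the client address 192.168.77.10 is an assumed value for the Windows machine's IP on the port1 side. Commands are FortiOS CLI as I know it; where the syntax changed between 6.x and 7.x this is noted.

```fortios
# Added example: checking an L2TP/IPsec dial-up tunnel from the FortiGate CLI.
# Assumed: client IP 192.168.77.10 (Windows host on the port1 side);
# phase1 L2tp_IPsecvpn, port1, port2 and the 1.1.1.x/50.1.2.x ranges from the post.

# 1. Is IKE reaching the box at all? A connecting Windows client appears here
#    even before L2TP runs. No entry for the client IP means UDP 500/4500 never
#    arrives on port1 (wrong server address, upstream firewall, or port1 not set
#    as the phase1 interface).
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 2. Live IKE and L2TP negotiation. Restrict the IKE debug to the client so the
#    output is readable, start, click Connect on Windows, then stop.
#    Expect: phase1 established, phase2 transport-mode SA, then in the l2tp
#    output a PPP CHAP/MS-CHAPv2 authentication of "test" against vpn_group
#    and an IP from 1.1.1.100-1.1.1.110 handed out.
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 192.168.77.10
#   (6.x syntax; 7.x renamed this to "diagnose vpn ike log filter", check
#    "diagnose vpn ike ?" on your build)
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable
# ... attempt the connection from the Windows client now ...
diagnose debug disable
diagnose debug reset

# 3. Packet capture on the WAN side for the same client: IKE on 500/4500, ESP,
#    and (only after a successful phase 2) L2TP on UDP 1701. Verbosity 4 prints
#    headers with the interface name, 0 = unlimited count, l = local timestamps.
diagnose sniffer packet port1 'host 192.168.77.10 and (udp port 500 or udp port 4500 or udp port 1701 or esp)' 4 0 l

# 4. Route back to the client (the question raised in the next reply): the
#    FortiGate must reach 192.168.77.10 via port1, and nothing may route the
#    1.1.1.0/24 client pool off to another interface.
get router info routing-table all
get router info routing-table details 192.168.77.10

# 5. Confirm the policy the decrypted traffic will hit uses l2t.root as the
#    source interface, and watch the forward log while the client pings the LAN.
show firewall policy
execute log filter category 0
execute log display
```

Run step 2 with the IKE filter in place; an unfiltered `diagnose debug application ike -1` on a busy firewall produces far more than the connection you are looking for and is easy to misread.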
funkylicious
Contributor III

Hi,

In step 4, the incoming interface is the one that the user will connect to, in your case port1.

Can you confirm that you did this?

Also, does your FortiGate have a route back to your client through port1 ?

geek