Fortigate L2TP IPsec vpn - Windows native
L2TP IPsec VPN configuration using GUI -
Below are the steps I have configured in the FortiGate firewall for L2TP IPsec VPN.
Step 1 - Firstly created a local user, let's suppose - test, password test123.
Step 2 - Created one group with the name vpn_group and added that local user to vpn_group.
Step 3 - Now I went to the VPN section and, under the VPN section, selected IPsec Wizard.
Name - L2tp_IPsecvpn
template type - Remote access vpn
Remote device type - native, then next, Windows native
Step 4 - Authentication
Pre-shared key - test@123
User group - vpn_group
Step 5 - In Policy & Routing
Local interface - port2, which is connected to the LAN switch
Local address - 50.1.2.0/24
Client address range - 1.1.1.100 - 1.1.1.110
Subnet mask - 255.255.255.255 (leave default)
then click ok.
Now Policy configuration -
Incoming interface - tunnel interface
Outgoing interface - port2 (which is connected to LAN switch)
source address - 1.1.1.100 - 1.1.1.110 (VPN address range)
outgoing address - local address (50.1.2.0/24)
internet services - all
Schedule -always
Service - all
action - IPsec
NAT disabled
Applied security policies - IPS, APP, Antivirus
log enabled
ok.
In the Windows machine -
Windows, click on Start >> Settings >> Network & Internet >> VPN >> Add a VPN connection.
server address - 192.168.77.2 (WAN interface IP of the fortigate firewall - port1)
VPN type - pre-shared key - test@123
username & password - test, test123
Below is the network diagram for example -
Having configured these things, my Windows machine is not able to connect through this L2TP IPsec VPN.
Can anybody have a look at this configuration thoroughly and correct it in case there is anything missing?
Thank you for your help.
Created on 12-21-2022 02:12 PM
Hello
Can you try the following and cross-check with this really good step-by-step setup guide, and see if something is missing from your end.
And to further troubleshoot after following the above config guide, please follow and share debugs according to:
That's great, but there is no policy configured as per the screenshots.
Can you mention here what the policy would be?
Waiting for your reply... thank you in advance.
Hi,
I would like to tell you, I had gone through the link you shared, but the L2TP IPsec tunnel is showing down.
And here is the policy -
Can you please find the error and let me know why the tunnel is showing down?
Created on 12-24-2022 12:25 AM Edited on 12-24-2022 12:26 AM
Hi,
Have you tried connecting?
Also, to find the error you should do some debugging on your end and see why it isn't working; I can only guess, and my guessing only goes so far when there are no logs provided of the issue.
Here is a guide to start from, while trying to connect and it isn't working.
Hi Umesh,
As per the attached screenshot of the firewall policy, I noticed that you have configured the L2tp_VPN interface for accessing the local subnet in the firewall policy named "vpn_L2tp_vpn_remote".
If it's related to local private traffic, then please try changing the src interface as below.
src interface : "l2t.root"
If the issue still persists, share the logs of the commands below.
show firewall policy
show vpn l2tp
show router static | grep -f l2tp
show vpn ipsec phase1-interface <phase1name>
show vpn ipsec phase2-interface <phase2name>
Thanks,
Mayur Padma
Hello, I have the same problem (I cannot connect by IPsec on a native connection in Windows).
I created my connection with the wizard, and here are my command logs:
show firewall policy
FWF-c1 # show firewall policy
config firewall policy
edit 3
set status disable
set name "internet monitorizada"
set uuid 7e1835ac-3923-51ed-76eb-af72c1ba7b33
set srcintf "internal"
set dstintf "masmovil"
set action accept
set srcaddr "monitorizados"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "custom-deep-inspection"
set videofilter-profile "videos_infantiles"
set logtraffic all
set nat enable
next
edit 10
set name "dentro_horario_TV"
set uuid cb5aaa7a-49cb-51ee-7473-b021990eba8f
set srcintf "internal"
set dstintf "masmovil"
set action accept
set srcaddr "monitorizados"
set dstaddr "all"
set schedule "tiempo_TV"
set service "ALL"
set nat enable
next
edit 11
set name "fuera_horario_TV"
set uuid 4533eefa-49cd-51ee-799d-3e2576aa93f3
set srcintf "internal"
set dstintf "masmovil"
set srcaddr "monitorizados"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 1
set name "internet"
set uuid 9e277430-3bdf-51ec-cbbe-6efca33f1fdc
set srcintf "internal"
set dstintf "masmovil"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
edit 2
set status disable
set name "DNS server"
set uuid 1ec72de8-3bf8-51ec-6ebe-b35ea3ed84b6
set srcintf "masmovil"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "DNSserver" "DNSserver-udp"
set schedule "always"
set service "DNS"
set logtraffic all
set nat enable
next
edit 4
set name "vpn_s34-Alboraya_local_0"
set uuid 527ad1ca-7cbc-51ed-183f-3133c3b2bd76
set srcintf "internal"
set dstintf "s34-Alboraya"
set action accept
set srcaddr "s34-Alboraya_local"
set dstaddr "s34-Alboraya_remote"
set schedule "always"
set service "ALL"
set comments "VPN: s34-Alboraya (Created by VPN wizard)"
next
edit 5
set name "vpn_s34-Alboraya_remote_0"
set uuid 5305c000-7cbc-51ed-9310-84eb6144ba85
set srcintf "s34-Alboraya"
set dstintf "internal"
set action accept
set srcaddr "s34-Alboraya_remote"
set dstaddr "s34-Alboraya_local"
set schedule "always"
set service "ALL"
set comments "VPN: s34-Alboraya (Created by VPN wizard)"
next
edit 6
set name "SSL-VPN tunnel"
set uuid 607e9b00-8f61-51ed-6f7e-5a06124b9c1b
set srcintf "ssl.root"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "s34-Alboraya_local_subnet_1" "s34-Alboraya_remote_subnet_1" "s34-Alboraya_remote_subnet_2" "s34-Alboraya_remote_subnet_3"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set nat enable
set groups "puebla"
next
edit 9
set name "webserver"
set uuid b982a470-916a-51ed-78b7-9cfae0d17cfa
set srcintf "masmovil"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "http"
set schedule "always"
set service "HTTP"
set nat enable
next
edit 12
set name "vpn_puebla-L2TP_l2tp"
set uuid 7f48f4a6-4c74-51ee-69e6-0efccaa380b9
set srcintf "puebla-L2TP"
set dstintf "masmovil"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "L2TP"
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
next
edit 13
set name "vpn_puebla-L2TP_remote_0"
set uuid 7f57632e-4c74-51ee-28c8-1e64175dd3b8
set srcintf "l2t.root"
set dstintf "internal"
set action accept
set srcaddr "puebla-L2TP_range"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
next
end
show vpn l2tp
FWF-c1 # show vpn l2tp
config vpn l2tp
set status enable
set eip 192.168.55.110
set sip 192.168.55.100
set usrgrp "L2TP-users"
end
show router static | grep -f l2tp
-- none displayed --
show vpn ipsec phase1-interface <phase1name>
FWF-c1 # show router static | grep -f l2tp
FWF-c1 # show vpn ipsec phase1-interface puebla-L2TP
config vpn ipsec phase1-interface
edit "puebla-L2TP"
set type dynamic
set interface "masmovil"
set peertype any
set net-device disable
set proposal aes256-md5 3des-sha1 aes192-sha1
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
set dhgrp 2
set wizard-type dialup-windows
set psksecret ENC KWUqAa1eTqKnS2YLPM+znkO6nhYetodHIDrIH2YzXeoInfYySXb6kJ+IGvxu5wEB366cqaDNmaBqWJIbgkgWKGDgDSs0KJ6W7g48uMzZSD2DcA/LL99sakhMI18RraIzpdjdeG0Zbf+Fn3kBlotHHj3kQP6IXaDz2P8ocYUEO2My3t5Ehv2VE1ANJeQ9t05u2149uQ==
next
end
show vpn ipsec phase2-interface <phase2name>
FWF-c1 # show vpn ipsec phase2-interface puebla-L2TP
config vpn ipsec phase2-interface
edit "puebla-L2TP"
set phase1name "puebla-L2TP"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set encapsulation transport-mode
set l2tp enable
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
set keylifeseconds 3600
next
end
Thank you in advance.
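The replies in this thread ask for the same handful of `show` outputs and check the same things by eye: that `vpn l2tp` is enabled with a client range and user group, that the phase1 is a dial-up (`type dynamic`) tunnel bound to the WAN interface, that the phase2 has `l2tp enable` in `transport-mode`, and that an enabled firewall policy with source interface `l2t.root` lets the clients reach the LAN. The script below is an added example, not code from any post or from Fortinet: it parses the FortiOS `config`/`edit`/`set`/`next`/`end` output pasted above into dictionaries and reports which of those conditions fail. The embedded sample is a trimmed copy of the output posted above with the `psksecret` replaced by a placeholder; the WAN interface name is passed in by the caller because the parser cannot know which interface faces the clients.

```python
import shlex

# Trimmed copy of the 'show' output posted above; psksecret replaced by a placeholder.
SAMPLE = """\
FWF-c1 # show firewall policy
config firewall policy
    edit 12
        set name "vpn_puebla-L2TP_l2tp"
        set srcintf "puebla-L2TP"
        set dstintf "masmovil"
        set srcaddr "all"
        set dstaddr "all"
        set service "L2TP"
    next
    edit 13
        set name "vpn_puebla-L2TP_remote_0"
        set srcintf "l2t.root"
        set dstintf "internal"
        set srcaddr "puebla-L2TP_range"
        set dstaddr "all"
        set service "ALL"
        set nat enable
    next
end
FWF-c1 # show vpn l2tp
config vpn l2tp
    set status enable
    set eip 192.168.55.110
    set sip 192.168.55.100
    set usrgrp "L2TP-users"
end
FWF-c1 # show vpn ipsec phase1-interface puebla-L2TP
config vpn ipsec phase1-interface
    edit "puebla-L2TP"
        set type dynamic
        set interface "masmovil"
        set peertype any
        set wizard-type dialup-windows
        set psksecret ENC PLACEHOLDER
    next
end
FWF-c1 # show vpn ipsec phase2-interface puebla-L2TP
config vpn ipsec phase2-interface
    edit "puebla-L2TP"
        set phase1name "puebla-L2TP"
        set encapsulation transport-mode
        set l2tp enable
    next
end
"""


def parse_fortios(text):
    """Parse flat config/edit/set/next/end output into {table: {entry: {key: [values]}}}.
    Settings of a table without 'edit' entries (e.g. 'vpn l2tp') live under entry ''."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " # " in line:          # skip blanks and CLI prompt lines
            continue
        words = shlex.split(line)              # honours the quoted names
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
            entry = table.setdefault("", {})
        elif words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words[0] == "set":
            entry[words[1]] = words[2:]
        elif words[0] == "next":
            entry = table[""]
        elif words[0] == "end":
            table = entry = None
    return tables


def check_l2tp(tables, wan_if):
    """Return the findings that the replies in this thread check for; [] means all pass."""
    findings = []
    l2tp = tables.get("vpn l2tp", {}).get("", {})
    if l2tp.get("status") != ["enable"]:
        findings.append("vpn l2tp is not enabled")
    if not (l2tp.get("sip") and l2tp.get("eip")):
        findings.append("vpn l2tp has no client address range (sip/eip)")
    if not l2tp.get("usrgrp"):
        findings.append("vpn l2tp has no usrgrp, so no user can authenticate")
    p1s = {k: v for k, v in tables.get("vpn ipsec phase1-interface", {}).items() if k}
    p2s = {k: v for k, v in tables.get("vpn ipsec phase2-interface", {}).items() if k}
    for name, p1 in p1s.items():
        if p1.get("type") != ["dynamic"]:
            findings.append(f"phase1 {name}: dial-up clients need 'type dynamic'")
        if p1.get("interface") != [wan_if]:
            findings.append(f"phase1 {name}: bound to {p1.get('interface')}, not WAN {wan_if}")
    for name, p2 in p2s.items():
        if p2.get("l2tp") != ["enable"]:
            findings.append(f"phase2 {name}: 'set l2tp enable' is missing")
        if p2.get("encapsulation") != ["transport-mode"]:
            findings.append(f"phase2 {name}: L2TP over IPsec needs transport-mode")
        if p2.get("phase1name", [None])[0] not in p1s:
            findings.append(f"phase2 {name}: phase1name does not match a shown phase1")
    policies = [p for k, p in tables.get("firewall policy", {}).items() if k]
    if not any(p.get("srcintf") == ["l2t.root"] and p.get("status", ["enable"]) == ["enable"]
               for p in policies):
        findings.append("no enabled policy with srcintf l2t.root: L2TP clients cannot reach the LAN")
    return findings


def run(text=SAMPLE, wan_if="masmovil"):
    return check_l2tp(parse_fortios(text), wan_if)


if __name__ == "__main__":
    for line in run() or ["no findings for the posted configuration"]:
        print(line)
```

Run it on a fresh paste of the four `show` commands and pass the interface the clients dial in to; an empty result means the configuration matches what the replies above ask for, so the next step is the debug output rather than another look at the policy list.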
Hi,
In step 4 the incoming interface is the one that the user will connect to, in your case port1.
Can you confirm that you did this?
Also, does your FortiGate have a route back to your client through port1 ?
Hi Umesh, did you ever get to the bottom of this? Having the same issue