Beumont2
New Contributor

How to route L2TP clients to another VPN

Hello,

I have the following setup:

FG 60F at our HQ - LAN IP: 192.168.205.0/24

FG 60F at our DC - LAN IP: 192.168.5.0/24

L2TP clients connecting with a dial-up connection and getting an IP from subnet 192.168.199.0/24

HQ and DC are connected via a site-to-site IPsec VPN and both subnets x.x.205.0/24 and x.x.5.0/24 can communicate.


When I connect to HQ as an L2TP dial-up user I can access the network on HQ x.x.205.0/24, but I cannot connect to DC. I added a policy on HQ which allows traffic from L2TP-VPN to DC, but it is not working.


Can anyone please help set this up so a dial-up user will only have to connect to HQ to gain access to DC as well?

1 Solution
akristof
Staff

Hello,


Thank you for your question. Based on the information, I would verify a couple of things:

- If you are using specific selectors on IPsec, you might need to create a new selector for the 192.168.199.0/24 subnet

- If you are using any/any, verify that the DC firewall knows how to route traffic for 192.168.199.0/24 back to the HQ firewall

- Verify that the subnet 192.168.199.0/24 is allowed in all firewall policies on both firewalls

If after this it is still not working, run debug flow on both devices at the same time and see where the problem is, whether on the HQ or the DC firewall, and follow up based on that.

Adrian


5 REPLIES
Beumont2

Thank you for your help!

I figured out my problem. I was missing a couple of things:

- did not have the static route back from DC to HQ with the L2TP subnet x.x.199.0/24

- did not have the phase2 selectors for the L2TP subnet
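
As an added example (not configuration from the original posters), the FortiOS CLI fragments that correspond to the pieces identified in the accepted answer and the follow-up above: the extra phase 2 selector on both firewalls, the return route on DC, and a DC policy admitting the L2TP pool. The tunnel interface names (HQ-to-DC, DC-to-HQ), the LAN interface name (internal) and the address-object names are assumptions; the subnets are the ones from the thread.

```text
# Assumed address objects, defined on BOTH units:
#   "L2TP-POOL" = 192.168.199.0 255.255.255.0   (dial-up client pool)
#   "DC-LAN"    = 192.168.5.0   255.255.255.0   (DC LAN)

### HQ FortiGate ###
# Phase 2 selector so the L2TP pool is carried over the site-to-site tunnel.
# (The existing L2TP-VPN -> HQ-to-DC policy from the question stays in place.)
config vpn ipsec phase2-interface
    edit "HQ-DC-L2TP"
        set phase1name "HQ-to-DC"
        set src-subnet 192.168.199.0 255.255.255.0
        set dst-subnet 192.168.5.0 255.255.255.0
    next
end

### DC FortiGate ###
# Mirrored selector, otherwise phase 2 for the L2TP pool never comes up.
config vpn ipsec phase2-interface
    edit "DC-HQ-L2TP"
        set phase1name "DC-to-HQ"
        set src-subnet 192.168.5.0 255.255.255.0
        set dst-subnet 192.168.199.0 255.255.255.0
    next
end
# Return route: without it DC sends replies for .199.0/24 to its default gateway.
config router static
    edit 0
        set dst 192.168.199.0 255.255.255.0
        set device "DC-to-HQ"
    next
end
# Policy admitting the L2TP pool from the tunnel into the DC LAN.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "HQ-L2TP-to-DC-LAN"
        set srcintf "DC-to-HQ"
        set dstintf "internal"
        set srcaddr "L2TP-POOL"
        set dstaddr "DC-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the selectors on the existing tunnel are any/any, the two phase2-interface blocks are unnecessary and only the route and policy apply.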

fobtron

Hello Beumont2.

Could you send me an example of your routing and rules? Without IPs of course :). I'm struggling with the same problem and still without success.

Nikkejoh

Hello, I also face the same challenge and have trouble solving this.

ede_pfau

To clarify and for others on a similar quest:

As a 3rd requirement, the client needs to have a route to the distant network 192.168.5.0/24 via the gateway 192.168.205.x. Just like it has to know that the .205 network is behind the L2TP tunnel (via a static route).

As you have not mentioned this yet, I assume that the client has its default route pointing to HQ. That would suffice as well.

Ede Kernel panic: Aiee, killing interrupt handler!