Support Forum
AlexDayan
New Contributor

L2TP Connection to ISP

Hi. Please help me to configure a Fortigate 40C 4.0 MR3 to connect to my ISP with L2TP. My local ISP supports only L2TP, and I need to share this connection between 10 computers. Thanks for your help.
AD
8 REPLIES
ede_pfau
SuperUser

hi, and welcome to the forums. FortiOS only supports L2TP as a server, not as a client. That is, if your ISP dials in it might work; if you (as a client) have to dial in to the ISP, no way using the FGT. Furthermore, the only encryption available is MPPE and not IPsec. You can look up the details in the FortiOS Handbook for v4.3. You might set up a server running MS Windows and have the FGT just pass the traffic to the ISP, but I wouldn't recommend that.
Ede Kernel panic: Aiee, killing interrupt handler!
Carl_Wallmark
Valued Contributor

Hi, actually you can set up an L2TP client on a smaller FortiGate (including a 40C). "Enable or disable this interface as a Layer 2 Tunneling Protocol (L2TP) client. Enabling makes config l2tp-client-settings visible. You may need to enable l2forward on this interface. This is available only on FortiGate 50 series, 60 series, and 100A. The interface can not be part of an aggregate interface, and the FortiGate unit can not be in Transparent mode, or HA mode. If l2tp-client is enabled on an interface, the FortiGate unit will not enter HA mode until the L2TP client is disabled."

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

ede_pfau
SuperUser

I'm learning new things every day... thanks. Where is the quote from, and where do you enable this setting (in the CLI)?
Ede Kernel panic: Aiee, killing interrupt handler!
Carl_Wallmark
Valued Contributor

This comes from the CLI reference, and yes, it's CLI only.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

ede_pfau
SuperUser

OK, found it in the "Interface" section:
 config system interface
    edit <interface_name>
       set l2tp-client {enable | disable}
 ...
       set l2forward {enable | disable}
and then:
 config l2tp-client-settings
 auth-type {auto | chap | mschapv1 | mschapv2 | pap}
 Select the type of authorization used with this client:
 auto — automatically choose type of authorization.
 chap — use Challenge-Handshake Authentication Protocol.
 mschapv1 — use Microsoft version of CHAP version 1.
 mschapv2 — use Microsoft version of CHAP version 2.
 pap — use Password Authentication Protocol.
 def.: auto
 
 defaultgw {enable | disable}
 Enable to use the default gateway. 
 def.: disable
 
 distance <admin_distance>
 Enter the administration distance of learned routes.
 def.: 2
 
 mtu <integer>
 Enter the Maximum Transmission Unit (MTU) for L2TP.
 def.: 1460
 
 password <password>
 Enter the password for L2TP.
 def.: n/a
 
 peer-host <ipv4_addr>
 Enter the IP address of the L2TP host.
 def.:  n/a
 
 peer-mask <netmask>
 Enter the netmask used to connect to L2TP peers connected to this interface.
 def.: 255.255.255.255
 
 peer-port <port_num>
 Enter the port used to connect to L2TP peers on this interface.
 def.: 1701
 
 priority <integer>
 Enter the priority of routes learned through L2TP. This will be used to resolve any ties in the routing table.
 def.: 0
 
 user <string>
 Enter the L2TP user name used to connect.
 def.: n/a
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Here's a cfg:

 config system interface
    edit "wan2"
       set vdom "root"
       set mode dhcp
       set l2forward enable
       set ddns enable
       set type physical
       set alias "WANuplink01"
       set l2tp-client enable
       set defaultgw enable
       set macaddr 00:16:cb:ad:fa:51
       config l2tp-client-settings
          set auth-type pap
          set mtu 1410
          set password ENC PEKdB2hpJ3d+kBHAdYhLt2aXv4zeaExH9tdbQ27BhwhM8vSKixegcI07sEsiPPzNr5OQvE3JqNfED/ayidxjVRUtTQSFxKbK7OA08Da/Dj07ngb8
          set peer-host "33.33.33.33"
          set user "networkyt98"
       end
    next
 end

Things to be aware of:
 > the l2tp secondary MTU needs to be reduced
 > you might want to apply mss adjustments for any tcp traffic at the firewall policy level
 > validate your provider authentication type
 > authentication auto has been flaky sometimes, so if your provider supports pap/chap or whatever, hardcode it

Here's a fwpolicy showing how I adjust tcp mss:

 config firewall policy
    edit 15
       set srcintf "internal"
       set dstintf "wan2"
       set srcaddr "INSIDELAN01"
       set dstaddr "all"
       set schedule "always"
       set service "TCP"
       set tcp-mss-sender 1360
       set tcp-mss-receiver 1360
       set comments "reduction in MSS due to l2tp overhead"
    next
 end

So you will need to monitor and possibly tcpdump the SYN or SYN-ACK packets to validate the mss value set or received across the interface:

 tcpdump -nnn -vvvv -i eth0 'tcp[13]==18'

I use the above cfgs at doctors' offices that I have a SOHO FWF60B located at. I think the FGT100 also supports l2tp-client iirc. PMTU should not be trusted and YMMV.

PCNSE 

NSE 

StrongSwan  

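emnoc's post above recommends capturing SYN/SYN-ACK packets (tcpdump's tcp[13]==18 filter) to confirm the MSS really was clamped below what the L2TP MTU allows. As an added example, not from the thread or from Fortinet, here is a Python check that parses a raw TCP segment, reads its MSS option and compares it against the largest MSS that fits the thread's L2TP MTU of 1410; the two SYN-ACK segments are constructed inline, not captured.

```python
import struct

INNER_IP_TCP_HEADERS = 20 + 20  # IPv4 + TCP headers (no options) carried inside the tunnel

def max_mss_for_l2tp_mtu(l2tp_mtu: int) -> int:
    """Largest MSS that fits the L2TP interface MTU. That MTU (e.g. 'set mtu 1410')
    is the size of the inner IP packet, so only inner IP+TCP headers are subtracted;
    the outer IP/UDP/L2TP/PPP headers are already accounted for by the lower MTU."""
    return l2tp_mtu - INNER_IP_TCP_HEADERS

def parse_tcp_segment(segment: bytes) -> dict:
    """Return the flag byte (the byte tcpdump's tcp[13] reads) and the MSS option
    of a raw TCP segment; mss is None when the option is absent."""
    data_offset = (segment[12] >> 4) * 4      # TCP header length in bytes
    flag_byte = segment[13]                   # 0x12 == 18 == SYN+ACK
    mss = None
    options = segment[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP padding
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:         # MSS option (kind 2, RFC 793)
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"flag_byte": flag_byte, "mss": mss}

def mss_fits_tunnel(segment: bytes, l2tp_mtu: int) -> bool:
    """True when the advertised MSS fits the L2TP MTU. A segment without an MSS
    option implies the 536-byte default, which always fits."""
    mss = parse_tcp_segment(segment)["mss"]
    return mss is None or mss <= max_mss_for_l2tp_mtu(l2tp_mtu)

def build_syn_ack(mss: int) -> bytes:
    """Constructed SYN-ACK (not a capture): 20-byte header plus a 4-byte MSS option,
    so the data offset is 6 words and the flag byte is 0x12."""
    header = struct.pack("!HHIIHHHH", 80, 51000, 1000, 2001, (6 << 12) | 0x12, 65535, 0, 0)
    return header + bytes([2, 4]) + struct.pack("!H", mss)

CLAMPED = build_syn_ack(1360)    # what tcp-mss-receiver 1360 in the policy should produce
UNCLAMPED = build_syn_ack(1460)  # plain Ethernet default; too large for the 1410-byte tunnel
```

Feed real segments from a capture into mss_fits_tunnel() with the same L2TP MTU you configured; a False result means the policy's MSS clamp is not taking effect on that path.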
RD1
New Contributor

Hi gurus!

I need to connect my FTG 80E to my ISP. My ISP is using L2TP. I have searched through the Internet and this is the only thread I found on this forum!

Since I am new to firewalls, could you please clarify for me how to configure my WAN interface as an L2TP client...

Here are the settings I need to configure in the CLI. In the answer above it is described what these settings mean.

Some of them are not clear to me. Could you please clarify for a dummy.

user: it is clear
password: clear also
peer-host: not clear… Is it an IP assigned by my ISP to my wan interface? BTW I am using a static IP from my ISP tied to my login
peer-mask:
peer-port: clear
auth-type: clear
mtu: clear
distance: clear
priority: clear
defaultgw: not clear, what should be here?
ip: not clear also

Where should the IP address of the ISP server for authorization be typed in?

Could you please help me with the settings.

Thank you
