Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nabeards
New Contributor

L2TP Passthrough (RESOLVED)

We are trying to enable L2TP passthrough to a Mac OS X Mavericks server. L2TP passthrough is fairly trivial on other routers, but our Fortigate 40C with FortiOS 5 is making it quite the challenge.

I've set up port forwarding via Virtual IPs with the following:
UDP 500
UDP 4500
UDP 1701

Then created a Policy entry as:
Incoming: wan1
Address: all
Outgoing: internal
Destination: the above VIPs
Schedule: always
Service: ESP, IKE, L2TP

I've tried turning off/on NAT in that Policy, setting AutoIPSec to 'on' on the wan1 interface, having the router's VPN on and off, adding other Ports (TCP 500, 4500, 1701, and 1293 both TCP and UDP). Still no luck.

I've confirmed the VPN service is functioning properly on the OS X Server by connecting from an internal client just fine. I enabled logging on the Policy, and if VPN on the router is turned on I see the connections come from the external device on ports 500 and 4500 only. If VPN on the router is off, I get 0 packets on that Policy.

Any help would be most appreciated! I'm familiar with routers, command line tools, etc., but not an expert on Fortigate.
8 REPLIES
emnoc
Esteemed Contributor III

What if you remove port forwarding for a temporary test, make it a 1-2-1 VUIP with services ALL and see if it works? If it works, then you can conduct further tests and diagnostics within your port-forward configurations. Back to your policy, you also must realize that ESP traffic is not a port, so maybe port-forwarding is not going to help in that area. Did you run any diag debug flow on traffic for that policy? Diag debug flow is your friend.

PCNSE NSE StrongSwan
nabeards
New Contributor

Thanks Emnoc. For the first test, are you saying to make a Virtual IP with just the server address, then set up a Policy that all Services go to it? (I'm not familiar with 1-2-1 VUIP, sorry!) Understood on ESP port forwarding; I had added it as a service to forward within the Policy. I have not tried diag debug flow yet. I'd love to get it actually working using your step 1 first, then try restricting and run this to see what's going wrong. Neil
emnoc
Esteemed Contributor III

Yes, and that was supposed to be a VIP. Map a 1-2-1 VIP between public and inside and allow all. If that works, then troubleshoot the port forwarding and your fwpolicies (basically a VIP with no port forwarding). Also diag debug flow will shed some light as to what might be the issue(s).

PCNSE NSE StrongSwan
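The two-step test emnoc describes (a plain 1-to-1 VIP with all services first, then the narrowed port-forwarding version, with diag debug flow to watch the packets), written out as FortiOS 5.0 CLI. This is an added example, not configuration from the thread or from Fortinet; the server address 192.168.1.150, the test client's public address 203.0.113.10 and the VIP names vip-ike and vip-natt are assumed values, while MMSall is the VIP name the thread uses.

```fortios
# Added example (not from the original thread). Assumed values: the Mac VPN
# server is 192.168.1.150 and the test client's public IP is 203.0.113.10.

# Step 1: a 1-to-1 static NAT VIP with no port forwarding. extip 0.0.0.0 means
# "use the wan1 address" (the GUI's 0.0.0.0 - 0.0.0.0). Because nothing is
# port-specific, every IP protocol is mapped through, including ESP (protocol
# 50), which has no port and therefore cannot be port-forwarded at all.
config firewall vip
    edit "MMSall"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip 192.168.1.150
    next
end

# "ALL" exposes every listening service on the server, so limit the test
# policy to the one client you are testing from rather than "all".
config firewall address
    edit "vpn-test-client"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# NAT stays off on this inbound policy: with source NAT the server would see the
# FortiGate's internal address as the client and send its IKE replies there.
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "vpn-test-client"
        set dstaddr "MMSall"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end

# Step 3 (run during either test): trace what the FortiGate does with the
# client's packets in both directions, filtered on the client's public IP so
# the pre-DNAT packet (to the wan1 address) and the server's reply both match.
diagnose debug reset
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 200
diagnose debug enable
# Start the VPN connection from the test client, read the trace, then stop it:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Step 2: once the 1-to-1 test connects, replace MMSall with port-forwarding
# VIPs for UDP 500 (IKE) and UDP 4500 (NAT-T) and narrow the service list.
config firewall vip
    edit "vip-ike"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip 192.168.1.150
        set portforward enable
        set protocol udp
        set extport 500
        set mappedport 500
    next
    edit "vip-natt"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip 192.168.1.150
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedport 4500
    next
end

config firewall policy
    edit 2
        set srcaddr "all"
        set dstaddr "vip-ike" "vip-natt"
        set service "IKE" "L2TP"
    next
end
```

Two points worth keeping in mind when reading the trace. A port-forwarding VIP only carries TCP, UDP and SCTP, so the ESP entry in the original service list never did anything; the policy log in the first post shows the client arriving on UDP 500 and 4500 only, which is NAT-T, where ESP is carried inside UDP 4500 and raw ESP is not needed. And whatever the 1-to-1 test shows, do not leave the "ALL" policy in place afterwards: the point of step 2 is to get back to the two UDP ports the server actually needs.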
nabeards
New Contributor

emnoc, I was able to get to the point where my internal Mac OS X VPN server is getting the IKE requests properly forwarded through the Fortigate. However, the VPN server cannot reply to the connecting VPN client (it constantly logs Phase 1 Retransmit messages until it times out).

Using 'diag debug flow', I was able to see that the IKE response is attempting to be sent to the wan1 IP address instead of the IP address of the actual client. So vpnServer:500->wanIPaddress:500 was in the debug console and I would expect vpnServer:500->vpnClient:500.

I have disabled everything on the Firewall at this point, except for the two following rules:
1  internal  wan1      all  all     always  ALL  Accept
2  wan1      internal  all  MMSall  always  ALL  Accept

and MMSall is a Virtual IP set up as:
External Interface: wan1
Type: Static NAT
Source Address Filter: <unchecked>
External IP Address/Range: 0.0.0.0 - 0.0.0.0
Mapped IP Address/Range: ipOfVPNServer - ipOfVPNServer
Port Forwarding: <unchecked>

The only other settings I've played with are making policy rule 2 act as a NAT, as a NAT with static port, and as a NAT with an IP pool equal to my VPN server IP pool (no difference between these); and enabling/disabling the 'Auto-IPSec' on both the wan and internal Interfaces.

Any other suggestions to get to a solution? Neil
nabeards

One more bit of info:
LAN IPs: 192.168.1.100 - 192.168.1.230
VPN IPs: 192.168.1.90 - 192.168.1.94
External LAN IPs: 10.0.1.100 - 10.0.1.200, as well as some others (not overlapping anything 192.168.*.*)
rwpatterson
Valued Contributor III

Try making the VPN IPs a unique subnet from the LAN. You can't route to the same network across a router or firewall... Also, I would change the LAN IP subnet to something other than the most popular default private network out there.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
nabeards

I've not had a problem with this IP setup in the past with other routers. As long as the IPs for the LAN and the VPN don't overlap, it should work correctly. Is this something specific to Fortigates? I agree on using a more unpopular subnet, but I'm working with a network I didn't set up initially. I should be able to change this soon, but in the meantime I'm making sure my testing external LANs aren't the same subnet. Thanks, Neil
nabeards

Well, it looks like this was a Mavericks Server L2TP VPN bug: http://iphone.appleinsider.com/articles/13/12/19/apple_fixes_vpn_connection_issue_with_mavericks_server_update_.html I installed the update, and am now able to VPN in just fine. Now to fix the DNS issues, but direct IP connections are working great! Thanks for your help everyone. Neil