- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Microsoft LT2P/IPsec VPN with Loopback Interface?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Microsoft LT2P/IPsec VPN with Loopback Interface?
Hello, I was wondering if anyone has had any experience with setting up a dial-up Microsoft VPN (L2TP/IPsec) VPN with a loopback interface instead of specifying a physical WAN interface? My configuration: L2TP:config vpn l2tpset eip 192.168.55.250set sip 192.168.55.1set status enableset usrgrp "Test" IPsec Phase 1:config vpn ipsec phase1edit "winvpn"set type dynamicset interface "lo_vpn"set peertype anyset proposal aes256-md5 3des-sha1 aes192-sha1set dhgrp 2set psksecret ENC xxxxxxx IPsec Phase 2:config vpn ipsec phase2edit "winvpn"set phase1name "winvpn"set proposal aes256-md5 3des-sha1 aes192-sha1set pfs disableset encapsulation transport-modeset keylifeseconds 3600nextend Security and IPsec policy:edit 25 (To allow L2TP, ICMP, and IPsec to hit the loopback interface)set name "lo_winvpn"set srcintf "wan1"set dstintf "lo_vpn"set srcaddr "all"set dstaddr "lo_winvpn"set action acceptset schedule "always"set service "AH" "ALL_ICMP" "ESP" "GRE" "IKE" "L2TP"nextedit 26set name "ipsec_winvpn"set srcintf "internal"set dstintf "lo_vpn"set srcaddr "all"set dstaddr "all"set action ipsecset schedule "always"set service "ALL"set inbound enableset vpntunnel "winvpn"nextedit 27set name "winvpn"set srcintf "lo_vpn"set dstintf "internal"set srcaddr "windowsvpn_range"set dstaddr "all"set action acceptset schedule "always"set service "ALL"next I followed the following guide:https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/L2TP_and_IPsec/Confi...The public IP address associated with the loopback interface is a routable IP address which responds to ICMP.Performing a tcpdump on the firewall I can see communication between the client and server over ports 4500, 500, and 1701 although the connection does not establish. Performing the following debug commands also doesn't provide any output when I try to establish the VPN:diagnose debug application ike -1diagnose debug application l2tp -1diagnose debug enable I have also enabled IPsec services on Windows and the error I receive on Windows is "Error 809" which indicates the remote server isn't responding? Any help would be appreciated :)
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi buddy, sorry for bumping the thread. But facing kind of same issue, did you get any way out as of now?
Regards,
Hahu Smith
Regards,
Hahu Smith
Regards,
Hahu Smith
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hahu,
Couldn't get it working utilising a loopback IP address. Packet captures on the FortiGate showed communication between the remote client and loopback address going back and forth over the relevant ports but never established successfully.
Due to constraints on time and needing to move with other projects I ended up adding a secondary IP address to the customer's WAN interface and binding that interface/IP to the dial-up VPN using the "Secondary address option" which connected instantly.
I've set up numerous IPsec VPNs using loopback IP addresses and have worked straight away, although the L2TP over IPsec just wouldn't work...hopefully some Fortinet Guru on these forums can shed some light ;)
I wouldn't mind trying to assist you with trying to get it fixed though if needed. Feel free to drop your configs on the post or feel free to DM me.
Thanks,
Pàdraig
Related Posts
Labels
-
FortiGate
6,451 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.