Hello,
I have a question about L2TP over IPsec. Only one L2TP can be configured on the FortiGate, but I need two: one for the Admins and one for the Users.
As only one tunnel is doable under a VDOM, I am wondering whether another L2TP tunnel over IPsec can be set up. See the attached image for what I wanted to achieve.
I have a working L2TP/IPsec tunnel from the INET interface to the LAN1 interface under the root VDOM. I used another free public IP (.179) and set a DNAT to the 10.9.1.2 IP in vdom1.
Under vdom1 I set up another L2TP tunnel and another IPsec tunnel. The IPsec tunnel is working; phase1 and phase2 are OK. The problem is with the L2TP tunnel: it is not coming up.
I used the following debug commands to see where the problem should be:
    # diagnose debug disable
    # diagnose debug reset
    # diagnose debug app l2tp -1
    # diagnose debug app ppp -1
    # diagnose debug app pppoe -1
    # diagnose debug enable
When I connect to the root L2TP I can see a lot of output in the CLI, which is OK. When I connect to the vdom1 L2TP there is no output in the CLI. I tried the CLI commands under root and also under the vdom1 VDOM, and still no output.
Is it doable under VDOMs? Does anyone have a clue where the problem is?
Thank you.
AtiT
I don't think that's possible the way you want it, but can't you control the user access via the firewall user groups and achieve the same thing?
You craft policies for users and admins with allowances based on the user group the user is allowed in.
Alternatively, you could create multiple phase1/phase2 combos and use DHCP over IPsec with the encapsulation mode set to transport:
    config vpn ipsec phase2
        edit "TIPO1"
            set phase1name "WARRIOR1"
            set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
            set pfs disable
            set keepalive enable
            set encapsulation transport-mode
            set l2tp enable
            set dhcp-ipsec enable
        next
        edit "TIPO2"
            set phase1name "WARRIOR2"
            set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
            set pfs disable
            set keepalive enable
            set encapsulation transport-mode
            set l2tp enable
            set dhcp-ipsec enable
        next
    end
and, for the phase1 side:
    config vpn ipsec phase1
        edit "TIPO1"
            set type dynamic
            set interface "wan1"
            set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
            set dpd disable
            set dhgrp 1 5 14
            set xauthtype auto
            set authusrgrp "GROUP11"
            set psksecret mykeyherefor#1
        next
        edit "TIPO2"
            set type dynamic
            set interface "wan1"
            set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
            set dpd disable
            set dhgrp 1 5 14
            set xauthtype auto
            set authusrgrp "GROUP12"
            set psksecret mykeyherefor#2
        next
    end
And so on. Give that a try.
PCNSE
NSE
StrongSwan
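The per-group design in the answer above only works if each phase2's phase1name resolves to a phase1 entry and each phase1 carries its own authusrgrp. The script below is an added example, not code from the post or from Fortinet: it parses a FortiOS-style config snippet and reports those problems. The sample config is constructed to mirror the posted snippet's shape, including a phase2 whose phase1name (WARRIOR1) matches no phase1 entry, which is exactly the kind of mistake that leaves a tunnel negotiating but never binding.

```python
# Constructed sample shaped like the posted snippet; TIPO1's phase2 references a missing phase1.
SAMPLE_CONFIG = """config vpn ipsec phase1
    edit "TIPO1"
        set authusrgrp "GROUP11"
    next
    edit "TIPO2"
        set authusrgrp "GROUP12"
    next
end
config vpn ipsec phase2
    edit "TIPO1"
        set phase1name "WARRIOR1"
    next
    edit "TIPO2"
        set phase1name "TIPO2"
        set encapsulation transport-mode
        set l2tp enable
    next
end"""

def parse_fortios(text):
    """Parse the flat config / edit / set / next / end shape into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
    return tables

def check_l2tp_tunnels(cfg):
    """Findings that stop a per-group L2TP-over-IPsec tunnel from binding or from isolating its users."""
    findings, phase1 = [], cfg.get("vpn ipsec phase1", {})
    for name, p2 in cfg.get("vpn ipsec phase2", {}).items():
        ref = p2.get("phase1name")
        if ref not in phase1:
            findings.append(f"phase2 {name}: phase1name {ref!r} matches no phase1 entry")
        elif p2.get("l2tp") != "enable" or p2.get("encapsulation") != "transport-mode":
            findings.append(f"phase2 {name}: needs 'set l2tp enable' and 'set encapsulation transport-mode'")
    groups = [p.get("authusrgrp") for p in phase1.values()]
    if len(set(groups)) != len(groups):  # same group on two phase1s defeats admin/user separation
        findings.append("phase1 entries share an authusrgrp, so admin/user separation is lost")
    return findings
```

Run `check_l2tp_tunnels(parse_fortios(SAMPLE_CONFIG))` against a `show vpn ipsec phase1` / `show vpn ipsec phase2` dump to spot a dangling phase1name before chasing it with the L2TP debug output.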