AtiT
Valued Contributor

More L2TP/IPSec Tunnels Using VDOMS

Hello,

I have a question about the L2TP over IPSec. Only one L2TP can be configured on the FortiGate but I need two - one for the Admins and one for the Users.

As only one tunnel is doable under the VDOM I am wondering whether another L2TP tunnel over IPSec can be set. See the attached image of what I wanted to achieve.

I have a working L2TP/IPSec tunnel from the INET interface to the LAN1 interface under the root VDOM. I used another free public IP .179 and set a DNAT to the 10.9.1.2 IP in the vdom1.

Under the vdom1 I set up another L2TP tunnel and another IPSec tunnel. The IPSec tunnel is working, phase1 and phase2 are OK. The problem is with the L2TP tunnel. It is not going up.

I used the following debug commands to see where the problem should be:

# diagnose debug disable
# diagnose debug reset
# diagnose debug app l2tp -1
# diagnose debug app ppp -1
# diagnose debug app pppoe -1
# diagnose debug enable

When I connect to the root L2TP I can see a lot of output in the CLI - It is OK. When I connect to the vdom1 L2TP there is no output in the CLI. I tried the CLI commands under the root and also under the vdom1 VDOM and still no output.

Is it doable under the VDOMs? Does anyone have a clue where the problem is?

Thank you.

AtiT

emnoc
Esteemed Contributor III

I don't think that's possible for what you want, but can't you control the user access via the firewall groups and achieve the same thing?

You craft policies for user and admin with allowance based on the user group the user is allowed in?

Alternatively, you could create multiple phase1/2 combos and use dhcp over ipsec with the encapsulation mode of transport.

config vpn ipsec phase2
    edit "TIPO1"
        set phase1name "WARRIOR1"
        set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
        set pfs disable
        set keepalive enable
        set encapsulation transport-mode
        set l2tp enable
        set dhcp-ipsec enable
    next
    edit "TIPO2"
        set phase1name "WARRIOR2"
        set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
        set pfs disable
        set keepalive enable
        set encapsulation transport-mode
        set l2tp enable
        set dhcp-ipsec enable
    next
end

and

config vpn ipsec phase1
    edit "TIPO1"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
        set dpd disable
        set dhgrp 1 5 14
        set xauthtype auto
        set authusrgrp "GROUP11"
        set psksecret mykeyherefor#1
    next
    edit "TIPO2"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha1 aes128-md5 aes192-md5 aes192-sha1 aes256-sha1
        set dpd disable
        set dhgrp 1 5 14
        set xauthtype auto
        set authusrgrp "GROUP12"
        set psksecret mykeyherefor#2
    next
end

And so on. Give that a try.

PCNSE 

NSE 

StrongSwan  