damianhlozano
Contributor

Multiple L2TP/IPsec VPN Servers in the same WAN

Hello team!!!

 

I hope you are fine!!

We have two kinds of VPN users here, trying to access different resources on different VLANs (behind the same FortiGate). We need, for example, the following:

* User Group 1: Can access LAN but not DMZ

* User Group 2: Can access DMZ but not LAN

 

We have 3 WANs; the idea is to create one VPN for each WAN.

 

We chose L2TP/IPsec VPN because it doesn't require installing FortiClient on each client. All the tests were done with L2TP/IPsec VPN (using the "Windows Native" option in the wizard).

What we tried first was to create 2 VPNs for each WAN, one for each user group (6 VPNs), but it seems that the FortiGate only listens for one VPN on each WAN.

I deleted all the VPNs and references (including addresses).

I created the VPNs for each WAN again, just for "User Group 1".

I could connect and access the network through the VPN; everything was fine.

I added the 3 VPNs for "User Group 2" (1 for each WAN).

I could NOT connect: wrong credentials.

I added the same user to "User Group 2" and I could connect (even after removing the username from "User Group 1").

When I looked at the FortiGate, the user was connected to the VPN for "User Group 1", but it needed credentials from "User Group 2".

 

So, I am thinking of another approach.

I think maybe I could set static IPs for clients in "User Group 2" and manage permissions in firewall policies to choose which LAN each IP range can access. But I don't like setting static IPs.

Do you have a better idea?

 

Thanks in advance.

Regards,

Damián

Damián Lozano
damianhlozano

Ahh, ok, I will test this.

Thanks a lot!

Damián Lozano
damianhlozano

Hello again!!

I have tried with FortiClient VPNs, but when I add a user group in the policy, the VPN stops working (again, the traffic does not match any policy).

So, to test, I wanted to follow what @pminarik said and create an IKEv2 VPN, but I don't know how to create this. I think I should use a "Custom" VPN, but this has a lot of options and I don't know which settings I should choose for this VPN to work on Windows and most OS native clients.

Do you have any cookbook or any other suggestion?

Damián Lozano
pminarik

A bit of a late reply, but you can try using this doc as a baseline: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Windows-IKEv2-native-VPN-with-machine-cert...

 

Use this, and then tweak as needed/desired. Make sure to run ike debug when testing to catch any configuration mismatches.

[ corrections always welcome ]
damianhlozano

Thanks pminarik!!

 

Damián Lozano
sw2090
SuperUser

@damian 

 

Not one peer but one peer ID! On a dial-up tunnel this means every peer has to send that unique peer ID so the FGT can determine the correct IPsec tunnel. That does NOT limit your IPsec to just one peer!

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

damianhlozano

Thanks!

Is it possible to configure peer IDs on native Windows VPN clients?

Is this just for FortiClient clients?

So, in this case, I need all users for VPN1 to use peer ID 1, and all users for VPN2 to use peer ID 2, right?

 

Regards,

Damián

Damián Lozano
sw2090
SuperUser

Most Windows IPsec clients I know support setting a peer ID (in this case the local ID).

And yes that's right.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

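To make the peer-ID point concrete, here is an added FortiOS CLI example (not posted by anyone in the thread) of what "one dial-up tunnel per peer ID on the same WAN" looks like: two IKEv1 aggressive-mode dial-up tunnels on wan1, each accepting only clients that present its IKE ID, each authenticating against its own user group, and each allowed by policy into only one network. The interface names (wan1, internal, dmz), subnets, pools, tunnel names and PSK placeholders are assumptions; the user group names are the ones from the original post. It relies on the client being able to send a configurable IKE identity, which the thread leaves as an open question for the built-in Windows client.

```fortios
# Added example: two dial-up IPsec tunnels on one WAN, separated by IKE peer ID.
# Interface names, subnets, pools and PSKs below are placeholders.
config firewall address
    edit "LAN_net"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "DMZ_net"
        set subnet 10.20.0.0 255.255.255.0
    next
    edit "VPN1_pool"
        set type iprange
        set start-ip 10.99.1.1
        set end-ip 10.99.1.254
    next
    edit "VPN2_pool"
        set type iprange
        set start-ip 10.99.2.1
        set end-ip 10.99.2.254
    next
end

# Phase 1: same interface, different peer ID. peertype one means the
# FortiGate only matches this tunnel when the client sends exactly that ID.
config vpn ipsec phase1-interface
    edit "VPN1-LAN"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "vpn1"
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "User Group 1"
        set mode-cfg enable
        set ipv4-start-ip 10.99.1.1
        set ipv4-end-ip 10.99.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <psk-for-vpn1>
    next
    edit "VPN2-DMZ"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "vpn2"
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "User Group 2"
        set mode-cfg enable
        set ipv4-start-ip 10.99.2.1
        set ipv4-end-ip 10.99.2.254
        set ipv4-netmask 255.255.255.0
        set psksecret <psk-for-vpn2>
    next
end

config vpn ipsec phase2-interface
    edit "VPN1-LAN-p2"
        set phase1name "VPN1-LAN"
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "VPN2-DMZ-p2"
        set phase1name "VPN2-DMZ"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Policies key on the tunnel interface, so no static client IPs are needed:
# group 1 reaches only the LAN, group 2 reaches only the DMZ.
config firewall policy
    edit 0
        set name "VPN1-to-LAN"
        set srcintf "VPN1-LAN"
        set dstintf "internal"
        set srcaddr "VPN1_pool"
        set dstaddr "LAN_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "VPN2-to-DMZ"
        set srcintf "VPN2-DMZ"
        set dstintf "dmz"
        set srcaddr "VPN2_pool"
        set dstaddr "DMZ_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After a client connects, `diagnose vpn ike gateway list` shows which phase 1 it landed on; if a client with the "vpn2" ID still ends up on VPN1-LAN, or fails with a credential error, run `diagnose debug application ike -1` followed by `diagnose debug enable` (the IKE debug pminarik mentions) and check the ID the client actually sends. Repeat the same pair of tunnels on wan2 and wan3 for the other WANs.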