Site 2 Site VPN Layer 2 (L2TP?)
Hello,
I have been asked for a Layer 2 Site to Site VPN (I would not like to discuss an alternative at this moment, because this is the technical requirement of the customer).
I have done some research here in the discussions and found several statements that this is not possible at the moment with Fortigate units.
My question is: Is this statement still correct or is there a possibility in the newest firmware to do this? I am wondering about the L2TP over IPSec support (i.e. for Android dial-in VPN). Is there a way to use this between two Fortigate units or am I missing something?
Thanks, Sebastian
Hi,
There's been a post recently about L2TP server functionality in FortiOS: https://forum.fortinet.com/tm.aspx?m=139960
It is possible but the L2TP client feature is only available on the desktop models (< 100D).
I haven't tried it but with one FGT as L2TP server and the other as L2TP client it should meet your requirements.
Hello, thanks for pointing the direction...!! Is there anybody here in the forum who has tested such a setup? If not I plan to do this (FG100D & 60D available), but I am a bit out of time actually ;-) Thanks, Sebastian
Hi,
just a quick test on a new 50E:
FGT50Exxxx # config system interface
FGT50Exxxx (interface) # edit wan2
FGT50Exxxx (wan2) # set l2tp-client enable
FGT50Exxxx (wan2) # ab
FGT50Exxxx # config vpn l2tp
FGT50Exxxx (l2tp) # set status enable
FGT50Exxxx (l2tp) # ab
FGT50Exxxx #

Seems it's possible to build with two 50E boxes (no errors for client & server above) - that's absolutely fine for me.
Sebastian
Hi,
Another possibility is to use the VXLAN feature in FortiOS 5.4; with that you can create an L2 tunnel between two sites.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD38614
However, 5.4 is not considered stable at the moment.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
