Hi,
I have created a VPN for the native Windows client. During setup I chose a subnet range for the client; now I need to change that setting, but I don't see it in the tunnel settings, not even in the CLI. Where is it applied?
Router (VPN_ipsec) # get
name : VPN_ipsec
type : dynamic
interface : port24
ip-version : 4
ike-version : 1
local-gw : 0.0.0.0
keylife : 86400
authmethod : psk
mode : main
peertype : any
net-device : disable
exchange-interface-ip: disable
mode-cfg : disable
proposal : aes256-md5 3des-sha1 aes192-sha1
add-route : enable
localid :
localid-type : auto
negotiate-timeout : 30
fragmentation : enable
ip-fragmentation : post-encapsulation
dpd : on-demand
forticlient-enforcement: disable
comments : VPN:
npu-offload : enable
dhgrp : 2
suite-b : disable
wizard-type : dialup-windows
xauthtype : disable
idle-timeout : disable
ha-sync-esp-seqno : enable
auto-discovery-sender: disable
auto-discovery-receiver: disable
auto-discovery-forwarder: disable
nattraversal : enable
rekey : enable
enforce-unique-id : disable
fec-egress : disable
fec-ingress : disable
default-gw : 0.0.0.0
default-gw-priority : 0
tunnel-search : selectors
psksecret : *
keepalive : 10
distance : 15
priority : 0
dpd-retrycount : 3
dpd-retryinterval : 20
Hello,
You can change the Address from the below config:
config vpn l2tp
    set status enable
    set eip 1.1.1.10
    set sip 1.1.1.1
    set usrgrp "Guest-group"
end
Here:
* eip is the End IP.
* sip is the Start IP.
Best Regards.
ok, thanks
And how could I set a different DNS for the client to receive, other than the one assigned from the FortiGate system DNS?
Custom DNS servers are not supported with L2TP tunnels. Users connected via L2TP will always retrieve the FortiGate system DNS servers.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Custom-DNS-servers-are-not-supported-with-...
Why, if I do "set enforce-ipsec enable" in the L2TP settings, does my L2TP connection no longer connect? I want to be sure that this connection is always encrypted by the IPsec tunnel.
config vpn l2tp
set enforce-ipsec enable
end
This will enforce L2TP to use IPsec, which you already created on the FortiGate. After making the above change, L2TP will only allow connections using "L2TP/IPsec with pre-shared key" under the VPN settings on Windows.
Make sure the pre-shared key is correct.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/configure-preshared-ke...
Hi Team,
Can you test it this way: in FortiGate enable "set enforce-ipsec enable", then in Windows choose the IPsec type "L2TP/IPsec", and test whether it connects or not.
Yes, I didn't touch the IPsec settings. With set enforce-ipsec disabled the connection is working; once set to enabled, it does not.
That suggests that your client might be using pure, !!! UNENCRYPTED !!!, L2TP. This would be a pretty bad idea, as pure L2TP doesn't really provide any security. ("set enforce-ipsec enable" refuses plain L2TP and mandates its encapsulation in IPsec)
You can try confirming that by making a packet capture of the client's traffic.
If it's UDP ports 500/4500, then those are IKE negotiations, meaning they're using IPsec with presumably L2TP inside afterwards. If it's UDP/1701, then that's plaintext L2TP (bad).
You might have to convert it to a custom tunnel, because otherwise there are various options you don't see in the GUI. Just FYI.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
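As an added example (not from the thread or from Fortinet), here is a small Python classifier that implements the packet-capture check suggested above: it walks raw Ethernet frames and reports whether a client's L2TP is wrapped in IPsec (IKE on UDP 500/4500 or ESP) or sent in the clear (UDP/1701 visible on the wire). It assumes the capture was taken on the client-facing interface, and the frames, the client address 192.0.2.10 and the gateway address 198.51.100.1 are constructed sample data.

```python
import struct
from collections import Counter

# UDP ports named in the thread: IKE (500), IKE/ESP over NAT-T (4500), plain L2TP (1701).
IKE_PORTS = {500, 4500}
L2TP_PORT = 1701
PROTO_UDP, PROTO_ESP = 17, 50

def parse_frame(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame; ports are None if not UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    if proto == PROTO_UDP and len(ip) >= ihl + 8:
        return (src, dst, proto) + struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, None, None

def classify_client(frames, client_ip):
    """Decide whether client_ip's L2TP is wrapped in IPsec or sent in the clear."""
    seen = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or client_ip not in pkt[:2]:
            continue
        proto, sport, dport = pkt[2:]
        if proto == PROTO_ESP or {sport, dport} & IKE_PORTS:
            seen["ipsec"] += 1       # IKE negotiation or ESP payload: L2TP is encapsulated
        elif L2TP_PORT in (sport, dport):
            seen["plain_l2tp"] += 1  # UDP/1701 visible on the wire: unencrypted L2TP
    if seen["plain_l2tp"]:
        return "PLAINTEXT_L2TP"
    return "L2TP_OVER_IPSEC" if seen["ipsec"] else "NO_VPN_TRAFFIC"

def build_udp_frame(src, dst, sport, dport):
    """Construct a minimal Ethernet/IPv4/UDP frame (checksums zeroed; sample data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_UDP, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed captures: 192.0.2.10 is the Windows client, 198.51.100.1 the FortiGate.
IPSEC_CLIENT = [build_udp_frame("192.0.2.10", "198.51.100.1", 500, 500),
                build_udp_frame("192.0.2.10", "198.51.100.1", 4500, 4500)]
PLAIN_CLIENT = [build_udp_frame("192.0.2.10", "198.51.100.1", 1701, 1701)]
```

Feed it frames read from a real capture (for example via a pcap reader) in place of the constructed lists; a PLAINTEXT_L2TP result is the case "set enforce-ipsec enable" is meant to refuse.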