I use the Fortigate60E as firewall and router behind a DSL modem. The FGT is connected to the DMZ port of the DSL modem (FritzBox 7360). I'm able to log in to the FritzBox on port 442, and the management port of the FGT is HTTPS: 444. I'm also able to login to the FGT from a remote desktop. The Physical settup is: Internet (public IP) <--> Frtizbox (192.168.1.1) <--> (192.168.1.20) Fortigate 60E <--> (192.168.2.1/24) Lan Clients. The Lan Clients is on port 2 (as Interface, not as LAN port).
port 2 (internal1) has static IP adress 192.168.2.1 with DHCP Server (s.i.p: 192.168.2.10, e.i.p: 192.168.2.254) no Secondary IP Address. The wan1 interface has addressing mode: DHCP (from FritzBox, which assigns static IP address: 192.168.1.20) with Acquired DNS 192.168.1.1 and Default Gateway: 192.168.1.1 (= FritzBox LAN port 1). Retrieve default gateway from server is on and Override internal DNS is also on.
I'm also able to port forward VOIP settings to a local PBX server and WebDav ports to a NAS in the local network. When I create a IPSec tunnel with the IPSec Wizard and choose for Remote Access and Windows Native, and fill in all settings:
2) Incoming Interface: Wan1 (192.168.1.20), Pre-shared key, User Group (VPN-Users)
3) Local interface: Lan-Clients (192.168.2.1/24), Local Address: all, Client Address Range: 10.10.100.1-10.10.100.100, Subnet Mask: 255.255.255.255
When I try to connect from remote Client I see the tunnel is coming up, but the VPN Events only are showing negotiate failures on the IPSec phase 1 connector.
What should I do to make this work?? I've spend days searching the Forti Cookbook and forums and Youtube video's, but it won't work..
Please help!
There are a few things that I don't understand:
1- you state that the FB is used as a modem but on the other hand it hands down a private IP address to the FGT - so it's routing, right?
I'm familiar with a modem setup in front of the FGT where the modem is in 'brigde' or 'pass-through' mode and the PPPoE handling of the ADSL WAN line is completely done on the FGT. Here, the wan port receives the public IP address which makes many things less complicated. I'm not sure a FB can be put into that mode - you could designate a LAN port of it as "exposed host". The transfer network between FB and FGT doesn't need to be dynamic at all, a static setup would be appropriate (but this is not the reason for the tunnel failure).
2- the VPN needs to handle NAT traversal. I've got no clue whether a L2TP tunnel can do that, NAT-T is a IPsec feature.
3- you need a static route on the FGT for the client LAN address space, i.e. 10.10.100.0/24, pointing to the tunnel interface. Otherwise, traffic with these source addresses will be dropped by the FGT as 'unknown'.
BTW, the mask you posted is a /32 and good for nothing. Probably a typo.
Hello Ede,
Thank you for your reply.
1 - Indeed the FB is a DSL modem connected with the DSL port to internet. The FGT is with its WAN1 port connected to LAN port 1 of the FB. The FGT is getting a internal IP, so indeed the FB is routing. But I also markt port1 of the FB as Exposed port, so thats why I can connect to the FGT from the public IP of the FB. Unfortunately I can't setup the FB in bridge or pass-through mode. This model doesn't support that. And beside that, the customer don't have the username/password for the DSL connection to setup the PPPoE settings in the FGT.
2 - The tunnel I'm trying to create is a L2TP-IPSec tunnel, so I think this should be possible?
3 - I've tried to create the tunnel on several ways, thru the Wizard, as cusom VPN tunnel, with CLI. The only time the tunnel is getting up is when I created the tunnel with the wizard. The wizard also creates the Address (Eqraft_Goes_Range) as a IP Range (10.10.100.1-10.10.100.100) and creates two IPv4 Rules from VPN tunnel to Wan1 (NAT disabled, source and destination "All", Service: "L2TP") and from VPN tunnel to Lan Clients (NAT enabled, source: "Eqraft_Goes_Range", destination: "All", Service: "All")
Should I also create a static route? and how should that look like?
Thank you for helping me.
Hi All,
I've created a ticket with the support department, after some testing they tell me it isn't possible to create and use a L2TP-IPsec VPN tunnel, because this FGT is on the LAN site of a DSL modem/router....:
Thank you for the nice update. As I research about your issue and figure it out Since your FGT is behind an internet modem(with a private IP) this L2TP/IPsec(Microsoft VPN) config is not supported. L2TP/IPSec on Windows only supports transport-mode(does not work well with port forwarding and NAT). Because of this, the FGT requires a routable public IP address on it's WAN interface.
Can annybody tell me if it is possible or not?
If it isn't possible, how can I give remote workers the best way to connect to the private network? I've tried a SSL-VPN with the Forticlient, but then I get a symetric bandwith and the DSL line is 111Mbps download and 33 Mbps upload.... The SSL-VPN only could copy files from remote to local (and also from local to remote side) with +/- 28 Mbps..
Hoping somebody can help..
Hi all,
Does anybody know how I can test were it is going wrong? When I diagnose on the FGT with a sniffer on port 500 and 4500 I see (192.168.1.20 = IP of Wan1):
Wan1 in (public IP of remote laptop).501 -> 192.168.1.20.500 :udp 408
Wan1 out 192.168.1.20.500 -> (public IP of remote laptop).501 :udp 188
Wan1 in (public IP of remote laptop).501 -> 192.168.1.20.500 :udp 260
Wan1 out 192.168.1.20.500 -> (public IP of remote laptop).501 :udp 228
Wan1 in (public IP of remote laptop).4501 -> 192.168.1.20.4500 :udp 72
Wan1 out 192.168.1.20.4500 -> (public IP of remote laptop).4501 :udp 72
Wan1 in (public IP of remote laptop).4501 -> 192.168.1.20.4500 :udp 64
Wan1 in (public IP of remote laptop).4501 -> 192.168.1.20.4500 :udp 440
and so on.
I really need a solution for our customer for remote workers to connect to the company lan.
But I can't figure it out where the problem is..
Hi InventX,
What is the FOS version you used on your FGT60E?
L2TP over IPsec tunnel cannot established on FGT60E with FOS5.4.0 build5568, but it is fixed now.
Please try the newest build.
Thanks,
Jining
Hi Jining,
Thank you very much for your reply, and also for your statement it should work (with the newest build).
The Firmware version I'm running and testing on is v5.4.3, build 5873. So I thinks that's ok?
Looking forward to read how I can establish an safe connection for remote workers (without the FortiClient, SSL-VPN connection) to the local Lan.
Regards,
Leander.
Hi Jining,
Those settings I also tried on the remote user. Can you confirm that your FGT is connected to a DLS router? So the Wan1 port of the FGT is connected to a Lan port of a DSL router and gets a private IP address instead of the public IP address? Because thats the situation I have. On our main office we have a FGT connected to the Internet with PPPoE and the Wan1 port of that FGT gets a Public IP address. With the same laptop of the remote worker I'm able to connect to the main office, but not to the 2nd office (with the FGT connected to a DSL router).
Thanks,
Leander.
Hi Leander,
I don't have DSL router in my test bed.
Would you post packet capture files for port500 and 4500, and "d debug application ike -1" output on FGT if possible?
Thanks,
Jining
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.