Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Windows native l2tp ipsec: multiple connections on 1 wan and assign ip

First of all: new to fortigate so sorry if I write down info that doesn't make sense to you guys.



we have a draytek router that needs to be replaced as it breaks down constantly. We bought a fortigate 60e which I upgraded to latest firmware v7.0. I'm using the gui because is makes understanding the configurations a bit clearer than using cli so please provide answers using gui if possible.


What I have:

I've setup lan, wan, 2 vlans en 2 sites-site connections. I've also setup a native-windows l2tp-ipsec dialup vpn using the wizard. We have mulltiple laptops in the field already configured to so at the moment I want to use native windows vpn, and not ssl vpn I'm afraid.


What I don't have and want:

  • I can't see the user that connected to the dialup vpn, only that there's one connection. How can I see which user is connected in the gui?
  • I would like 2 groups of dial-up vpn users that will have access to different networks/ip's. I thought they need to get an ip in a different subnet (vlan?) so i can base policies on that. I created 2 user groups (let's say 'internal users' and 'external users' and 2 vlans (let say 'vpn_internal_users_vlan' and 'vpn_external_users_vlan'). I created a dial-in vpn using the wizard and selected 'internal users' and 'vpn_internal_users_vlan' and that works. I created firewall rules to allow internet via the vpn and access to the internal network. I created another vpn and selected the group 'external users' and 'vpn_external_users_vlan' hoping the username supplied when connecting would determine which subnet the user was assigned to (based on group). But I cannot connect both vpn's now. I tried with identical preshared keys and with different preshared keys but no go. I expect the forigate cannot determine which tunnel to use? Also a user can be member of 2 groups so It's logical this approach doen't work. Why do I want this:

    I want internal users that connect via vpn to be able to access certaint local en remote systems (firewalled by external ip so the must relay internet through vpn) and the external users should only be able to access specific internal servers. I tried add users in the firewall policies but that also doesn't work, no traffic is passing then.
  • If the above cannot be done by user, is there a way to assign a static ip to a user (no mac reservation or based on remote ip, they might connect from different computers at different locations) so I can base policies on that?


What I don't understand:

When I create a vpn using the wizard it created two interfaces: l2t.root and one with the name of the VPN tunnel. Also 2 policies are created: interface with vpn_tunnel_name -> Wan with service L2tp, and l2t.root->internal all services. I wanted to allow internet through vpn and added a policy using the interface with vpn_tunnel_name as source because that seemed logical. However that didn't work, I tries l2t.root and that did work. Why do I have 2 interfaces and why is the L2tp policy based on source iinterface vpn_tunnel_name and the 'allow traffic' policies on l2t.root?


Please help me out while explaining why certains changed/choice are made. I have basic knowledge of the networking aspects but am learning here. I configured the Draytek with above wishes without problems, but that is much more wizard-style and doesn't hide (or not show in GUI) configured items after the wizard is done, something the fortigate does...


I think you can start by reading this official document and the following guide for some explanations related to your queries. By your description it seems that you configured correctly the l2tp and the users (check the documents) but you are doing something wrong (expecting both to work when separating the users):


For monitoring logged users try Dashboard > Users and devices

for CLI (maybe): execute vpn sslvpn list // diag firewall auth list

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Top Kudoed Authors