Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Windows native l2tp ipsec: multiple connections on...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows native l2tp ipsec: multiple connections on 1 wan and assign ip
First of all: new to fortigate so sorry if I write down info that doesn't make sense to you guys.
Situation:
we have a draytek router that needs to be replaced as it breaks down constantly. We bought a fortigate 60e which I upgraded to latest firmware v7.0. I'm using the gui because is makes understanding the configurations a bit clearer than using cli so please provide answers using gui if possible.
What I have:
I've setup lan, wan, 2 vlans en 2 sites-site connections. I've also setup a native-windows l2tp-ipsec dialup vpn using the wizard. We have mulltiple laptops in the field already configured to so at the moment I want to use native windows vpn, and not ssl vpn I'm afraid.
What I don't have and want:
- I can't see the user that connected to the dialup vpn, only that there's one connection. How can I see which user is connected in the gui?
- I would like 2 groups of dial-up vpn users that will have access to different networks/ip's. I thought they need to get an ip in a different subnet (vlan?) so i can base policies on that. I created 2 user groups (let's say 'internal users' and 'external users' and 2 vlans (let say 'vpn_internal_users_vlan' and 'vpn_external_users_vlan'). I created a dial-in vpn using the wizard and selected 'internal users' and 'vpn_internal_users_vlan' and that works. I created firewall rules to allow internet via the vpn and access to the internal network. I created another vpn and selected the group 'external users' and 'vpn_external_users_vlan' hoping the username supplied when connecting would determine which subnet the user was assigned to (based on group). But I cannot connect both vpn's now. I tried with identical preshared keys and with different preshared keys but no go. I expect the forigate cannot determine which tunnel to use? Also a user can be member of 2 groups so It's logical this approach doen't work. Why do I want this:
I want internal users that connect via vpn to be able to access certaint local en remote systems (firewalled by external ip so the must relay internet through vpn) and the external users should only be able to access specific internal servers. I tried add users in the firewall policies but that also doesn't work, no traffic is passing then. - If the above cannot be done by user, is there a way to assign a static ip to a user (no mac reservation or based on remote ip, they might connect from different computers at different locations) so I can base policies on that?
What I don't understand:
When I create a vpn using the wizard it created two interfaces: l2t.root and one with the name of the VPN tunnel. Also 2 policies are created: interface with vpn_tunnel_name -> Wan with service L2tp, and l2t.root->internal all services. I wanted to allow internet through vpn and added a policy using the interface with vpn_tunnel_name as source because that seemed logical. However that didn't work, I tries l2t.root and that did work. Why do I have 2 interfaces and why is the L2tp policy based on source iinterface vpn_tunnel_name and the 'allow traffic' policies on l2t.root?
Please help me out while explaining why certains changed/choice are made. I have basic knowledge of the networking aspects but am learning here. I configured the Draytek with above wishes without problems, but that is much more wizard-style and doesn't hide (or not show in GUI) configured items after the wizard is done, something the fortigate does...
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you can start by reading this official document and the following guide for some explanations related to your queries. By your description it seems that you configured correctly the l2tp and the users (check the documents) but you are doing something wrong (expecting both to work when separating the users):
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/386346/l2tp-over-ipsec
For monitoring logged users try Dashboard > Users and devices
for CLI (maybe): execute vpn sslvpn list // diag firewall auth list
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/247320/monitoring-authenticated-users
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,701 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.