FortiGate
npariyar (Staff)
Article Id 248072
Description

This article describes how to configure an L2TP VPN for Windows clients in an example where the FortiGate is deployed in a cloud service such as AWS, that is, behind a NAT device.

Scope

FortiOS 7.2.3.

Solution

[Topology diagram: image npariyar_0-1677915511189.png]

 

In this example, the public IP on the AWS side is 1.1.1.1.

AWS translates (NAT) 1.1.1.1 to the FortiGate's port1, whose private IP is 10.0.0.1/24.

Interface configuration:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
    edit "port7"
        set vdom "root"
        set ip 192.168.90.1 255.255.248.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
end

Step 1: Configure users.

Create the following config in the CLI:

config user local
    edit "fortinet"
        set type password
        set passwd      <- Set a password here.
    next
end

Step 2: Configure a group.

Create the following config in the CLI:

config user group
    edit "L2TP-USERS"
        set member "fortinet"
    next
end

Step 3: Configure L2TP, assigning the user group created above and specifying the range of IP addresses to hand out to clients.

Create the following config in the CLI:

config vpn l2tp
    set status enable
    set eip 172.16.1.254    <- The last IP of the range assigned to Windows clients.
    set sip 172.16.1.1      <- The first IP of the range assigned to Windows clients.
    set usrgrp "L2TP-USERS"
end

Step 4: Configure IPsec Phase 1 and Phase 2.

Create the following config in the CLI:

config vpn ipsec phase1-interface
    edit "L2TP-VPN"
        set type dynamic
        set interface "port1"  <- Incoming (WAN-facing) interface.
        set peertype any
        set net-device disable
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set comments "VPN: L2TP-VPN (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-windows
        set psksecret      <- Set the pre-shared key here.
    next
end

Note: the Phase 1 above has 'net-device disable'. 'net-device' must be enabled in order to allow multiple VPN connections from behind the same NAT device (same public IP address).

config vpn ipsec phase2-interface
    edit "L2TP-VPN"
        set phase1name "L2TP-VPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: L2TP-VPN (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end

Step 5: Configure the firewall policy.

Create the following config in the CLI:

config firewall policy
    edit 1
        set name "vpn_L2TP-VPN_l2tp"
        set srcintf "L2TP-VPN"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "L2TP"
        set comments "VPN: L2TP-VPN (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_L2TP-VPN_remote_0"
        set srcintf "l2t.root"
        set dstintf "port7"   <- LAN interface.
        set action accept
        set srcaddr "L2TP-VPN_range"
        set dstaddr "192.168.40.0/21"    <- LAN subnet.
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "VPN: L2TP-VPN (Created by VPN wizard)"
    next
end
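As an added check that is not part of this article or of FortiOS itself, the following Python script parses the CLI above (only the flat config/edit/set/next/end subset this article uses; the function names and the trimmed, constructed copy of the article's config embedded in it are assumptions of this example) and reviews the settings a practitioner would verify before rolling the VPN out: that the client pool start is below its end, whether the Phase 1/Phase 2 proposals still include deprecated 3DES or MD5 (the lists above do), whether net-device is disabled (which matters when several clients share one NAT public IP, as the note above says), that Phase 2 has l2tp enabled in transport mode, and whether the client-to-LAN policy's dstaddr actually lies on the LAN interface. Run against the article's own values it reports four findings, one of them that 192.168.40.0/21 is not on port7, whose address 192.168.90.1/255.255.248.0 lies in 192.168.88.0/21.

```python
import ipaddress
import shlex

# Constructed sample: the article's FortiGate CLI trimmed to what the checks use.
SAMPLE_CONFIG = """
config system interface
    edit "port7"
        set ip 192.168.90.1 255.255.248.0
    next
end
config vpn l2tp
    set eip 172.16.1.254
    set sip 172.16.1.1
end
config vpn ipsec phase1-interface
    edit "L2TP-VPN"
        set net-device disable
        set proposal aes256-md5 3des-sha1 aes192-sha1
    next
end
config vpn ipsec phase2-interface
    edit "L2TP-VPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set encapsulation transport-mode
        set l2tp enable
    next
end
config firewall policy
    edit 2
        set srcintf "l2t.root"
        set dstintf "port7"
        set dstaddr "192.168.40.0/21"
    next
end
"""
WEAK_ALGS = {"des", "3des", "md5"}   # deprecated algorithm names in FortiOS proposals


def parse_fortios(text):
    """Parse the flat config/edit/set/next/end subset of FortiOS CLI into
    {table: {entry: {key: [values]}}}; table-level 'set' lines go under entry ''."""
    tables, table, entry = {}, None, ""
    for raw in text.splitlines():
        tokens = shlex.split(raw)            # honours the "quoted name" syntax
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table, entry = " ".join(args), ""
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            table, entry = None, ""
    return tables


def check_l2tp(tables):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    l2tp = tables.get("vpn l2tp", {}).get("", {})
    sip, eip = l2tp.get("sip", [""])[0], l2tp.get("eip", [""])[0]
    try:
        if ipaddress.ip_address(sip) > ipaddress.ip_address(eip):
            findings.append("vpn l2tp: pool start (sip) is after pool end (eip)")
    except ValueError:
        findings.append("vpn l2tp: sip/eip missing or not IP addresses")
    for table in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, s in tables.get(table, {}).items():
            weak = [p for p in s.get("proposal", []) if set(p.split("-")) & WEAK_ALGS]
            if weak:
                findings.append(f"{table} {name}: deprecated proposals {weak}")
            if s.get("net-device") == ["disable"]:
                findings.append(f"{table} {name}: net-device disable; enable it when "
                                "several clients connect from one NAT public IP")
            if table.endswith("phase2-interface") and (
                    s.get("l2tp") != ["enable"] or s.get("encapsulation") != ["transport-mode"]):
                findings.append(f"{table} {name}: L2TP needs 'l2tp enable' and transport-mode")
    for pid, s in tables.get("firewall policy", {}).items():
        if s.get("srcintf") != ["l2t.root"]:
            continue                         # only the L2TP-client-to-LAN policy is checked
        iface = s.get("dstintf", [""])[0]
        ip = tables.get("system interface", {}).get(iface, {}).get("ip")
        lan = ipaddress.ip_interface("/".join(ip)).network if ip else None
        for dst in s.get("dstaddr", []):
            try:
                dst_net = ipaddress.ip_network(dst, strict=False)
            except ValueError:
                continue                     # a named address object; not resolvable here
            if lan and not dst_net.overlaps(lan):
                findings.append(f"firewall policy {pid}: dstaddr {dst} is not on {iface} ({lan})")
    return findings


if __name__ == "__main__":
    for finding in check_l2tp(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

A dstaddr that is a named address object (such as L2TP-VPN_range above) is skipped, because the object's members are not in the parsed subset; feed the script 'config firewall address' as well if that should be resolved. The proposal and net-device checks are reported rather than auto-fixed, since both are deliberate choices the article's wizard output leaves to the administrator.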

 

On a Windows PC, NAT-T is required for a successful VPN connection when the FortiGate is behind NAT. By default, Windows PCs do not support NAT-T for this connection, so a registry change is required.

Open the Registry Editor (regedit.exe) and go to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a DWORD value under it named AssumeUDPEncapsulationContextOnSendRule, set it to 2, then restart the computer.

Afterwards, the L2TP VPN connection settings on the PC should look similar to the screenshot below:

[Screenshot: image npariyar_1-1677915687392.png]