Created on 11-04-2019 02:59 AM Edited on 04-06-2022 10:29 AM By Anonymous
Description
This article describes how to let several Windows native L2TP/IPsec clients that sit behind the same NAT IP address connect to the same FortiGate L2TP/IPsec dial-up tunnel at the same time.
Useful link:
Fortinet Documentation: New route-based IPsec logic
Scope
FortiGate v5.6.3
FortiGate v6.0
FortiGate v6.2
Solution
Formerly, FortiOS created only one dial-up interface for each L2TP/IPsec phase1, so when two users sat behind the same NAT device (and therefore arrived from the same public IP address), only one of them could successfully bring up the tunnel.
As of FortiOS versions 5.6.3 and 6.0, a new behavior is implemented for routing traffic to IPsec dial-up tunnels.
A new option is added to the IPsec phase1 configuration with the following command:
# config vpn ipsec phase1-interface
    edit "VPN-phase1"
        set net-device enable
    next
end
"set net-device enable" creates a dynamic tunnel interface for each dialer (each connected peer) instead of one interface shared by every peer of that phase1.
This lets FortiOS distinguish multiple requests coming from multiple Windows clients NATed behind the same IP address, so each client is terminated on its own tunnel; after the change, each connected client shows up as a separate tunnel in "diagnose vpn tunnel list".
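As an added example (not code from the article or from Fortinet), the following Python script audits a FortiOS configuration backup for this setting: it parses every entry under "config vpn ipsec phase1-interface", flags the dial-up ones ("set type dynamic") that do not explicitly carry "set net-device enable", and prints the CLI needed to correct them. The sample configuration embedded in the script is constructed for the example. The script assumes the standard config/edit/set/next/end layout of a FortiOS backup and treats a missing net-device line as "not explicitly enabled", because backups omit default values and the default differs between FortiOS versions (assumption: confirm the default on the running version).

```python
"""Audit a FortiOS config backup for dial-up phase1-interface entries that do
not explicitly enable net-device.

Added example for this article, not Fortinet code. SAMPLE_CONFIG below is a
constructed fragment; the parser only understands the config/edit/set/next/end
structure that FortiOS backups use.
"""
import shlex

# Constructed sample: one dial-up phase1 with net-device enabled, one dial-up
# phase1 without it, and one static site-to-site phase1 that is out of scope.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN-phase1"
        set type dynamic
        set interface "wan1"
        set net-device enable
        set psksecret ENC xxxx
    next
    edit "L2TP-dialup"
        set type dynamic
        set interface "wan1"
        set psksecret ENC xxxx
    next
    edit "site-to-site"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret ENC xxxx
    next
end
config vpn l2tp
    set eip 10.10.10.20
    set sip 10.10.10.10
    set status enable
    set usrgrp "L2TP-users"
end
"""


def parse_phase1_interfaces(config_text):
    """Return {name: {setting: [values]}} for each entry under
    'config vpn ipsec phase1-interface'. Nested config blocks inside an entry
    are tracked by depth so their 'end' does not close the outer section."""
    entries = {}
    in_phase1 = False
    depth = 0          # nesting of config blocks inside the phase1 section
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)   # honours the "quoted names" in backups
        keyword = tokens[0]
        if not in_phase1:
            if tokens[:4] == ["config", "vpn", "ipsec", "phase1-interface"]:
                in_phase1 = True
            continue
        if keyword == "config":
            depth += 1
        elif keyword == "end":
            if depth == 0:
                in_phase1 = False
            else:
                depth -= 1
        elif depth == 0:
            if keyword == "edit":
                current = tokens[1]
                entries[current] = {}
            elif keyword == "set" and current is not None:
                entries[current][tokens[1]] = tokens[2:]
            elif keyword == "next":
                current = None
    return entries


def find_dialup_without_net_device(entries):
    """Dial-up phase1s are 'set type dynamic'. Return the names whose
    net-device is not explicitly 'enable'. An absent line is reported too:
    backups omit defaults, and the default varies by FortiOS version
    (assumption: verify on the running version)."""
    return [name for name, settings in entries.items()
            if settings.get("type") == ["dynamic"]
            and settings.get("net-device") != ["enable"]]


def remediation_cli(names):
    """Build the CLI that enables net-device on the flagged phase1 entries."""
    lines = ["config vpn ipsec phase1-interface"]
    for name in names:
        lines += [f'    edit "{name}"', "        set net-device enable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    phase1 = parse_phase1_interfaces(SAMPLE_CONFIG)
    flagged = find_dialup_without_net_device(phase1)
    if flagged:
        print("Dial-up phase1 entries without 'set net-device enable':", flagged)
        print(remediation_cli(flagged))
    else:
        print("All dial-up phase1 entries explicitly enable net-device.")
```

To run it against a real device, replace SAMPLE_CONFIG with the text of a backup exported from the FortiGate; only the "config vpn ipsec phase1-interface" section is inspected, so the rest of the file can stay as exported.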
Copyright 2024 Fortinet, Inc. All Rights Reserved.