Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

Fortigate L2tp IPsec vpn || Windows native || unable to connect ||

Fortigate L2TP IPsec vpn - Windows native

L2tp IPsec vpn configuration using GUI -

Below are the following steps what I have configured in Fortigate Firewall for L2tp IPsec vpn.

Step1 - Fistly created local user let's suppose - test, password test123.
Step2 - created one group the name of group vpn_group and added that local user in vpn_group.
Step3 - Now I went to VPN section and under the vpn section, selected IPsec Wizard.
Name - L2tp_IPsecvpn
template type - Remote access vpn
Remote device type - native then next windows native
Step4 - Authentication
preshared key - test@123
usergroup - vpn_group
Step5 - In Policy & Routing
Local interface - Port2 which is connected to LAN switch
Local address - 50.1.2.0/24
Client address range - 1.1.1.100 - 1.1.1.110
subnetmask - 255.255.255.255 (leave default)

then click ok.

Now Policy configuration -

Incoming interface - tunnel interface
Outgoing interface - port2 (which is connected to LAN switch)
source address - 1.1.1.100 - 1.1.1.110 (vpn range address)
outgoing address - local address ( 50.1.2.0/24)
internet services - all
Schedule -always
Service - all
action - Ipsec
NAT disabled

Applied security polices - IPS,APP,Antivirus

log enable

ok.


In windows machine -

Windows, click on Start >> Settings >> Network & Internet >> VPN >> Add a VPN connection.

server address - 192.168.77.2 (WAN interface IP of the fortigate firewall - port1)
vpn type - preshared key - test@123
username & password - test, test123

 

Blow is the network digram for example - 

l2.JPG

 


Having configured these things, My windows machine is not able to connecte through this L2tp Ipsec vpn.

Can you anybody have a look this configuration throughly and correct If in case of there are any missing.

thank you for your help.

 

 

8 REPLIES 8
Anonymous
Not applicable

Hello

 

Can you try following and croschecking with this really good step by step setup guide and see if something is missing from your end

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-connect-Windows-10-client-to-L2TP-V...

 

And to further troubleshoot after following the above config guide please follow and share debugs according to :

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-L2TP-in-IPsec-connectivity-issues/ta...

Umesh

Thant's great but there is no any policy configured as per the screenshots.

 

Can you mention here what would be the policy.

 

Waiting for your reply....thank you in advance

Umesh

Hi, 

I would like to tell you, I had gone through your link what you had shared, but L2TP IPsec tunnel is showing down.

Umesh_0-1671853367478.png

and here are the policy -

 

Umesh_1-1671853409605.png

Can you please find the error and let me know why tunnel is showing down.

funkylicious

Hi,
Have you tried connecting?

Also, to find the error you should do some debug on your end and see why it isn't working, I can only guess and my guessing goes so far when there are no logs provided of the issue.

Here is a guide to start from, while trying to connect and it isnt working.

geek
geek
Umesh
Contributor

Thant's great but there is no any policy configured as per the screenshots.

 

Can you mention here what would be the policy.

msanjaypadma

Hi Umesh,

As per attached screenshot for firewall policy noticed that you have configured the L2tp_VPN interface for accessing local subnet in firewall policy name : "vpn_L2tp_vpn_remote". 

If its related to local private traffic , then please try changing src interface  as below.

src interface : "l2t.root"

 

And still issue persist, share below command logs. 

 

show firewall policy

show vpn l2tp

show router static | grep -f l2tp

show vpn ipsec phase1-interface <phase1name>

show vpn ipsec phase2-interface <phase2name>

 

Thanks,

Mayur Padma

Mayur Padma
joseP

Hello I have same problem  ( I can not conect by IPsec on a native conection in windows)

I created my conection with wizard and my command logs

show firewall policy

FWF-c1 # show firewall policy

config firewall policy
edit 3
set status disable
set name "internet monitorizada"
set uuid 7e1835ac-3923-51ed-76eb-af72c1ba7b33
set srcintf "internal"
set dstintf "masmovil"
set action accept
set srcaddr "monitorizados"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "custom-deep-inspection"
set videofilter-profile "videos_infantiles"
set logtraffic all
set nat enable
next
edit 10
set name "dentro_horario_TV"
set uuid cb5aaa7a-49cb-51ee-7473-b021990eba8f
set srcintf "internal"
set dstintf "masmovil"
set action accept
set srcaddr "monitorizados"
set dstaddr "all"
set schedule "tiempo_TV"
set service "ALL"
set nat enable
next
edit 11
set name "fuera_horario_TV"
set uuid 4533eefa-49cd-51ee-799d-3e2576aa93f3
set srcintf "internal"
set dstintf "masmovil"
set srcaddr "monitorizados"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 1
set name "internet"
set uuid 9e277430-3bdf-51ec-cbbe-6efca33f1fdc
set srcintf "internal"
set dstintf "masmovil"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set logtraffic all
set nat enable
next
edit 2
set status disable
set name "DNS server"
set uuid 1ec72de8-3bf8-51ec-6ebe-b35ea3ed84b6
set srcintf "masmovil"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "DNSserver" "DNSserver-udp"
set schedule "always"
set service "DNS"
set logtraffic all
set nat enable
next
edit 4
set name "vpn_s34-Alboraya_local_0"
set uuid 527ad1ca-7cbc-51ed-183f-3133c3b2bd76
set srcintf "internal"
set dstintf "s34-Alboraya"
set action accept
set srcaddr "s34-Alboraya_local"
set dstaddr "s34-Alboraya_remote"
set schedule "always"
set service "ALL"
set comments "VPN: s34-Alboraya (Created by VPN wizard)"
next
edit 5
set name "vpn_s34-Alboraya_remote_0"
set uuid 5305c000-7cbc-51ed-9310-84eb6144ba85
set srcintf "s34-Alboraya"
set dstintf "internal"
set action accept
set srcaddr "s34-Alboraya_remote"
set dstaddr "s34-Alboraya_local"
set schedule "always"
set service "ALL"
set comments "VPN: s34-Alboraya (Created by VPN wizard)"
next
edit 6
set name "SSL-VPN tunnel"
set uuid 607e9b00-8f61-51ed-6f7e-5a06124b9c1b
set srcintf "ssl.root"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "s34-Alboraya_local_subnet_1" "s34-Alboraya_remote_subnet_1" "s34-Alboraya_remote_subnet_2" "s34-Alboraya_remote_subnet_3"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set nat enable
set groups "puebla"
next
edit 9
set name "webserver"
set uuid b982a470-916a-51ed-78b7-9cfae0d17cfa
set srcintf "masmovil"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "http"
set schedule "always"
set service "HTTP"
set nat enable
next
edit 12
set name "vpn_puebla-L2TP_l2tp"
set uuid 7f48f4a6-4c74-51ee-69e6-0efccaa380b9
set srcintf "puebla-L2TP"
set dstintf "masmovil"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "L2TP"
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
next
edit 13
set name "vpn_puebla-L2TP_remote_0"
set uuid 7f57632e-4c74-51ee-28c8-1e64175dd3b8
set srcintf "l2t.root"
set dstintf "internal"
set action accept
set srcaddr "puebla-L2TP_range"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
next
end

 

show vpn l2tp

FWF-c1 # show vpn l2tp
config vpn l2tp
set status enable
set eip 192.168.55.110
set sip 192.168.55.100
set usrgrp "L2TP-users"
end

 

show router static | grep -f l2tp

-- none displayed --

 

show vpn ipsec phase1-interface <phase1name>

FWF-c1 # show vpn l2tp
config vpn l2tp
set status enable
set eip 192.168.55.110
set sip 192.168.55.100
set usrgrp "L2TP-users"
end

FWF-c1 # show router static | grep -f l2tp

FWF-c1 # show vpn ipsec phase1-interface puebla-L2TP
config vpn ipsec phase1-interface
edit "puebla-L2TP"
set type dynamic
set interface "masmovil"
set peertype any
set net-device disable
set proposal aes256-md5 3des-sha1 aes192-sha1
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
set dhgrp 2
set wizard-type dialup-windows
set psksecret ENC KWUqAa1eTqKnS2YLPM+znkO6nhYetodHIDrIH2YzXeoInfYySXb6kJ+IGvxu5wEB366cqaDNmaBqWJIbgkgWKGDgDSs0KJ6W7g48uMzZSD2DcA/LL99sakhMI18RraIzpdjdeG0
Zbf+Fn3kBlotHHj3kQP6IXaDz2P8ocYUEO2My3t5Ehv2VE1ANJeQ9t05u2149uQ==
next
end

 

show vpn ipsec phase2-interface <phase2name>

FWF-c1 # show vpn ipsec phase2-interface puebla-L2TP
config vpn ipsec phase2-interface
edit "puebla-L2TP"
set phase1name "puebla-L2TP"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set encapsulation transport-mode
set l2tp enable
set comments "VPN: puebla-L2TP (Created by VPN wizard)"
set keylifeseconds 3600
next
end

 

Thank you in advance.

 

 

 

 

 

 

funkylicious
Contributor III

Hi,

In step 4 the incoming interface is the one that the user will connect to, in your case port1.

Can you confirm that you did this ?

Also, does your FortiGate have a route back to your client through port1 ?

geek
geek
Labels
Top Kudoed Authors