L2TP IPsec VPN on FortiGate
In this recipe, you will learn how to create an L2TP IPsec tunnel that allows remote users running the Windows 7 L2TP client to securely connect to a private network.
The FortiGate implementation of L2TP enables a remote user to establish an L2TP IPsec tunnel with the FortiGate. For the tunnel to work, you configure a remote client (abhassan) to connect using an L2TP IPsec VPN connection.
This recipe assumes that the FortiGate unit is operating in NAT/Route mode and that it has a static public IP address. This recipe is designed as a policy-based IPsec VPN, not route-based.
Most of the configuration occurs in the CLI Console, as L2TP settings are not configurable in the GUI. You can access the FortiGate CLI Console from the FortiGate GUI using the administration menu or from the CLI Console Dashboard widget.
1. Creating an L2TP user and user group
Go to User & Device > User Definition and create a new L2TP user via the creation wizard (abhassan).
Next go to User & Device > User Groups and create a new user group for L2TP users (L2TP-group), and add abhassan to the group.
2. Enabling L2TP in the CLI Console
Enter the following CLI command to set up an L2TP tunnel that includes the user group just created and defines the L2TP client IP address range (start IP (sip) to end IP (eip)):
config vpn l2tp
    set sip 10.20.100.1
    set eip 10.20.100.101
    set status enable
    set usrgrp L2TP-group
end
3. Configuring the L2TP/IPsec phases
Enter the following CLI command to configure Phase 1 (named l2tp-p1 below):
config vpn ipsec phase1
    edit l2tp-p1
        set type dynamic
        set interface wan1
        set dhgrp 2
        set keylife 86400
        set peertype dialup
        set dpd disable
        set proposal 3des-sha1 aes192-sha1 aes256-md5
        set usrgrp L2TP-group
        set psksecret <preshared_key>
    next
end
Enter the following CLI command to configure Phase 2 (named l2tp-p2 below):
config vpn ipsec phase2
    edit l2tp-p2
        set phase1name l2tp-p1
        set l2tp enable
        set proposal 3des-sha1 aes192-sha1 aes256-md5
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 86400
    next
end
4. Creating a firewall address for L2TP clients
Go to Policy & Objects > Addresses and create a new firewall address.
Enter a Name, set Type to IP Range, and enter the same IP range as configured earlier when enabling L2TP in the CLI Console.
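Steps 2 to 4 have to agree with each other: the phase 2 entry must point at the phase 1 entry, phase 1 and the L2TP settings must name the same user group, and the firewall address range must be the same sip-to-eip range. The following Python script is an added example (not Fortinet code and not part of the original recipe) that parses the recipe's CLI blocks and runs those cross-checks before you continue to the policy. The CLI text embedded in it is a copy of the recipe's commands with the pre-shared key left as the recipe's placeholder; the check also flags proposals that use 3DES or MD5, which are legacy algorithms, as warnings rather than errors because the recipe itself uses them.

```python
import ipaddress

# Constructed input: the recipe's three CLI blocks with the pre-shared key
# left as the recipe's placeholder. Not output captured from a real FortiGate.
RECIPE_CLI = """\
config vpn l2tp
    set sip 10.20.100.1
    set eip 10.20.100.101
    set status enable
    set usrgrp L2TP-group
end
config vpn ipsec phase1
    edit l2tp-p1
        set type dynamic
        set interface wan1
        set dhgrp 2
        set keylife 86400
        set peertype dialup
        set dpd disable
        set proposal 3des-sha1 aes192-sha1 aes256-md5
        set usrgrp L2TP-group
        set psksecret <preshared_key>
    next
end
config vpn ipsec phase2
    edit l2tp-p2
        set phase1name l2tp-p1
        set l2tp enable
        set proposal 3des-sha1 aes192-sha1 aes256-md5
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 86400
    next
end
"""

LEGACY_ALGS = {"des", "3des", "md5"}  # ciphers/hashes no longer recommended


def parse_fortigate_cli(text):
    """Parse 'config ... edit ... set ... next ... end' blocks.

    Returns {section: {entry: {key: value}}}; a section without 'edit'
    lines (such as 'vpn l2tp') stores its settings under entry None.
    """
    config, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            section, entry = rest, None
            config.setdefault(section, {})
        elif keyword == "edit":
            entry = rest
            config[section].setdefault(entry, {})
        elif keyword == "set":
            key, _, value = rest.partition(" ")  # value keeps multi-word proposals
            config[section].setdefault(entry, {})[key] = value
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section, entry = None, None
        else:
            raise ValueError(f"unrecognised CLI line: {line!r}")
    return config


def check_l2tp_config(config, address_start, address_end):
    """Cross-check the L2TP pool, phase1/phase2 entries and firewall address.

    address_start/address_end are the IP Range typed into the firewall
    address object in the GUI. Returns {'errors': [...], 'warnings': [...]}:
    errors stop the tunnel from working, warnings note legacy algorithms.
    """
    errors, warnings = [], []
    l2tp = config.get("vpn l2tp", {}).get(None, {})
    phase1s = config.get("vpn ipsec phase1", {})
    phase2s = config.get("vpn ipsec phase2", {})

    if l2tp.get("status") != "enable":
        errors.append("vpn l2tp: status is not enable")
    sip, eip = ipaddress.ip_address(l2tp["sip"]), ipaddress.ip_address(l2tp["eip"])
    if sip > eip:
        errors.append("vpn l2tp: sip is above eip")
    fw_range = (ipaddress.ip_address(address_start), ipaddress.ip_address(address_end))
    if fw_range != (sip, eip):
        errors.append(f"firewall address {address_start}-{address_end} "
                      f"does not match L2TP pool {sip}-{eip}")

    for name, p2 in phase2s.items():
        p1name = p2.get("phase1name")
        p1 = phase1s.get(p1name)
        if p1 is None:
            errors.append(f"phase2 {name}: phase1name {p1name!r} is not defined")
            continue
        if p2.get("l2tp") != "enable":
            errors.append(f"phase2 {name}: l2tp is not enabled")
        if p2.get("encapsulation") != "transport-mode":
            errors.append(f"phase2 {name}: L2TP requires transport-mode")
        if p1.get("type") != "dynamic" or p1.get("peertype") != "dialup":
            errors.append(f"phase1 {p1name}: dial-up clients need type dynamic and peertype dialup")
        if p1.get("usrgrp") != l2tp.get("usrgrp"):
            errors.append(f"phase1 {p1name}: usrgrp differs from the vpn l2tp usrgrp")
        if not p1.get("psksecret"):
            errors.append(f"phase1 {p1name}: psksecret is not set")
        for label, block in ((f"phase1 {p1name}", p1), (f"phase2 {name}", p2)):
            for proposal in block.get("proposal", "").split():
                if LEGACY_ALGS & set(proposal.split("-")):
                    warnings.append(f"{label}: proposal {proposal} uses a legacy algorithm")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = check_l2tp_config(parse_fortigate_cli(RECIPE_CLI), "10.20.100.1", "10.20.100.101")
    for level in ("errors", "warnings"):
        for finding in report[level]:
            print(f"{level[:-1].upper()}: {finding}")
```

Run against the recipe's own values the script reports no errors and four legacy-algorithm warnings (the 3des-sha1 and aes256-md5 proposals in each phase); change the firewall address end IP to anything other than 10.20.100.101 and the range mismatch is reported as an error, which is the mistake that otherwise only shows up later as clients that connect but cannot reach the internal network.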
5. Creating a security policy for access to the internal network and the Internet
Go to System > Feature Select, enable Policy-based IPsec VPN, and select Apply.
Next go to Policy & Objects > IPv4 Policy, and create an IPsec VPN security policy that allows inbound and outbound traffic.
Set Incoming Interface to the internal network and Source Address to all.
Set Outgoing Interface to wan1, Destination Address to all, Service to ALL, and Action to IPsec.
Under VPN Tunnel, select Use Existing and select the name of the Phase 1 configuration that you created (l2tp-p1).
6. Configuring a remote Windows 7 L2TP client
On a PC, open the Start menu, search for VPN, and select Set up a virtual private network (VPN) connection.
Enter the FortiGate's IP address, enter a Destination name, and make sure to select the Don't connect now… checkbox. Then select Next.
Enter the same User name and Password as configured earlier on the FortiGate and select Create.
The connection is now ready to use. Select Close.
Next, go to Start > Control Panel > Network and Sharing Center and select Connect to a network.
Open the L2TP VPN configured earlier.
Enter the L2TP IPsec VPN's user credentials and select Connect.
You will then be connected to the VPN.
7. Results
On the FortiGate, go to Monitor > IPsec Monitor. The tunnel shows a Status of Up, with incoming and outgoing data.
You can also go to Log & Report > VPN Events, where you can select an entry and view more details. The user has been assigned an IP address from within the L2TP client range.