Fortinet black logo

Handbook

L2TP configuration overview

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:300375
Download PDF

L2TP configuration overview

To configure a FortiGate unit to act as an LNS, you perform the following tasks:

  • Create an L2TP user group containing one user for each remote client.
  • Enable L2TP on the FortiGate unit and specify the range of addresses that can be assigned to remote clients when they connect.
  • Define firewall source and destination addresses to indicate where packets transported through the L2TP tunnel will originate and be delivered.
  • Create the security policy and define the scope of permitted services between the source and destination addresses.
  • Configure the remote clients.

Authenticating L2TP clients

L2TP clients must be authenticated before a tunnel is established. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All L2TP clients are challenged when a connection attempt is made.

To enable authentication, you must create user accounts and a user group to identify the L2TP clients that need access to the network behind the FortiGate unit.

You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS or LDAP server. If password protection will be provided through a RADIUS or LDAP server, you must configure the FortiGate unit to forward authentication requests to the authentication server.

Enabling L2TP and specifying an address range

The L2TP address range specifies the range of addresses reserved for remote clients. When a remote client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the remote client.

The address range that you reserve can be associated with private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the remote client appear to be part of the internal network.

To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI command.

The following example shows how to enable L2TP and set the L2TP address range using a starting address of 192.168.10.80 and an ending address of 192.168.10.100 for an existing group of L2TP users named L2TP_users:

config vpn l2tp

set sip 192.168.10.80

set eip 192.168.10.100

set status enable

set usrgrp L2TP_users

end

Defining firewall source and destination addresses

Before you define the security policy, you must define the source and destination addresses of packets that are to be transported through the L2TP tunnel:

  • For the source address, enter the range of addresses that you reserved for remote L2TP clients (for example 192.168.10.[80-100]).
  • For the destination address, enter the IP addresses of the computers that the L2TP clients need to access on the private network behind the FortiGate unit (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or 192.168.10.[10-15] for an IP address range).
To define the firewall source address
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Select Address.
  3. In the Name field, type a name that represents the range of addresses that you reserved for remote clients (for example, Ext_L2TPrange).
  4. In Type, select IP Range.
  5. In the Subnet / IP Range field, type the corresponding IP address range.
  6. In Interface, select the FortiGate interface that connects to the clients.
  7. This is usually the interface that connects to the Internet.
  8. Select OK.
To define the firewall destination address
  1. Go to Policy & Objects > Addresses and select Create New.
  2. In the Address Name field, type a name that represents a range of IP addresses on the network behind the FortiGate unit (for example, Int_L2TPaccess).
  3. In Type, select IP Range.
  4. In the IP Range field, type the corresponding IP address range.
  5. In Interface, select the FortiGate interface that connects to the network behind the FortiGate unit.
  6. Select OK.

Adding the security policy

The security policy specifies the source and destination addresses that can generate traffic inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a selection of services are required, define a service group.

To define the traffic and services permitted inside the L2TP tunnel
  1. Go to Policy & Objects > IPv4 or Policy & Objects > IPv6 and select Create New.
  2. Enter these settings:
  3. Name Input a name for the policy.
    Incoming Interface Select the FortiGate interface to the Internet.
    Outgoing Interface Select the FortiGate interface to the internal (private) network.
    Source Address Select the name that corresponds to the address range that reserved for L2TP clients (for example, Ext_L2TPrange).
    Destination Address Select the name that corresponds to the IP addresses behind the FortiGate unit (for example, Int_L2TPaccess).
    Schedule Select ALWAYS, or if a select schedule is required instead, select a schedule that you defined previously.
    Service Select ALL, or if selected services are required instead, select the service group that you defined previously.
    Action ACCEPT
  4. Select OK.

Configuring a Linux client

This procedure outlines how to install L2TP client software and run an L2TP tunnel on a Linux computer. Obtain an L2TP client package that meets your requirements (for example, rp-l2tp). If needed to encrypt traffic, obtain L2TP client software that supports encryption using IPsec.

To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP connections, you can obtain and install the client software following these guidelines:

  1. If encryption is required, you will need to verify the IPsec configuration.
  2. Download and install the L2TP client package.
  3. Configure an L2TP connection to run the L2TP program.
  4. Configure routes to determine whether all or some of your network traffic will be sent through the tunnel. You must define a route to the remote network over the L2TP link and a host route to the FortiGate unit.
  5. Run l2tpd to start the tunnel.

Follow the software supplier’s documentation to complete the steps.

To configure the system, you need to know the public IP address of the FortiGate unit, and the user name and password that has been set up on the FortiGate unit to authenticate L2TP clients. Contact the FortiGate administrator if required to obtain this information.

Monitoring L2TP sessions

You can display a list of all active sessions and view activity by port number. By default, port 1701 is used for L2TP VPN-related communications. If required, active sessions can be stopped from this view. Use FortiView > All Sessions.

Testing L2TP VPN connections

To confirm that a VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The VPN tunnel initializes when the dialup client attempts to connect.

Logging L2TP VPN events

You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection events and tunnel status (up/down) are logged.

To log VPN events - GUI
  1. Go to Log & Report > Log Settings.
  2. Enable the storage of log messages to one or more locations.
  3. Select Enable, and then select VPN activity event.
  4. Select Apply.
To log VPN events - CLI

config log memory setting

set diskfull overwrite

set status enable

end

config log eventfilter

set vpn enable

end

L2TP configuration overview

To configure a FortiGate unit to act as an LNS, you perform the following tasks:

  • Create an L2TP user group containing one user for each remote client.
  • Enable L2TP on the FortiGate unit and specify the range of addresses that can be assigned to remote clients when they connect.
  • Define firewall source and destination addresses to indicate where packets transported through the L2TP tunnel will originate and be delivered.
  • Create the security policy and define the scope of permitted services between the source and destination addresses.
  • Configure the remote clients.

Authenticating L2TP clients

L2TP clients must be authenticated before a tunnel is established. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All L2TP clients are challenged when a connection attempt is made.

To enable authentication, you must create user accounts and a user group to identify the L2TP clients that need access to the network behind the FortiGate unit.

You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS or LDAP server. If password protection will be provided through a RADIUS or LDAP server, you must configure the FortiGate unit to forward authentication requests to the authentication server.

Enabling L2TP and specifying an address range

The L2TP address range specifies the range of addresses reserved for remote clients. When a remote client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the remote client.

The address range that you reserve can be associated with private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the remote client appear to be part of the internal network.

To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI command.

The following example shows how to enable L2TP and set the L2TP address range using a starting address of 192.168.10.80 and an ending address of 192.168.10.100 for an existing group of L2TP users named L2TP_users:

config vpn l2tp

set sip 192.168.10.80

set eip 192.168.10.100

set status enable

set usrgrp L2TP_users

end

Defining firewall source and destination addresses

Before you define the security policy, you must define the source and destination addresses of packets that are to be transported through the L2TP tunnel:

  • For the source address, enter the range of addresses that you reserved for remote L2TP clients (for example 192.168.10.[80-100]).
  • For the destination address, enter the IP addresses of the computers that the L2TP clients need to access on the private network behind the FortiGate unit (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or 192.168.10.[10-15] for an IP address range).
To define the firewall source address
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Select Address.
  3. In the Name field, type a name that represents the range of addresses that you reserved for remote clients (for example, Ext_L2TPrange).
  4. In Type, select IP Range.
  5. In the Subnet / IP Range field, type the corresponding IP address range.
  6. In Interface, select the FortiGate interface that connects to the clients.
  7. This is usually the interface that connects to the Internet.
  8. Select OK.
To define the firewall destination address
  1. Go to Policy & Objects > Addresses and select Create New.
  2. In the Address Name field, type a name that represents a range of IP addresses on the network behind the FortiGate unit (for example, Int_L2TPaccess).
  3. In Type, select IP Range.
  4. In the IP Range field, type the corresponding IP address range.
  5. In Interface, select the FortiGate interface that connects to the network behind the FortiGate unit.
  6. Select OK.

Adding the security policy

The security policy specifies the source and destination addresses that can generate traffic inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a selection of services are required, define a service group.

To define the traffic and services permitted inside the L2TP tunnel
  1. Go to Policy & Objects > IPv4 or Policy & Objects > IPv6 and select Create New.
  2. Enter these settings:
  3. Name Input a name for the policy.
    Incoming Interface Select the FortiGate interface to the Internet.
    Outgoing Interface Select the FortiGate interface to the internal (private) network.
    Source Address Select the name that corresponds to the address range that reserved for L2TP clients (for example, Ext_L2TPrange).
    Destination Address Select the name that corresponds to the IP addresses behind the FortiGate unit (for example, Int_L2TPaccess).
    Schedule Select ALWAYS, or if a select schedule is required instead, select a schedule that you defined previously.
    Service Select ALL, or if selected services are required instead, select the service group that you defined previously.
    Action ACCEPT
  4. Select OK.

Configuring a Linux client

This procedure outlines how to install L2TP client software and run an L2TP tunnel on a Linux computer. Obtain an L2TP client package that meets your requirements (for example, rp-l2tp). If needed to encrypt traffic, obtain L2TP client software that supports encryption using IPsec.

To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP connections, you can obtain and install the client software following these guidelines:

  1. If encryption is required, you will need to verify the IPsec configuration.
  2. Download and install the L2TP client package.
  3. Configure an L2TP connection to run the L2TP program.
  4. Configure routes to determine whether all or some of your network traffic will be sent through the tunnel. You must define a route to the remote network over the L2TP link and a host route to the FortiGate unit.
  5. Run l2tpd to start the tunnel.

Follow the software supplier’s documentation to complete the steps.

To configure the system, you need to know the public IP address of the FortiGate unit, and the user name and password that has been set up on the FortiGate unit to authenticate L2TP clients. Contact the FortiGate administrator if required to obtain this information.

Monitoring L2TP sessions

You can display a list of all active sessions and view activity by port number. By default, port 1701 is used for L2TP VPN-related communications. If required, active sessions can be stopped from this view. Use FortiView > All Sessions.

Testing L2TP VPN connections

To confirm that a VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The VPN tunnel initializes when the dialup client attempts to connect.

Logging L2TP VPN events

You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection events and tunnel status (up/down) are logged.

To log VPN events - GUI
  1. Go to Log & Report > Log Settings.
  2. Enable the storage of log messages to one or more locations.
  3. Select Enable, and then select VPN activity event.
  4. Select Apply.
To log VPN events - CLI

config log memory setting

set diskfull overwrite

set status enable

end

config log eventfilter

set vpn enable

end