L2TP over IPsec configuration needs to be manually updated after upgrading from 6.4.x or 7.0.0 to 7.0.1 and later

If the setting is not manually updated after upgrading, the VPN connection will be established, but it will not be accessible from the internal network (office network). This setting change is necessary regardless of whether route-based or policy-based IPsec is used.

To make L2TP over IPsec work after upgrading:
  1. Add a static route for the IP range configured in vpn l2tp. For example, if the L2TP setting in the previous version's root VDOM is:

    config vpn l2tp
        set eip 210.0.0.254
        set sip 210.0.0.1
        set status enable
        set usrgrp "L2tpusergroup"
    end

    Add a static route after upgrading:

    config router static
        edit 1
            set dst 210.0.0.0 255.255.255.0
            set device "l2t.root"
        next
    end
  2. Change the firewall policy source interface tunnel name to l2t.VDOM (l2t.root for the root VDOM, matching the static route device above).
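
A post-upgrade check for the two steps above, written in Python as an added example (not Fortinet code): it reads a saved VDOM configuration and reports whether a static route via l2t.VDOM covers the vpn l2tp sip-eip range and whether a firewall policy uses that interface as its source. The function names and the sample configuration are constructed for illustration, and the parsing assumes top-level config/end lines start at column 0.

```python
import ipaddress
import re

# Constructed sample: post-upgrade root-VDOM excerpt built from the page's values.
SAMPLE = '''
config vpn l2tp
    set eip 210.0.0.254
    set sip 210.0.0.1
    set status enable
end
config router static
    edit 1
        set dst 210.0.0.0 255.255.255.0
        set device "l2t.root"
    next
end
config firewall policy
    edit 1
        set srcintf "l2t.root"
    next
end
'''

def section(cfg, name):
    """Return the body of a top-level 'config <name>' block, or '' if absent."""
    m = re.search(r"^config %s\n(.*?)^end$" % re.escape(name), cfg, re.M | re.S)
    return m.group(1) if m else ""

def audit_l2tp(cfg, vdom="root"):
    """List what is still missing for L2TP over IPsec after the upgrade."""
    tunnel = "l2t.%s" % vdom
    l2tp = dict(re.findall(r"set (sip|eip) (\S+)", section(cfg, "vpn l2tp")))
    if len(l2tp) < 2:
        return ["no sip/eip range found in vpn l2tp"]
    pool = [ipaddress.ip_address(l2tp[k]) for k in ("sip", "eip")]
    findings, routed = [], False
    for entry in re.split(r"^\s*next$", section(cfg, "router static"), flags=re.M):
        dst = re.search(r"set dst (\S+) (\S+)", entry)
        dev = re.search(r'set device "([^"]+)"', entry)
        if dst and dev and dev.group(1) == tunnel:
            # Step 1: the route must cover both ends of the L2TP address range.
            net = ipaddress.ip_network("%s/%s" % dst.groups(), strict=False)
            routed = routed or all(ip in net for ip in pool)
    if not routed:
        findings.append("no static route via %s covers %s-%s" % (tunnel, *pool))
    # Step 2: at least one policy must name the l2t.<VDOM> tunnel as source.
    if not re.search(r'set srcintf .*"%s"' % re.escape(tunnel), section(cfg, "firewall policy")):
        findings.append("no firewall policy uses %s as source interface" % tunnel)
    return findings
```

An empty list from `audit_l2tp(config_text)` means both steps are reflected in the configuration; pass `vdom=` for a non-root VDOM.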
