FortiGate
ESCHAN_FTNT, Staff
Article Id 196736

Description

L2TP is mostly used by clients who do not want to install VPN client software (such as FortiClient) but still need a secure, encrypted VPN connection; the native Windows VPN client can establish an L2TP connection without any additional software.

From firmware 5.2.0 onwards, L2TP can be configured on an interface-based (route-based) IPsec VPN. If WAN load balancing is in use on 5.2/5.4/5.6 and L2TP is required, interface/route-based L2TP can be used to achieve this.


Solution

The following sample configuration sets up L2TP over an interface/route-based IPsec VPN:

config vpn l2tp
    set eip 10.10.10.100
    set sip 10.10.10.1
    set status enable
    set usrgrp "L2TP_Group"
end

config vpn ipsec phase1-interface
    edit "L2TP"
        set type dynamic
        set interface "port9"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set psksecret <password>
    next
end

config vpn ipsec phase2-interface
    edit "L2TP-p2"
        set phase1name "L2TP"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
    next
end

config firewall policy
    edit 0
        set name "L2TP policy"
        set srcintf "L2TP"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "L2TP"
    next
end

config firewall policy
    edit 0
        set name "IPsec policy"
        set srcintf "L2TP"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

For a policy-based configuration, refer to the Fortinet Cookbook: cookbook.fortinet.com/l2tp-ipsec-vpn-on-fortigate/
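As an added example (not Fortinet's code and not part of the original article), the following Python script parses FortiOS CLI blocks of the shape shown above and audits them for the settings an interface-based L2TP/IPsec tunnel depends on: a dynamic phase1, a phase2 in transport mode with l2tp enabled, an enabled vpn l2tp entry with a user group, and an accept policy from the tunnel interface for service L2TP (without that policy the UDP/1701 L2TP session inside the IPsec tunnel is dropped). It also flags the MD5, 3DES and DH group 2 entries in the sample proposal lists, which are deprecated algorithms. The function names parse_fortios, weak_crypto and audit_l2tp, and the trimmed SAMPLE_CONFIG copy of the article's blocks, are this example's own.

```python
import shlex

# Constructed, trimmed copy of the article's vpn l2tp, phase1, phase2 and
# L2TP-policy blocks; it is the input the checks below run on.
SAMPLE_CONFIG = """
config vpn l2tp
    set status enable
    set usrgrp "L2TP_Group"
end
config vpn ipsec phase1-interface
    edit "L2TP"
        set type dynamic
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set psksecret <password>
    next
end
config vpn ipsec phase2-interface
    edit "L2TP-p2"
        set phase1name "L2TP"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set encapsulation transport-mode
        set l2tp enable
    next
end
config firewall policy
    edit 0
        set srcintf "L2TP"
        set action accept
        set service "L2TP"
    next
end
"""

WEAK_TOKENS = ("md5", "des")  # "des" also matches 3des
WEAK_DH = {"1", "2", "5"}      # MODP groups below 2048 bits

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {table path: [entries]};
    '_id' is the edit name, or None for edit-less tables like vpn l2tp."""
    tables, stack = {}, []  # stack frames: [table path, current entry]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append([" ".join(args), None])
            tables.setdefault(stack[-1][0], [])
        elif verb == "edit":
            stack[-1][1] = {"_id": args[0]}
            tables[stack[-1][0]].append(stack[-1][1])
        elif verb == "set":
            if stack[-1][1] is None:  # edit-less table: one implicit entry
                stack[-1][1] = {"_id": None}
                tables[stack[-1][0]].append(stack[-1][1])
            stack[-1][1][args[0]] = args[1:]
        elif verb == "next":
            stack[-1][1] = None
        elif verb == "end":
            stack.pop()
    return tables

def weak_crypto(where, entry):
    # Flag MD5/DES/3DES proposals and DH groups below 2048 bits
    bad = [f"WARN: {where}: proposal {p} uses a deprecated algorithm"
           for p in entry.get("proposal", []) if any(t in p for t in WEAK_TOKENS)]
    return bad + [f"WARN: {where}: DH group {g} is below 2048 bits"
                  for g in entry.get("dhgrp", []) if g in WEAK_DH]

def audit_l2tp(tables):
    """Return ERROR/WARN strings for an interface-based L2TP/IPsec setup."""
    findings = []
    l2tp = (tables.get("vpn l2tp") or [{}])[0]
    if l2tp.get("status") != ["enable"] or "usrgrp" not in l2tp:
        findings.append("ERROR: vpn l2tp must be enabled and have a usrgrp")
    for p1 in tables.get("vpn ipsec phase1-interface", []):
        name = p1["_id"]
        if p1.get("type") != ["dynamic"]:
            findings.append(f"ERROR: phase1 {name}: dial-up clients need type dynamic")
        findings += weak_crypto(f"phase1 {name}", p1)
        p2s = [p for p in tables.get("vpn ipsec phase2-interface", [])
               if p.get("phase1name") == [name]]
        if not p2s:
            findings.append(f"ERROR: phase1 {name}: no phase2-interface references it")
        for p2 in p2s:  # L2TP runs inside a transport-mode SA with l2tp enabled
            if p2.get("encapsulation") != ["transport-mode"]:
                findings.append(f"ERROR: phase2 {p2['_id']}: needs encapsulation transport-mode")
            if p2.get("l2tp") != ["enable"]:
                findings.append(f"ERROR: phase2 {p2['_id']}: 'set l2tp enable' is missing")
            findings += weak_crypto(f"phase2 {p2['_id']}", p2)
        # The L2TP session (UDP/1701) must be allowed in from the tunnel interface
        if not any(name in p.get("srcintf", []) and "L2TP" in p.get("service", [])
                   and p.get("action") == ["accept"]
                   for p in tables.get("firewall policy", [])):
            findings.append(f"ERROR: no accept policy from {name} for service L2TP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_l2tp(parse_fortios(SAMPLE_CONFIG))))
```

Run as a script it prints the findings for the embedded sample: no errors, and five warnings covering the two weak proposal entries in each phase plus DH group 2. To audit a live unit, replace SAMPLE_CONFIG with the output of the FortiOS `show` command for the vpn l2tp, phase1-interface, phase2-interface and firewall policy tables; the parser ignores settings it does not check, so the extra lines in a full configuration are harmless.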
