


L2TP over IPsec

This is an example of L2TP over IPsec.

This example uses a locally defined user for authentication, a Windows PC or Android tablet as the client, and net-device set to enable in the phase1-interface settings. If net-device is set to disable, only one device behind the same NAT device can establish an L2TP over IPsec tunnel.

To configure L2TP over an IPsec tunnel using the GUI:
  1. Go to VPN > IPsec Wizard.

  2. Enter a VPN Name. In this example, L2tpoIPsec.
  3. Configure the following settings for VPN Setup:
    1. For Template Type, select Remote Access.
    2. For Remote Device Type, select Native and Windows Native.
    3. Click Next.
  4. Configure the following settings for Authentication:
    1. For Incoming Interface, select port9.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key (a placeholder for this example; use a long, randomly generated key in production).
    4. For User Group, select L2tpusergroup.
    5. Click Next.
  5. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select port10.
    2. Configure the Local Address as 172.16.101.0.
    3. Configure the Client Address Range as 10.10.10.1-10.10.10.100.
    4. Leave the Subnet Mask at its default value.
    5. Click Create.
To configure L2TP over an IPsec tunnel using the CLI:
  1. Configure the WAN interface and static route on HQ.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end   
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next  
    end   
  2. Configure IPsec phase1-interface and phase2-interface on HQ. The proposal lists below include legacy algorithms (3DES, MD5) for client compatibility; restrict them to the strongest set your clients support, and replace the psksecret placeholder with a strong key.
    config vpn ipsec phase1-interface
        edit "L2tpoIPsec"
            set type dynamic
            set interface "port9"
            set peertype any
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set dpd on-idle
            set dhgrp 2
            set net-device enable
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "L2tpoIPsec"
            set phase1name "L2tpoIPsec"
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set pfs disable
            set encapsulation transport-mode
            set l2tp enable
        next
    end
  3. Configure a user and user group on HQ. The password shown is an example value only; use a strong password in production.
    config user local
        edit "usera"
            set type password
            set passwd usera
            next
    end
    config user group
        edit "L2tpusergroup"
            set member "usera"
        next
    end
  4. Configure L2TP on HQ.
    config vpn l2tp
        set status enable
        set eip 10.10.10.100
        set sip 10.10.10.1
        set usrgrp "L2tpusergroup"
    end
  5. Configure a firewall address covering the L2TP client address range (the same range assigned to clients in the L2TP settings); it is referenced as the source address in the firewall policy once the L2TP tunnel is established.
    config firewall address
        edit "L2TPclients"
            set type iprange
            set start-ip 10.10.10.1
            set end-ip 10.10.10.100
        next
    end
  6. Configure the firewall policies: policy 1 allows the L2TP negotiation from the tunnel interface, and policy 2 allows tunnel clients to reach the internal network. The address object 172.16.101.0 referenced as the destination in policy 2 is not created in these CLI steps and must already exist.
    config firewall policy
        edit 1
            set name "Bridge_IPsec_port9_for_l2tp negotiation"
            set srcintf "L2tpoIPsec"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "L2TP"
        next
        edit 2
            set srcintf "L2tpoIPsec"
            set dstintf "port10"
            set srcaddr "L2TPclients"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To view the VPN tunnel list on HQ (this output includes the live SA encryption and authentication keys, so redact it before sharing):
diagnose vpn tunnel list

list all ipsec tunnel in vd 0
----
name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg 
 parent=L2tpoIPsec index=0
proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
stat: rxp=470 txp=267 rxb=57192 txb=12679
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
  src: 17:22.1.1.1-22.1.1.1:1701
  dst: 17:10.1.100.15-10.1.100.15:0
  SA:  ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048
       seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0
  life: type=01 bytes=0/0 timeout=3585/3600
  dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc
       ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432
  enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9
       ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a
  dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744
  npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0
----
name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg 
 parent=L2tpoIPsec index=1
proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0
stat: rxp=5 txp=4 rxb=592 txb=249
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
  src: 17:22.1.1.1-22.1.1.1:1701
  dst: 17:22.1.1.2-22.1.1.2:0
  SA:  ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048
       seqno=5 esn=0 replaywin_lastseq=00000005 itn=0
  life: type=01 bytes=0/0 timeout=28790/28800
  dec: spi=ca646446 esp=aes key=32 ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e
       ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec
  enc: spi=0b514df2 esp=aes key=32 a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196
       ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d
  dec:pkts/bytes=5/245, enc:pkts/bytes=4/464
  npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0
To view the L2TP VPN status:
diagnose debug enable
diagnose vpn l2tp status
----
----

HQ # Num of tunnels: 2
----
Tunnel ID = 1 (local id), 42 (remote id)  to 10.1.100.15:1701 
   control_seq_num = 2, control_rec_seq_num = 4,
   last recv pkt = 2
Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1,
      assigned ip = 10.10.10.2
      data_seq_num = 0,
      tx = 152 bytes (2), rx= 21179 bytes (205)
Tunnel ID = 3 (local id), 34183 (remote id)  to 22.1.1.2:58825 
   control_seq_num = 2, control_rec_seq_num = 4,
   last recv pkt = 2
Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2,
      assigned ip = 10.10.10.3
      data_seq_num = 0,
      tx = 152 bytes (2), rx= 0 bytes (0)
----
--VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100
        enforece-ipsec = false
----


L2TP over IPsec

This is an example of L2TP over IPsec.

This example uses a locally defined user for authentication, a Windows PC or Android tablet as the client, and net-device set to enable in the phase1-interface settings. If net-device is set to disable, only one device behind the same NAT device can establish an L2TP over IPsec tunnel.

To configure L2TP over an IPsec tunnel using the GUI:
  1. Go to VPN > IPsec Wizard.

  2. Enter a VPN Name. In this example, L2tpoIPsec.
  3. Configure the following settings for VPN Setup:
    1. For Template Type, select Remote Access.
    2. For Remote Device Type, select Native and Windows Native.
    3. Click Next.
  4. Configure the following settings for Authentication:
    1. For Incoming Interface, select port9.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key (a placeholder for this example; use a long, randomly generated key in production).
    4. For User Group, select L2tpusergroup.
    5. Click Next.
  5. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select port10.
    2. Configure the Local Address as 172.16.101.0.
    3. Configure the Client Address Range as 10.10.10.1-10.10.10.100.
    4. Leave the Subnet Mask at its default value.
    5. Click Create.
To configure L2TP over an IPsec tunnel using the CLI:
  1. Configure the WAN interface and static route on HQ.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end   
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next  
    end   
  2. Configure IPsec phase1-interface and phase2-interface on HQ. The proposal lists below include legacy algorithms (3DES, MD5) for client compatibility; restrict them to the strongest set your clients support, and replace the psksecret placeholder with a strong key.
    config vpn ipsec phase1-interface
        edit "L2tpoIPsec"
            set type dynamic
            set interface "port9"
            set peertype any
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set dpd on-idle
            set dhgrp 2
            set net-device enable
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "L2tpoIPsec"
            set phase1name "L2tpoIPsec"
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set pfs disable
            set encapsulation transport-mode
            set l2tp enable
        next
    end
  3. Configure a user and user group on HQ. The password shown is an example value only; use a strong password in production.
    config user local
        edit "usera"
            set type password
            set passwd usera
            next
    end
    config user group
        edit "L2tpusergroup"
            set member "usera"
        next
    end
  4. Configure L2TP on HQ.
    config vpn l2tp
        set status enable
        set eip 10.10.10.100
        set sip 10.10.10.1
        set usrgrp "L2tpusergroup"
    end
  5. Configure a firewall address covering the L2TP client address range (the same range assigned to clients in the L2TP settings); it is referenced as the source address in the firewall policy once the L2TP tunnel is established.
    config firewall address
        edit "L2TPclients"
            set type iprange
            set start-ip 10.10.10.1
            set end-ip 10.10.10.100
        next
    end
  6. Configure the firewall policies: policy 1 allows the L2TP negotiation from the tunnel interface, and policy 2 allows tunnel clients to reach the internal network. The address object 172.16.101.0 referenced as the destination in policy 2 is not created in these CLI steps and must already exist.
    config firewall policy
        edit 1
            set name "Bridge_IPsec_port9_for_l2tp negotiation"
            set srcintf "L2tpoIPsec"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "L2TP"
        next
        edit 2
            set srcintf "L2tpoIPsec"
            set dstintf "port10"
            set srcaddr "L2TPclients"
            set dstaddr "172.16.101.0"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To view the VPN tunnel list on HQ (this output includes the live SA encryption and authentication keys, so redact it before sharing):
diagnose vpn tunnel list

list all ipsec tunnel in vd 0
----
name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg 
 parent=L2tpoIPsec index=0
proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
stat: rxp=470 txp=267 rxb=57192 txb=12679
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
  src: 17:22.1.1.1-22.1.1.1:1701
  dst: 17:10.1.100.15-10.1.100.15:0
  SA:  ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048
       seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0
  life: type=01 bytes=0/0 timeout=3585/3600
  dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc
       ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432
  enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9
       ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a
  dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744
  npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0
----
name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg 
 parent=L2tpoIPsec index=1
proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0
stat: rxp=5 txp=4 rxb=592 txb=249
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
  src: 17:22.1.1.1-22.1.1.1:1701
  dst: 17:22.1.1.2-22.1.1.2:0
  SA:  ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048
       seqno=5 esn=0 replaywin_lastseq=00000005 itn=0
  life: type=01 bytes=0/0 timeout=28790/28800
  dec: spi=ca646446 esp=aes key=32 ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e
       ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec
  enc: spi=0b514df2 esp=aes key=32 a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196
       ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d
  dec:pkts/bytes=5/245, enc:pkts/bytes=4/464
  npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0
To view the L2TP VPN status:
diagnose debug enable
diagnose vpn l2tp status
----
----

HQ # Num of tunnels: 2
----
Tunnel ID = 1 (local id), 42 (remote id)  to 10.1.100.15:1701 
   control_seq_num = 2, control_rec_seq_num = 4,
   last recv pkt = 2
Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1,
      assigned ip = 10.10.10.2
      data_seq_num = 0,
      tx = 152 bytes (2), rx= 21179 bytes (205)
Tunnel ID = 3 (local id), 34183 (remote id)  to 22.1.1.2:58825 
   control_seq_num = 2, control_rec_seq_num = 4,
   last recv pkt = 2
Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2,
      assigned ip = 10.10.10.3
      data_seq_num = 0,
      tx = 152 bytes (2), rx= 0 bytes (0)
----
--VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100
        enforece-ipsec = false
----