l2tp
Use this command to enable L2TP and specify a local address range to reserve for remote L2TP clients. When a remote L2TP client connects to the internal network through an L2TP VPN, the client is assigned an IP address from the specified range.
L2TP clients must authenticate with the FortiGate unit when an L2TP session starts. To support L2TP authentication on the FortiGate unit, you must define the L2TP users who need access and then add them to a user group. For more information, see user group, user ldap, user local, and user radius.
You need to define a firewall policy to control services inside the L2TP tunnel. For more information, see “firewall”. When you define the firewall policy:
Create an “external -> internal” policy.
Set the source address to match the L2TP address range.
Set the destination address to reflect the private address range of the internal network behind the local FortiGate unit.
Set the policy service(s) to match the type(s) of traffic that L2TP users may generate.
Set the policy action to accept.
Enable NAT if required.
 
FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE) encryption only. Later implementations of Microsoft L2TP for Windows use IPSec and require certificates for authentication and encryption. If you want to use Microsoft L2TP with IPSec to connect to a FortiGate unit, the IPSec and certificate elements must be disabled on the remote client. For more information, see the Disabling Microsoft L2TP for IPSec article in the Fortinet Knowledge Center.
Syntax
config vpn l2tp
    set eip <address_ipv4>
    set sip <address_ipv4>
    set status {enable | disable}
    set usrgrp <group_name>
end
 
You can configure L2TP VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only. When you configure an L2TP address range for the first time, you must enter a starting IP address, an ending IP address, and a user group.
Variable                   Description                                                            Default
eip <address_ipv4>         The ending IP address of the L2TP address range.                       0.0.0.0
sip <address_ipv4>         The starting IP address of the L2TP address range.                     0.0.0.0
status {enable | disable}  Enable or disable L2TP VPN.                                            disable
usrgrp <group_name>        This field is available when status is set to enable.                  Null
                           Enter the name of the user group for authenticating L2TP clients.
                           The user group must be added to the FortiGate configuration before
                           it can be specified here. For more information, see user group,
                           user ldap, user local, and user radius.
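A complete configuration that follows the steps above (users and group, the l2tp block, and the external -> internal policy), added here as an example and not taken from the FortiGate CLI Reference. The 192.168.20.1-192.168.20.50 client range, the 10.1.1.0/24 LAN, the wan1/internal interface names and the object names are constructed, and the user, firewall address and firewall policy syntax is assumed from the corresponding FortiOS command references rather than from this page.

```fortios
# Added example, not from the CLI Reference; names and addresses are constructed.
# 1. Define the L2TP users and put them in a group (see user local, user group).
config user local
    edit "l2tp_user1"
        set type password
        set passwd <password_str>
    next
end
config user group
    edit "L2TP_users"
        set member "l2tp_user1"
    next
end
# 2. Enable L2TP and reserve the client range. usrgrp is only available once
#    status is enable, so set the range and status first.
config vpn l2tp
    set sip 192.168.20.1
    set eip 192.168.20.50
    set status enable
    set usrgrp "L2TP_users"
end
# 3. Address objects for the policy: exactly the sip-eip range as source, so the
#    policy matches only addresses handed to L2TP clients, and the LAN as destination.
config firewall address
    edit "L2TP_clients"
        set type iprange
        set start-ip 192.168.20.1
        set end-ip 192.168.20.50
    next
    edit "Internal_LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
end
# 4. external -> internal policy with action accept. Restrict service to what
#    L2TP users need (a service group if more than one). NAT is enabled here on
#    the assumption that LAN hosts have no route back to the L2TP range.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "L2TP_clients"
        set dstaddr "Internal_LAN"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```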