vpn : pptp
Use this command to enable PPTP and specify a local address range to reserve for remote PPTP clients. When a remote PPTP client connects to the internal network through a PPTP VPN, the client is assigned an IP address from the specified range or from the server defined in the PPTP user group.
PPTP clients must authenticate with the FortiGate unit when a PPTP session starts. To support PPTP authentication on the FortiGate unit, you must define the PPTP users who need access and then add them to a user group. For more information, see user group, user ldap, user local, user radius, user peer, and user peergrp.
You need to define a firewall policy to control services inside the PPTP tunnel. For more information, see “firewall”. When you define the firewall policy:
Create an “external -> internal” policy.
Set the source address to match the PPTP address range.
Set the destination address to reflect the private address range of the internal network behind the local FortiGate unit.
Set the policy service(s) to match the type(s) of traffic that PPTP users may generate.
Set the policy action to accept.
Enable NAT if required.
When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP client IP from a local address range or use the server defined in the PPTP user group. You select which method to use for IP address retrieval and, in the case of the user group server, provide the IP address and the user group.
The FortiGate unit retrieves the Framed-IP-Address (the actual IP address of the client) from the RADIUS accounting start/stop message when ip-mode is set to usrgrp.
config vpn pptp
    set eip <address_ipv4>
    set ip-mode {range | usrgrp}
    set local-ip <address_localip>
    set sip <address_ipv4>
    set status {enable | disable}
    set usrgrp <group_name>
end
You can configure PPTP VPNs on FortiGate units that run in NAT/Route mode. The commands are available in NAT/Route mode only. When you configure a PPTP address range for the first time, you must enter a starting IP address, an ending IP address, and a user group.
eip <address_ipv4>
The ending address of the PPTP address range.
ip-mode {range | usrgrp}
Select one of:
range — Assign user IP addresses from the IP address range configured by sip and eip.
usrgrp — Retrieve the IP address from the user group used to authenticate the user. Select the user group in usrgrp.
local-ip <address_localip>
Enter the IP address to be used for the peer’s remote IP on the PPTP client side.
sip <address_ipv4>
The starting address of the PPTP IP address range.
status {enable | disable}
Enable or disable PPTP VPN.
usrgrp <group_name>
This field is available when ip-mode is set to usrgrp.
Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see user group, user ldap, user local, user radius, user peer, and user peergrp.
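Example (added here, not part of the original reference): a range-mode PPTP setup with the matching “external -> internal” firewall policy described above. The interface names wan1 and internal, all object names, the address ranges, the password placeholder and the HTTP/HTTPS service list are assumptions; substitute the values and the services your PPTP users actually need.

```fortios
# Assumed local user and group for PPTP authentication
config user local
    edit "pptp_user1"
        set type password
        set passwd <password_placeholder>
    next
end
config user group
    edit "PPTP_Group"
        set member "pptp_user1"
    next
end

# Enable PPTP and reserve 10.254.0.10-10.254.0.20 for clients (constructed range).
# A user group is required the first time the range is configured.
config vpn pptp
    set status enable
    set ip-mode range
    set sip 10.254.0.10
    set eip 10.254.0.20
    set usrgrp "PPTP_Group"
end

# Address objects: source mirrors sip/eip, destination is the internal network
config firewall address
    edit "PPTP_range"
        set type iprange
        set start-ip 10.254.0.10
        set end-ip 10.254.0.20
    next
    edit "Internal_net"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# external -> internal policy limited to the services PPTP users may generate
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "PPTP_range"
        set dstaddr "Internal_net"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
```

If sip or eip changes later, update the PPTP_range address object to match; otherwise clients assigned addresses outside the object will not match this policy. Add set nat enable to the policy only if NAT is required.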