Chapter 11 IPsec VPN for FortiOS 5.0 : L2TP and IPsec (Microsoft VPN) : Configuring the FortiGate unit : Configuring security policies
  
Configuring security policies
The security policies required for L2TP over IPsec VPN are:
an IPSEC policy, as you would create for any policy-based IPsec VPN
a regular ACCEPT policy to allow traffic from the L2TP clients to access the protected network
Configuring the IPSEC security policy - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type as VPN and leave the Policy Subtype as IPsec.
3. Enter the following information and select OK:
Local Interface: Select the interface that connects to the private network behind this FortiGate unit.
Local Protected Subnet: All
Outgoing VPN Interface: Select the FortiGate unit's public interface.
Remote Protected Subnet: All
VPN Tunnel: Select Use Existing and select the name of the phase 1 configuration that you created. For example, dialup_p1. See "Configuring IPsec".
Allow traffic to be initiated from the remote site: Enable
Configuring the IPSEC security policy - CLI
If your VPN tunnel (phase 1) is called dialup_p1, your protected network is on port2, and your public interface is port1, you would enter:
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action ipsec
        set schedule always
        set service ANY
        set inbound enable
        set vpntunnel dialup_p1
    next
end
Configuring the ACCEPT security policy - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and select OK:
Incoming Interface: Select the FortiGate unit's public interface.
Source Address: Select the firewall address that you defined for the L2TP clients.
Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
Destination Address: All
Action: ACCEPT
Configuring the ACCEPT security policy - CLI
If your public interface is port1, your protected network is on port2, and L2TPclients is the firewall address you defined for the address range that L2TP clients use, you would enter:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr L2TPclients
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end
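The point of the two policies above is that the IPsec policy admits the tunnel while the ACCEPT policy decides who gets through it, so the ACCEPT policy's source must stay the L2TP client address object rather than all. The following Python script is an added example, not Fortinet code or output: it parses a constructed `config firewall policy` dump shaped like the two policies on this page (the policy IDs 1 and 2, the quoting of values and the interface names are assumptions) and reports when either policy is missing, points at the wrong interfaces, lacks `set inbound enable`, or accepts from `all` on the public interface.

```python
import re

# Constructed sample of what a 'config firewall policy' dump looks like for the
# two policies this page creates. Policy IDs 1 and 2, the quoting style and the
# interface names are assumptions, not output captured from a real unit.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set vpntunnel "dialup_p1"
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "L2TPclients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""


def parse_policies(text):
    """Parse a 'config firewall policy' dump into {policy_id: {setting: value}}.

    Only the edit/set/next structure is handled; quotes are stripped so that
    "all" and all compare equal.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            policies[current][m.group(1)] = m.group(2).replace('"', "").strip()
    return policies


def audit_l2tp_policies(policies, public_if, private_if, tunnel, client_addr):
    """Return a list of findings; an empty list means both policies look right.

    Checks: an IPsec policy references the tunnel with the expected interfaces
    and 'inbound enable'; an ACCEPT policy from the public interface into the
    private network exists and is limited to the L2TP client address object.
    """
    findings = []
    ipsec = [(pid, p) for pid, p in policies.items()
             if p.get("action") == "ipsec" and p.get("vpntunnel") == tunnel]
    if not ipsec:
        findings.append(f"no IPsec policy references tunnel {tunnel}")
    for pid, p in ipsec:
        if (p.get("srcintf"), p.get("dstintf")) != (private_if, public_if):
            findings.append(f"policy {pid}: expected srcintf {private_if}, dstintf {public_if}")
        if p.get("inbound") != "enable":
            findings.append(f"policy {pid}: 'set inbound enable' missing, clients cannot initiate")
    accept = [(pid, p) for pid, p in policies.items()
              if p.get("action") == "accept"
              and p.get("srcintf") == public_if and p.get("dstintf") == private_if]
    if not accept:
        findings.append(f"no ACCEPT policy from {public_if} to {private_if} for L2TP clients")
    for pid, p in accept:
        src = p.get("srcaddr", "all")
        if src == "all":
            findings.append(f"policy {pid}: srcaddr is 'all'; restrict it to {client_addr}")
        elif src != client_addr:
            findings.append(f"policy {pid}: srcaddr {src} is not the L2TP client object {client_addr}")
    return findings


if __name__ == "__main__":
    result = audit_l2tp_policies(parse_policies(SAMPLE_CONFIG),
                                 "port1", "port2", "dialup_p1", "L2TPclients")
    print("OK" if not result else "\n".join("FINDING: " + f for f in result))
```

Feed the script the text of your own policy dump in place of SAMPLE_CONFIG; a clean result is the empty list, and each finding names the policy ID so you can go back to the corresponding step above.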