Configuring security policies
The security policies required for L2TP over IPsec VPN are:
• An IPsec policy, as you would create for any policy-based IPsec VPN
• A regular ACCEPT policy to allow traffic from the L2TP clients to access the protected network
Configuring the IPsec security policy - web-based manager
1. Go to System > Config > Features and enable Policy-based IPsec VPN.
2. Go to Policy & Objects > Policy > IPv4 and select Create New.
3. Set the Action to IPsec and enter the following information:
Setting | Value
--- | ---
Local Interface | Select the interface that connects to the private network behind this FortiGate unit.
Local Protected Subnet | All
Outgoing VPN Interface | Select the FortiGate unit’s public interface.
Remote Protected Subnet | All
VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration that you created. For example, dialup_p1. See “Configuring IPsec”.
Allow traffic to be initiated from the remote site | Enable
4. Select OK.
Configuring the IPsec security policy - CLI
If your VPN tunnel (Phase 1) is called dialup_p1, your protected network is on port2, and your public interface is port1, you would enter:
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action ipsec
        set schedule always
        set service ANY
        set inbound enable
        set vpntunnel dialup_p1
    next
end
Configuring the ACCEPT security policy - web-based manager
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and select OK:
Setting | Value
--- | ---
Incoming Interface | Select the FortiGate unit’s public interface.
Source Address | Select the firewall address that you defined for the L2TP clients.
Outgoing Interface | Select the interface that connects to the private network behind this FortiGate unit.
Destination Address | All
Action | ACCEPT
Configuring the ACCEPT security policy - CLI
If your public interface is port1, your protected network is on port2, and L2TPclients is the address range that L2TP clients use, you would enter:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr L2TPclients
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end
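The two CLI snippets above (the IPsec policy and the ACCEPT policy) are easy to get subtly wrong in a config backup: the IPsec policy may be missing `set inbound enable`, or the ACCEPT policy may be created with `srcaddr all` instead of the L2TP client address, which admits any source on the public interface. The following added example is not FortiGate code; it is a small Python lint that parses a `config firewall policy` block from a backup file and checks both policies against the settings this procedure calls for. The embedded configuration text is a constructed sample modelled on the snippets above (port1 public, port2 protected, tunnel dialup_p1, address object L2TPclients); the policy IDs 1 and 2 are placeholders.

```python
import re

# Constructed sample in the shape of a FortiGate config backup; it mirrors the
# two CLI snippets on this page. Policy IDs 1 and 2 are placeholders.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set vpntunnel "dialup_p1"
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "L2TPclients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""


def parse_policies(text):
    """Parse the 'config firewall policy' block into a list of dicts, one per
    'edit' entry, keyed by the 'set' option names (quotes are removed).
    Only single-value 'set' lines are handled, which is all these policies use."""
    policies, current, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif (m := re.fullmatch(r"edit\s+(\d+)", line)):
            current = {"id": int(m.group(1))}
        elif (m := re.fullmatch(r"set\s+(\S+)\s+(.+)", line)) and current is not None:
            current[m.group(1)] = m.group(2).strip().strip('"')
        elif line in ("next", "end") and current is not None:
            policies.append(current)          # 'end' also closes an open entry
            current = None
            in_block = line != "end"
        elif line == "end":
            in_block = False
    return policies


def check_l2tp_policies(policies, public_if, private_if, tunnel, client_addr):
    """Return a list of findings; an empty list means both policies required
    for L2TP over IPsec are present with the settings the procedure calls for."""
    findings = []
    ipsec = [p for p in policies
             if p.get("action") == "ipsec" and p.get("vpntunnel") == tunnel]
    if not ipsec:
        findings.append(f"no policy with 'action ipsec' references tunnel {tunnel}")
    else:
        p = ipsec[0]
        if (p.get("srcintf"), p.get("dstintf")) != (private_if, public_if):
            findings.append(f"IPsec policy {p['id']}: expected srcintf {private_if} "
                            f"and dstintf {public_if}")
        if p.get("inbound") != "enable":
            findings.append(f"IPsec policy {p['id']}: 'set inbound enable' missing, "
                            "so L2TP clients cannot initiate traffic into the tunnel")
    accept = [p for p in policies
              if p.get("action") == "accept" and p.get("srcintf") == public_if
              and p.get("dstintf") == private_if]
    if not any(p.get("srcaddr") == client_addr for p in accept):
        findings.append(f"no ACCEPT policy from {public_if} to {private_if} "
                        f"with srcaddr {client_addr}")
    for p in accept:
        if p.get("srcaddr") == "all":   # broader than the L2TP client address
            findings.append(f"ACCEPT policy {p['id']} from {public_if} admits any "
                            f"source ('all') instead of {client_addr}")
    return findings


if __name__ == "__main__":
    result = check_l2tp_policies(parse_policies(SAMPLE_CONFIG),
                                 "port1", "port2", "dialup_p1", "L2TPclients")
    print("OK" if not result else "\n".join(result))
```

To run it against a real backup, read the file into `text` and call `check_l2tp_policies(parse_policies(text), ...)` with your own interface, tunnel and address names; the parser ignores everything outside the `config firewall policy` block.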