Configuring the FortiGate unit
To configure the FortiGate unit, you must:
- Configure L2TP users and a firewall user group.
- Configure the L2TP VPN, including the IP address range it assigns to clients.
- Configure an IPsec VPN with encryption and authentication settings that match the Microsoft VPN client.
- Configure security policies.
Configuring L2TP users and the firewall user group
Remote users must be authenticated before they can request services and/or access network resources through the VPN. The authentication process can use a password defined on the FortiGate unit or an established external authentication mechanism such as RADIUS or LDAP.
Creating user accounts
You need to create user accounts and then add these users to a firewall user group to be used for L2TP authentication. The Microsoft VPN client can automatically send the user's Windows network logon credentials; you might want to use these as the L2TP user name and password.
To create a user account - web-based manager
- Go to User & Device > User > User Definition and select Create New.
- Enter the User Name.
- Do one of the following:
- Select Password and enter the user’s assigned password.
- Select Match user on LDAP server, Match user on RADIUS server, or Match user on TACACS+ server and select the authentication server from the list. The authentication server must already be configured on the FortiGate unit.
- Select OK.
To create a user account - CLI
To create a user account called user1 with the password 123_user, enter:
config user local
edit user1
set type password
set passwd "123_user"
set status enable
end
Creating a user group
When clients connect using the L2TP-over-IPsec VPN, the FortiGate unit checks their credentials against the user group you specify for L2TP authentication. You need to create a firewall user group to use for this purpose.
To create a user group - web-based manager
- Go to User & Device > User > User Groups, select Create New, and enter the following:
Name | Type or edit the user group name (for example, L2TP_group). |
Type | Select Firewall. |
Available Users/Groups | The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that can be added to the user group. To add a member to this list, select the name and then select the right arrow button. |
Members | The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that belong to the user group. To remove a member, select the name and then select the left arrow button. |
- Select OK.
To create a user group - CLI
To create the user group L2TP_group and add members User_1, User_2, and User_3, enter:
config user group
edit L2TP_group
set group-type firewall
set member User_1 User_2 User_3
end
Configuring L2TP
You can only configure L2TP settings in the CLI. As well as enabling L2TP, you set the range of IP address values that are assigned to L2TP clients and specify the user group that can access the VPN. For example, to allow access to users in the L2TP_group and assign them addresses in the range 192.168.0.50 to 192.168.0.59, enter:
config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end
One of the security policies for the L2TP over IPsec VPN uses the client address range, so you also need to create a firewall address for that range. It must match the sip/eip range you set in config vpn l2tp. For example,
config firewall address
edit L2TPclients
set type iprange
set start-ip 192.168.0.50
set end-ip 192.168.0.59
end
Alternatively, you could define this range in the web-based manager.
Configuring IPsec
The Microsoft VPN client uses IPsec for encryption. The configuration needed on the FortiGate unit is the same as for any other IPsec VPN, with the following exceptions:
- Transport mode is used instead of tunnel mode.
- The encryption and authentication proposals must be compatible with the Microsoft client. The proposals listed below include MD5 and 3DES, which are legacy algorithms; offer them only because the client requires them, and drop them once the clients support stronger options.
L2TP over IPsec is supported on the FortiGate unit using policy-based, not route-based, configurations.
When configuring L2TP, do not name the VPN "L2TP", as that results in a name conflict with the L2TP configuration.
Configuring Phase 1 - web-based manager
- Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
- Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
Name | Enter a name for this VPN, dialup_p1 for example. |
Remote Gateway | Dialup User |
Local Interface | Select the network interface that connects to the Internet. For example, port1. |
Mode | Main (ID protection) |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. This key must also be entered in the Microsoft VPN client. |
Advanced | Select Advanced to enter the following information. |
Phase 1 Proposal | Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1 |
Diffie-Hellman Group | 2 |
NAT Traversal | Enable |
Dead Peer Detection | Enable |
Configuring Phase 1 - CLI
To create a Phase 1 configuration called dialup_p1 on a FortiGate unit that has port1 connected to the Internet, you would enter:
config vpn ipsec phase1
edit dialup_p1
set type dynamic
set interface port1
set mode main
set psksecret ********
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set nattraversal enable
set dpd enable
end
Configuring Phase 2 - web-based manager
- Open the Phase 2 Selectors panel.
- Enter the following information and then select OK.
Phase 2 Proposal | Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1 |
Enable replay detection | Enable |
Enable perfect forward secrecy (PFS) | Disable |
Keylife | 3600 seconds |
- Make this a transport-mode VPN. You must use the CLI to do this. If your Phase 2 name is dialup_p2, you would enter:
config vpn ipsec phase2
edit dialup_p2
set encapsulation transport-mode
end
Configuring Phase 2 - CLI
To configure a Phase 2 that works with the dialup_p1 Phase 1 configuration above, you would enter:
config vpn ipsec phase2
edit dialup_p2
set phase1name dialup_p1
set proposal aes256-md5 3des-sha1 aes192-sha1
set replay enable
set pfs disable
set keylifeseconds 3600
set encapsulation transport-mode
end
Configuring security policies
The security policies required for L2TP over IPsec VPN are:
- An IPsec policy, as you would create for any policy-based IPsec VPN
- A regular ACCEPT policy to allow traffic from the L2TP clients to access the protected network
Configuring the IPsec security policy - web-based manager
- Go to System > Config > Features and enable Policy-based IPsec VPN.
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Set the Action to IPsec and enter the following information:
Incoming Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Source Address | All |
Outgoing Interface | Select the FortiGate unit’s public interface. |
Destination Address | All |
VPN Tunnel | Select Use Existing and select the name of the Phase 1 configuration that you created. For example, dialup_p1. See Configuring IPsec. |
Allow traffic to be initiated from the remote site | Enable |
- Select OK.
Configuring the IPsec security policy - CLI
If your VPN tunnel (Phase 1) is called dialup_p1, your protected network is on port2, and your public interface is port1, you would enter:
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr all
set action ipsec
set schedule always
set service all
set inbound enable
set vpntunnel dialup_p1
end
Configuring the ACCEPT security policy - web-based manager
- Go to Policy & Objects > Policy > IPv4 and select Create New.
- Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
- Enter the following information and select OK:
Incoming Interface | Select the FortiGate unit’s public interface. |
Source Address | Select the firewall address that you defined for the L2TP clients. |
Outgoing Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Destination Address | All |
Action | ACCEPT |
Configuring the ACCEPT security policy - CLI
If your public interface is port1, your protected network is on port2, and L2TPclients is the address range that L2TP clients use, you would enter the following. As in the IPsec policy, edit 0 creates a new policy with the next free ID rather than overwriting the policy you just created:
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr L2TPclients
set dstaddr all
set action accept
set schedule always
set service all
end
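The procedure above spreads one VPN across five CLI tables that must agree with each other: the L2TP address pool must match the firewall address object the ACCEPT policy uses, Phase 2 must be transport mode and bound to the dialup Phase 1, the Phase 1 must not be called L2TP, and the IPsec policy must reference that Phase 1 with inbound traffic allowed. The following checker is an added example, not Fortinet code or a FortiOS feature: it parses the config/edit/set/next/end grammar of the CLI snippets on this page and verifies those cross-references before the configuration is pushed to a unit. PAGE_CONFIG is a constructed input assembled from the page's own snippets (trimmed to the settings the checks read, with `next` closing each entry as the real CLI requires); the legacy-algorithm warning is an editorial check, not something the page states.

```python
# Added example (not Fortinet code): a static consistency check for the FortiOS CLI snippets
# on this page, covering the cross-references the L2TP-over-IPsec setup depends on.
import shlex

# Constructed input: the page's snippets, trimmed to the settings the checks look at,
# with `next` closing each edit as the real CLI requires.
PAGE_CONFIG = """
config vpn l2tp
    set sip 192.168.0.50
    set eip 192.168.0.59
    set status enable
end
config firewall address
    edit L2TPclients
        set type iprange
        set start-ip 192.168.0.50
        set end-ip 192.168.0.59
    next
end
config vpn ipsec phase1
    edit dialup_p1
        set type dynamic
        set proposal aes256-md5 3des-sha1 aes192-sha1
    next
end
config vpn ipsec phase2
    edit dialup_p2
        set phase1name dialup_p1
        set encapsulation transport-mode
    next
end
config firewall policy
    edit 0
        set action ipsec
        set inbound enable
        set vpntunnel dialup_p1
    next
    edit 0
        set srcaddr L2TPclients
        set action accept
    next
end
"""
LEGACY_ALGS = ("md5", "3des")  # required by older Windows clients, deprecated today


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; a table set without `edit` uses entry None.
    `edit 0` gets the next free numeric ID, as the CLI does, so two `edit 0` blocks
    become two distinct policies instead of overwriting one another."""
    cfg, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table, entry = " ".join(args), None
            cfg.setdefault(table, {})
        elif cmd == "edit":
            entry = str(len(cfg[table]) + 1) if args[0] == "0" else args[0]
            cfg[table].setdefault(entry, {})
        elif cmd == "set":
            cfg[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            entry, table = None, (None if cmd == "end" else table)
    return cfg


def check_l2tp_config(cfg):
    """Return (errors, warnings): errors are conditions the page states must hold."""
    errors, warnings = [], []
    l2tp = cfg.get("vpn l2tp", {}).get(None, {})
    sip, eip = l2tp.get("sip", [None])[0], l2tp.get("eip", [None])[0]
    # The ACCEPT policy needs a firewall address object equal to the L2TP client pool.
    pool_objs = [n for n, a in cfg.get("firewall address", {}).items() if a.get("type")
                 == ["iprange"] and a.get("start-ip") == [sip] and a.get("end-ip") == [eip]]
    if not pool_objs:
        errors.append(f"no iprange address object matches the L2TP pool {sip}-{eip}")
    p1s = cfg.get("vpn ipsec phase1", {})
    for name, p1 in p1s.items():
        if name.lower() == "l2tp":
            errors.append("Phase 1 must not be named L2TP (name conflict)")
        if p1.get("type") != ["dynamic"]:
            errors.append(f"phase1 {name}: dialup clients need type dynamic")
        for alg in p1.get("proposal", []):
            if any(w in alg for w in LEGACY_ALGS):
                warnings.append(f"phase1 {name}: legacy proposal {alg}")
    for name, p2 in cfg.get("vpn ipsec phase2", {}).items():
        if p2.get("phase1name", [None])[0] not in p1s:
            errors.append(f"phase2 {name}: phase1name is not an existing Phase 1")
        if p2.get("encapsulation") != ["transport-mode"]:
            errors.append(f"phase2 {name}: L2TP over IPsec requires transport-mode")
    pols = list(cfg.get("firewall policy", {}).values())
    if not any(p.get("action") == ["ipsec"] and p.get("inbound") == ["enable"]
               and p.get("vpntunnel", [None])[0] in p1s for p in pols):
        errors.append("no IPsec policy with inbound enabled references the Phase 1")
    if not any(p.get("action") == ["accept"] and set(p.get("srcaddr", [])) & set(pool_objs)
               for p in pols):
        errors.append("no ACCEPT policy uses the L2TP client address object as source")
    return errors, warnings
```

Run `check_l2tp_config(parse_fortios(PAGE_CONFIG))` on the page's configuration: it returns no errors and two warnings (the aes256-md5 and 3des-sha1 proposals). Renaming the Phase 1 to L2TP, or leaving Phase 2 in tunnel mode, produces the corresponding errors, which is the kind of mistake that otherwise only shows up as a client that fails to connect.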