Fortigate CLI L2TP and IPsec (Microsoft VPN) Configuration Instructions

 
L2TP and IPsec (Microsoft VPN) Configuration Instructions
The following sections cover configuring the FortiGate unit and then configuring the Windows PC so that the two ends agree on the pre-shared key, the IPsec proposal and the user credentials.
 
*Original Fortigate article URL:
 http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/L2TP_and_IPsec/Config_Overview.htm
 
1. Create a user account
To create a local user account called vpnuser with the password 123_user, enter the following. The password shown is only an example; this is the credential the Windows client sends over MS-CHAP v2 inside the tunnel, so use a strong one in practice:
config user local
edit vpnuser
set type password
set passwd "123_user"
set status enable
end
 
2. Create a user group
To create the user group L2TP_group and add the members User_1, User_2, and User_3 (each must already exist as a local user; to use the account from step 1, list vpnuser instead), enter:
config user group
edit L2TP_group
set group-type firewall
set member User_1 User_2 User_3
end
 
3. Configuring L2TP
To enable the L2TP server, hand out addresses from the pool 192.168.0.50 to 192.168.0.59 (sip to eip) to connecting clients, and allow only members of L2TP_group to dial in, enter:
config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end
 
4. Create a firewall address range
Create an address object covering the same range as the L2TP pool so that the security policy in step 8 can match decrypted client traffic by source address:
config firewall address
edit L2TPclients
set type iprange
set start-ip 192.168.0.50
set end-ip 192.168.0.59
end
 
5. Configuring Phase 1
To create a dynamic (dialup) Phase 1 configuration called dialup_p1 on a FortiGate unit whose port1 is connected to the Internet, enter the following. Replace ******** with your pre-shared key; the same key must be entered on every Windows client, and it is separate from the user's password. The proposal list below is the one from the original article; 3DES and MD5 are deprecated, so keep only the proposals your clients actually negotiate and prefer AES with SHA-1 or stronger. DH group 2 (1024-bit MODP) is likewise weak, but it is what the built-in Windows client offers unless the client is reconfigured. nattraversal must stay enabled, since most clients sit behind a NAT:
config vpn ipsec phase1
edit dialup_p1
set type dynamic
set interface port1
set mode main
set psksecret ********
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set nattraversal enable
end
 
6. Configuring Phase 2
To configure a Phase 2 that pairs with the dialup_p1 Phase 1 (in the GUI this is the Phase 2 Selectors panel), enter the following. Transport mode is required because L2TP/IPsec carries the L2TP/PPP session inside a transport-mode ESP SA, and PFS is disabled because the Windows built-in client does not request it:
config vpn ipsec phase2
edit dialup_p2
set phase1name dialup_p1
set proposal aes256-md5 3des-sha1 aes192-sha1
set replay enable
set pfs disable
set keylifeseconds 3600
set encapsulation transport-mode
end
 
7. Configuring the IPsec security policy
If your VPN tunnel (Phase 1) is called dialup_p1, your protected network is on port2, and your public interface is port1, you would enter:
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr all
set action ipsec
set schedule always
set service all
set inbound enable
set vpntunnel dialup_p1
end
 
8. Configuring the ACCEPT security policy
This policy admits decrypted traffic from the L2TP clients into the protected network. If your public interface is port1, your protected network is on port2, and L2TPclients is the address range that L2TP clients use, you would enter the following (in production, narrow dstaddr and service to what the clients actually need rather than all):
config firewall policy
edit 0
set srcintf port1
set dstintf port2
set srcaddr L2TPclients
set dstaddr all
set action accept
set schedule always
set service all
end
 
*********************************************
Done
*********************************************
 
Configuring the Windows PC
Configuration of the Windows PC for a VPN connection to the FortiGate unit consists of creating a VPN network connection and then setting its security options to match the FortiGate configuration above:
 
Configuring a VPN network connection
1. Open "Network and Sharing Center" (available through the Control Panel).
2. Click "Set up a new connection or network", towards the bottom of the screen.
3. Select "Connect to a workplace" and click Next.
4. If asked whether to use an existing connection, choose "No, create a new connection".
5. Select "Use my Internet connection (VPN)".
6. Enter the FortiGate's WAN IP (its port1 address) for "Internet address".
7. Enter a name for the VPN, such as its location, for "Destination name".
8. Click Create, then Close.
9. Open the new connection's Properties, go to the Security tab and set "Type of VPN" to "Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)". Under "Advanced settings", choose "Use preshared key for authentication" and enter the psksecret value from the FortiGate Phase 1 configuration.
10. On the same tab, under "Allow these protocols", keep "Microsoft CHAP Version 2 (MS-CHAP v2)" enabled. When connecting, log in with the FortiGate local user account from step 1 (for example vpnuser and its password); the pre-shared key is never used as the login password.
11. Done
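The same client setup, done from PowerShell instead of the wizard, as an added example that is not part of the original Fortinet article. It sets explicitly the two things the wizard never asks for (the IPsec pre-shared key and the authentication method), pins the client to a proposal that appears in both the Phase 1 and Phase 2 lists above, adds the client-side NAT-traversal registry value, dials in with the FortiGate local account, and then checks that the address the FortiGate assigned falls inside the L2TP pool from step 3. The server address 203.0.113.1 and the connection name are assumptions (placeholders); the user name, pool and proposal come from the configuration above.

```powershell
# Added example, not from the Fortinet article or Microsoft documentation.
# Run in an elevated PowerShell: the registry change needs administrator rights
# and takes effect after a reboot.
#
# Assumptions not on the original page: the FortiGate port1 (WAN) address is
# 203.0.113.1 (a TEST-NET-3 placeholder) and the connection name is arbitrary.

$ServerAddress  = '203.0.113.1'                      # FortiGate WAN IP (assumed)
$ConnectionName = 'FortiGate L2TP'                   # arbitrary (assumed)
$VpnUser        = 'vpnuser'                          # local user from step 1
$L2tpPool       = @('192.168.0.50', '192.168.0.59')  # set sip / set eip from step 3

# The IPsec pre-shared key must equal "set psksecret" in Phase 1. Prompt for it
# rather than hard-coding it in a script that ends up in version control.
$Psk = Read-Host -Prompt 'IPsec pre-shared key (same as set psksecret on the FortiGate)'

# 1. Create the connection. EncryptionLevel Required refuses a fallback to an
#    unencrypted PPP session; MS-CHAP v2 is what the FortiGate local user
#    (type password) authenticates with.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType L2tp `
                  -L2tpPsk $Psk `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -Force

# 2. Pin the client to one proposal present in BOTH the Phase 1 and Phase 2 lists
#    on the FortiGate (aes192-sha1, DH group 2, PFS disabled) so it never offers
#    3DES or MD5. The cmdlet configures custom IPsec policy for RAS connections;
#    if a given Windows build rejects it for an L2TP tunnel, the connection still
#    negotiates with the defaults, so the failure is reported rather than fatal.
try {
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -EncryptionMethod AES192 `
        -IntegrityCheckMethod SHA1 `
        -CipherTransformConstants AES192 `
        -AuthenticationTransformConstants SHA196 `
        -DHGroup Group2 `
        -PfsGroup None `
        -Force
} catch {
    Write-Warning "Custom IPsec policy not applied: $($_.Exception.Message)"
}

# 3. Client-side NAT traversal. "set nattraversal enable" on the FortiGate is not
#    enough: Windows will not build the IPsec SA to a server behind a NAT unless
#    this value is set (1 = server behind NAT, 2 = client and server behind NAT).
$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $policyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
                 -PropertyType DWord -Value 2 -Force | Out-Null

# 4. Dial with the FortiGate local account. "*" makes rasdial prompt for the
#    password instead of leaving it in the shell history.
rasdial "$ConnectionName" $VpnUser *

# 5. Verify: tunnel status, and whether the PPP address lies inside the pool the
#    FortiGate hands out (sip..eip). The PPP adapter's alias is the connection name.
function ConvertTo-UInt32 ([string]$ip) {
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [array]::Reverse($bytes)                  # network order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

$conn = Get-VpnConnection -Name $ConnectionName
$addr = (Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 `
             -ErrorAction SilentlyContinue).IPAddress
$inPool = $false
if ($addr) {
    $n = ConvertTo-UInt32 $addr
    $inPool = ($n -ge (ConvertTo-UInt32 $L2tpPool[0])) -and
              ($n -le (ConvertTo-UInt32 $L2tpPool[1]))
}

[pscustomobject]@{
    Connection = $conn.Name
    Status     = $conn.ConnectionStatus
    Server     = $conn.ServerAddress
    ClientIP   = $addr
    InPool     = $inPool
}
```

If InPool comes back False while Status is Connected, the client negotiated with a different L2TP pool than the one in step 3, which usually means the configuration was applied to another VDOM or unit; if the connection fails before authentication, check that the Windows event log shows the IKE proposal being rejected (a Phase 1 mismatch) rather than a credential error.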