Friday, February 15, 2013

L2TP setup Fortigate 200B 4.0MR3p12

In this post we will walk through my L2TP over IPsec configuration on a Fortigate firewall appliance.

First, here's the design:

Okay, here's the configuration:


Set up the L2TP daemon settings (sip and eip are the first and last addresses of the pool handed out to clients; usrgrp restricts who may dial in):

config vpn l2tp
    set eip
    set sip
    set status enable
    set usrgrp "Roadwarriors"
end


The user group known as Roadwarriors gives only those users access via L2TP.

show user group Roadwarriors
config user group
    edit "Roadwarriors"
        set member "kfelix" "Jill" "Mike" "Louis" "Rey" "Alan"
    next
end


Now we go for the fun part; we craft our IPsec phase1 & phase2 settings:

config vpn ipsec phase1
    edit "l2tp_dialupRA01"
        set type dynamic
        set interface "EXT_NET01"
        set dhgrp 2
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set psksecret mysecuredpsk_make_a_strong_key
    next
end

config vpn ipsec phase2
    edit "l2tp_dialupRA01p2p2"
        set encapsulation transport-mode
        set pfs disable
        set phase1name "l2tp_dialupRA01"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set keylifeseconds 3600
    next
end


Key points to take away up to this point:

  • L2TP over IPsec uses transport mode, not tunnel mode, for the IPsec phase2
  • For Windows/Mac/iPhone/Android clients the proposals aes256-md5 and 3des-sha1 are supported; MD5 and 3DES are weak by today's standards, so list them last and drop them once your clients no longer need them
  • disable PFS (the stock Windows client does not use it)
  • make the address pool (sip/eip) big enough to cover your users and future growth
  • place the users you want to allow in a user group and reference it in usrgrp; anyone outside that group is refused


Now we must craft a firewall policy.

NOTE: I crafted a firewall address object for my L2TP pool range.
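Here is the piece the post does not show, as an added example rather than the author's own running config: the address object for the L2TP pool and the two policies that go with the phase1/phase2 above. The inside interface name "internal", the pool 10.20.30.0/24 (the post does not show its sip/eip values), the object name "L2TP_POOL" and the policy IDs 10 and 11 are assumptions; the interface "EXT_NET01" and the tunnel name "l2tp_dialupRA01" are the ones from the page.

```fortios
# Added example; "internal", 10.20.30.0/24, "L2TP_POOL" and the policy
# IDs are assumed, not taken from the post.

# address object covering the pool handed out by "config vpn l2tp" (sip/eip)
config firewall address
    edit "L2TP_POOL"
        set subnet 10.20.30.0 255.255.255.0
    next
end

config firewall policy
    # policy-based IPsec: binds the dialup phase1 to the interface pair and
    # lets the remote client bring the tunnel up (inbound)
    edit 10
        set srcintf "internal"
        set dstintf "EXT_NET01"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "l2tp_dialupRA01"
    next
    # what the decapsulated L2TP clients may reach: pool -> LAN only;
    # tighten dstaddr/service to what the road warriors actually need
    edit 11
        set srcintf "EXT_NET01"
        set dstintf "internal"
        set srcaddr "L2TP_POOL"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Policy 11 is the one that decides what a connected road warrior can reach, so narrow its dstaddr and service before this goes into production. One caveat: the L2TP daemon listens on UDP 1701 on the firewall's own address independently of the IPsec configuration, so a client that can reach that port without IPsec can negotiate plain, unencrypted L2TP/PPP (this is what the comment at the end of this post describes). Later FortiOS releases add `set enforce-ipsec enable` under `config vpn l2tp` to reject such sessions; check whether your build has it, and otherwise keep UDP 1701 unreachable from the outside except through the IPsec tunnel.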

Okay, now that the basic configuration is in place, we can give it a try. In this example I'm using my Mac OS X client. The user kfelix@blahblah was created as a local user on the Fortigate.

To troubleshoot:

  • make sure your username and password are correct
  • make sure the server specified in the client configuration is correct (correct ip_addr/hostname/etc)
  • ensure you typed the PSK correctly
  • use the following diag debug commands on the Fortigate


fw01 # diag debug application  l2tp 255

fw01 # diag debug en

fw01 # diag debug console

When an end-user authenticates and is assigned an address, the debug output will show you the following:


L2TPD 97: 179:Connection established to, 51942.  Local: 1, Remote: 8.

L2TPD 29: 166:Starting call (launching pppd, opening GRE)

L2TPD 25: 334:Client control connection started (id 1), assigned ip

NOTE: your diag vpn tunnel list output will have an entry that correlates to the client's address:

diag vpn tunnel  list name l2tp_dialupRA01_0

list ipsec tunnel by names in vd 0


name=l2tp_dialupRA01_0 ver=1 serial=c X.X.X.2:4500->X.X.X.155:1205 lgwy=static tun=tunnel mode=dial_inst bound_if=27

parent=l2tp_dialupRA01 index=0

proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0

stat: rxp=252 txp=126 rxb=42992 txb=12309

dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=7

natt: mode=silent draft=32 interval=10 remote_port=1205

proxyid=l2tp_dialupRA01p2p2 proto=17 sa=1 ref=2 auto_negotiate=0 serial=1 transport-mode

  src: 17:X.X.X.2-X.X.X.2:1701

  dst: 17:X.X.X.155-X.X.X.155:51942

  SA: ref=4 options=00000006 type=00 soft=0 mtu=1424 expire=3415 replaywin=2048 seqno=7f

  life: type=01 bytes=0/0 timeout=3590/3600

  dec: spi=e17a8329 esp=aes key=32 cfed5ed6d2f7c3934b172c2ca6572a16a1db68d5d135220ed73a032a43fb39c9

       ah=md5 key=16 dce803b15318bd87822d05c7edd87db0

  enc: spi=05604708 esp=aes key=32 ad8c14dee466147f9fa1f8ba313693a2f0c342eb46f911016f4d7cf03dca556a

       ah=md5 key=16 8793434295200d87885aab46505d38be

  npu_flag=00 npu_rgwy=X.X.X.155 npu_lgwy=X.X.X.2 npu_selid=b, dec:pkts/bytes=252/24811, enc:pkts/bytes=126/18976

The proxyid line confirms transport mode over proto 17 (UDP) to port 1701, and the esp=aes key=32 / ah=md5 lines show that this client settled on aes256-md5 out of the proposal list, the weakest integrity option offered. Those dec:/enc: lines are the live SA keys, so redact them before you paste this output anywhere.

I hope this post helps you with your L2TP configurations on Fortigate firewalls.

Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed  . com

1 comment:

  1. Hello Ken, what I found out is that creating only the L2TP configuration allows the L2TP client to connect without even adding the IPSEC portion and any policy. I'm able to ping the L2TP client from one of the internal servers and honestly, that makes no sense to me. Any help would be really appreciated.