Deploying a lightweight VPN option for remote clients that balances compatibility, security, and ease of deployment is a common requirement for administrators. This guide walks through configuring L2TP over IPsec on a FortiGate device with practical, technical detail — from prerequisite checks to CLI snippets, firewall policies, and troubleshooting tips. The goal is a stable, secure remote-access solution suitable for site administrators, developers, and enterprise IT teams.
Why choose L2TP over IPsec on FortiGate
L2TP (Layer 2 Tunneling Protocol) combined with IPsec provides strong encryption while retaining native client support across Windows, macOS, and many mobile platforms. FortiGate’s implementation integrates with local user databases or external authentication sources (RADIUS/LDAP) and can be tied into existing security policies and address pools.
Key advantages:
- Native client support on major OSs — no extra client for many endpoints.
- IPsec provides confidentiality and integrity (ESP) with negotiated encryption suites.
- Granular control — tie remote users to IP pools, apply policies, logging, and NAT as needed.
Prerequisites and design decisions
Before starting, verify the following:
- FortiOS version supports L2TP-over-IPsec (most modern FortiOS releases do).
- Publicly routable IP on the WAN interface (or proper NAT traversal if behind a NAT device).
- Firewall and upstream devices allow UDP 500/4500 and IP protocol 50 (ESP) as needed.
- A user database (local users or external RADIUS/LDAP) configured for remote authentication.
- Address pool for assigning client IPs that do not overlap your internal subnets.
High-level configuration flow
Configuration is typically done in this order:
- Create user accounts or configure external authentication.
- Configure an IP pool for L2TP clients.
- Define IPsec Phase 1 and Phase 2 settings (IKEv1 or IKEv2 as required).
- Create an L2TP interface tied to the IPsec configuration.
- Apply firewall policies to allow traffic from VPN clients to internal resources and the internet (if needed).
- Optional: Configure split tunneling, DNS settings, and logging.
Sample CLI configuration (step-by-step)
The following CLI snippets illustrate a common setup: IPsec IKEv1 with L2TP, a local user, and a small IP pool. Adapt names, IPs, and encryption suites for your environment.
1) Create a local user and group
Use local users for small deployments. For enterprise, point to RADIUS or LDAP.
config user local
edit "l2tp-user"
set type password
set passwd
next
end
config user group
edit "L2TP_Users"
set member "l2tp-user"
next
end2) Create an IP pool for L2TP clients
config firewall ippool
edit "L2TP_POOL"
set startip 10.10.10.2
set endip 10.10.10.50
next
end3) IPsec Phase1 (IKE) configuration
This example uses IKEv1 mode with aggressive exchange for dynamic remote clients. For stronger security, use IKEv2 where available and supported by your clients.
config vpn ipsec phase1-interface
edit "L2TP_P1"
set type dynamic
set interface "wan1"
set mode aggressive
set net-device enable
set proposal aes256-sha1
set dhgrp 14
set psksecret
next
end4) Phase2 and L2TP interface
config vpn ipsec phase2-interface
edit "L2TP_P2"
set phase1name "L2TP_P1"
set proposal aes256-sha1
set pfs disable
set keepalive enable
next
end
config system interface
edit "L2TP_IF"
set vdom "root"
set ip 0.0.0.0 0.0.0.0
set type tunnel
set snmp-index 0
set remote-ip 0.0.0.0
next
endNote: FortiGate maps the L2TP traffic to a virtual interface. The actual mapping may vary by FortiOS version. Adjust commands accordingly for your release (some versions use a built-in L2TP server config).
5) Bind authentication and IP pool
Configure the FortiGate L2TP server behavior so authenticated users receive an IP from the pool and are associated with the user group.
config vpn l2tp
set status enable
set ippool "L2TP_POOL"
set auth "L2TP_Users"
set ipsec enable
endIf your FortiOS release lacks a direct config vpn l2tp stanza, use the GUI option under VPN -> L2TP or follow vendor docs for the exact CLI path on your firmware.
6) Firewall policies and NAT
Permit traffic from the L2TP interface to internal resources and (optionally) to the internet. If clients need internet access through the FortiGate, apply NAT on the outbound policy.
config firewall policy
edit 0
set name "L2TP-to-LAN"
set srcintf "L2TP_IF"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 0
set name "L2TP-to-Internet"
set srcintf "L2TP_IF"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set nat enable
set schedule "always"
set service "ALL"
next
endClient configuration and settings
OS clients must be configured for L2TP over IPsec:
- Set VPN type to “L2TP/IPsec” (Windows: choose “L2TP/IPsec” in built-in VPN client).
- Enter FortiGate WAN IP as the server address.
- Enter the username/password; set machine/user authentication as required.
- Under advanced settings, set the pre-shared key for IPsec and enable “Use preshared key for authentication”.
- For Windows, ensure the “Use default gateway on remote network” is enabled for full tunneling; disable for split-tunnel setups and configure routes accordingly.
Security hardening and recommendations
Prefer IKEv2 where supported — it offers faster rekeying, better NAT traversal, and modern cryptographic defaults. If using IKEv1, avoid legacy ciphers (MD5, DES) and prefer AES-GCM or AES-SHA families.
Additional hardening:
- Use strong PSKs or deploy certificate-based authentication for Phase 1 where possible.
- Limit connection sources with firewall policies and address restrictions.
- Implement multi-factor authentication (MFA) through RADIUS if supported.
- Enable logging and monitor VPN sessions for anomalous usage.
Troubleshooting checklist
When connections fail, check the following in order:
- Network reachability: can the client ping the FortiGate public IP?
- Port availability: ensure UDP 500 and 4500 and IP protocol 50 (ESP) are permitted by any upstream firewall/NAT.
- Phase1/Phase2 mismatches: review proposals and DH groups — client and FortiGate must match.
- Authentication errors: verify PSK and user credentials. If using RADIUS, check RADIUS logs.
- IP pool exhaustion: ensure available addresses for new sessions.
- FortiGate logs: VPN event logs show negotiation failures and often provide actionable error codes.
Example debug commands
Useful FortiGate CLI debug commands:
- Diagnose IPSec tunnels:
diagnose vpn ike gateway list— shows Phase1 status. - Session debug:
diagnose vpn ike log-filter dst-addr4thendiagnose debug application ike -1; diagnose debug enableto view negotiation steps. - View current VPN sessions:
get vpn ipsec tunnel summary(output varies by FortiOS).
Common pitfalls and operational notes
Be mindful of these operational realities:
- Double NAT scenarios often break IPsec unless NAT-T (UDP 4500) is functioning. Ensure clients and intermediate devices support NAT traversal.
- Split tunneling reduces bandwidth usage on your gateway but may expose clients to split-path security risks — decide based on policy.
- Mobile clients may experience frequent rekeying; tune rekey timers if needed for long-lived mobile use.
Deploying L2TP over IPsec on FortiGate can be a robust solution for many remote access needs when configured with secure ciphers, appropriate authentication, and well-crafted firewall policies. Test thoroughly with representative client OS versions and maintain logs for operational visibility. When scaling beyond a handful of users, consider certificate-based authentication and RADIUS with MFA for better security and manageability.
For further resources and detailed firmware-specific examples, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.