L2TP over IPsec
Creating a User Group
To create a VPN tunnel via IPsec, you need to create users who will be granted access and combine them into a group. The process for creating users and groups is similar to the previous section.
IPSec Wizard
To configure L2TP over an IPsec tunnel:
- Go to VPN → IPsec Wizard.
- Select the Remote Access template type.
- For Remote Device Type, select Native and Windows Native.
- In the Name field, enter a name for the tunnel.
- Specify the Incoming Interface on which connections will arrive (in this case, wan1).
- Select Pre-shared Key as the Authentication Method and enter the secret key in the field below. This same key will later have to be entered on the client when configuring the VPN connection.
- In the User Group parameter, select the group you created under Creating a User Group.
- At the Policy & Routing stage, select from the drop-down menu the local interface to which remote clients will connect.
- In the Local Address parameter, specify the subnet to which users will have access. In this case, the all address object is selected.
- To select a specific subnet, click + and choose an address from the existing ones.
- To create a new address, click Create in the pop-up window or go to Policy & Objects → Addresses → Create New.
- In the Client Address Range field, specify the pool of addresses that will be assigned to remote clients when they connect.
- Make sure this range does not overlap with the internal addressing.
- Leave the default Subnet Mask.
- Click Create.
After that, a tunnel is created, and a summary of created objects appears on the screen.
Configuring a Connection on a Windows client
To configure a VPN connection in Windows:
- Go to Network and Sharing Center → Set up a new connection or network.
- In the new window, select Connect to a workplace, and then Use my Internet connection (VPN).
- Enter the FortiGate IP address in the Internet address field.
- Enter a name for the connection in the Destination name field.
- After that, the created connection will appear among the available networks.
- Go to the Change adapter settings tab in the Network and Sharing Center window.
- Select the created VPN connection from the networks that appear.
- Right-click it and select Properties.
- Go to the Security tab in the Properties window.
- Select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) in the Type of VPN parameter.
- Go to Advanced settings.
- Select the Use preshared key for authentication parameter.
- Enter the secret key value that was entered earlier when configuring the tunnel in the Key field.
- Click OK to connect.
- Enter the username you created earlier and the password.
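The same Windows client connection can be created from PowerShell instead of the Network and Sharing Center dialogs. This is an added example, not part of the original page or FortiGate's documentation; the server address, connection name and username are placeholders, and the pre-shared key is prompted for rather than stored in the script.

```powershell
# Added example: create and verify the L2TP/IPsec client connection from PowerShell
# (run in an elevated session; requires the built-in VpnClient module).

$ServerAddress  = "203.0.113.10"       # placeholder: the FortiGate wan1 IP address
$ConnectionName = "FortiGate L2TP"     # placeholder: the Destination name
$VpnUser        = "vpnuser"            # placeholder: a user from the group in the wizard

# Prompt for the pre-shared key entered in the IPsec Wizard; never hard-code it here.
$Psk = Read-Host -Prompt "IPsec pre-shared key (same value as in the IPsec Wizard)"

# Equivalent of: Type of VPN = L2TP/IPsec, Advanced settings = Use preshared key.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -Force

# Check that the entry really uses L2TP with PSK-based IPsec before connecting.
$Conn = Get-VpnConnection -Name $ConnectionName
if ($Conn.TunnelType -ne 'L2tp' -or $Conn.L2tpIPsecAuth -ne 'Psk') {
    throw "VPN entry '$ConnectionName' is not configured for L2TP/IPsec with a pre-shared key"
}

# Dial the connection; '*' makes rasdial prompt for the user's password.
rasdial $ConnectionName $VpnUser *
```

Get-VpnConnection on the created entry should report TunnelType L2tp and L2tpIPsecAuth Psk; if the FortiGate side rejects the connection, re-check that the key entered here matches the one in the wizard and that the user belongs to the group selected there.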