Fortinet FortiGate-100A operating instructions

Page 264 of 388
01-28006-0068-20041105
Fortinet Inc.
Setting up an L2TP-based VPN
VPN
To set up an L2TP VPN, you must configure both the FortiGate unit and the remote Windows client.
To create an L2TP VPN configuration
1 Add a user group to the FortiGate unit.
The L2TP clients must be authenticated before being allowed to start a VPN tunnel. To enable authentication, you must add a user group to the FortiGate unit. Within the user group, add a user for each L2TP client. You can add users to the FortiGate user database, to authentication servers (RADIUS or LDAP), or to both. See
2 Enable L2TP and specify an L2TP address range.
The L2TP address range is the range of addresses reserved for remote L2TP clients. When a remote L2TP client connects to the internal network using L2TP, the client computer is assigned an IP address from this range. The L2TP address range can be on any subnet. See
3 Add a source address.
The source address is the L2TP range. See
4 Add a destination address.
The destination address is the address to which the L2TP clients can connect. For example, if the destination address is on the internal network, you would create an external-to-internal policy to control the access that L2TP users have through the FortiGate unit. Typically you would add only one destination address, for the entire internal subnetwork. See
5 Add an external-to-internal firewall policy.
The firewall policy specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel. For example, if you want L2TP clients to be able to access a web server, set the service to HTTP. See
6 Configure the Windows client. See:
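The six steps above fit together as one plan: a user group with members, an L2TP address range, a source address equal to that range, a destination address on the internal network, and an external-to-internal policy whose service is the traffic type inside the tunnel. The following Python script is an added example, not part of the manual and not FortiGate configuration syntax; it models that plan as data and checks the points a practitioner would want to confirm before entering the configuration: the group is not empty, the range is ordered, the range does not collide with the destination subnet, and the service is narrower than "ALL". The plan values, user names and interface names ("external", "internal") are constructed for illustration.

```python
"""Sanity-check an L2TP VPN plan (user group, address range, source/destination
addresses, firewall policy) before it is entered on the FortiGate.
Added example with constructed values; not FortiGate CLI or web-UI syntax."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class L2tpPlan:
    user_group: str      # step 1: group the L2TP clients authenticate against
    users: List[str]     # step 1: one user per L2TP client
    range_start: str     # step 2: first address handed out to a client
    range_end: str       # step 2: last address handed out to a client
    destination: str     # step 4: internal network (CIDR) the clients may reach
    service: str         # step 5: traffic type allowed inside the tunnel, e.g. HTTP


@dataclass
class FirewallPolicy:
    """Step 5 as a record: external-to-internal, source address = L2TP range (step 3)."""
    src_intf: str
    dst_intf: str
    src_addr: Tuple[str, str]   # (first, last) address of the L2TP range
    dst_addr: str
    service: str
    action: str = "accept"


def range_overlaps(start: IPv4, end: IPv4, net: ipaddress.IPv4Network) -> bool:
    """True if any address in the inclusive range [start, end] lies inside net."""
    return start <= net.broadcast_address and end >= net.network_address


def validate_plan(plan: L2tpPlan) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    if not plan.users:
        problems.append(f"user group {plan.user_group!r} has no members; "
                        "no client can authenticate")
    start, end = IPv4(plan.range_start), IPv4(plan.range_end)
    if start > end:
        problems.append("L2TP range start is after range end")
    dest = ipaddress.ip_network(plan.destination, strict=False)
    if range_overlaps(start, end, dest):
        problems.append("L2TP range overlaps the destination subnet; "
                        "clients would collide with internal hosts")
    if plan.service.upper() in ("ALL", "ANY"):
        problems.append("service ALL/ANY passes every protocol through the tunnel; "
                        "set the traffic type the clients actually need (e.g. HTTP)")
    return problems


def build_policy(plan: L2tpPlan) -> FirewallPolicy:
    """Derive the external-to-internal policy from the plan (steps 3 to 5)."""
    return FirewallPolicy(src_intf="external", dst_intf="internal",
                          src_addr=(plan.range_start, plan.range_end),
                          dst_addr=plan.destination, service=plan.service)


# Constructed sample plans (addresses and names are illustrative only).
GOOD_PLAN = L2tpPlan("l2tp_users", ["alice", "bob"],
                     "192.168.200.10", "192.168.200.20", "192.168.1.0/24", "HTTP")
BAD_PLAN = L2tpPlan("l2tp_users", [],
                    "192.168.1.50", "192.168.1.60", "192.168.1.0/24", "ANY")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = validate_plan(plan)
        print(f"{name}: {'ok' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
    print(build_policy(GOOD_PLAN))
```

The overlap check is a caveat the manual does not spell out: the range may be on any subnet, but handing a client an address that is also in use on the internal network makes traffic to that host ambiguous, so keeping the pool disjoint from the destination subnet is the safe choice.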
Enabling L2TP and specifying an L2TP range
The L2TP address range is the range of addresses reserved for remote L2TP clients. 
When a remote Windows client connects to the internal network using L2TP, the client 
computer is assigned an IP address from this range. The L2TP address range can be 
on any subnet.