FortiGate User Authentication Version 1 Guide
22
01-28007-0233-20050825
VPN authentication
Configuring authenticated access
You must create user accounts and user groups before performing the procedures
in this section. If you create a user group for dialup IPSec clients or peers that
have unique peer IDs, their user accounts must be stored locally on the FortiGate
unit. You cannot authenticate these types of users using a RADIUS or LDAP
server.
Authenticating PPTP and L2TP VPN users
On FortiGate units, configuration for PPTP and L2TP VPNs is very similar. The
procedures in this section apply to both types.
To configure authentication for a PPTP or L2TP VPN - web-based manager
1  Configure the users who are permitted to use this VPN. Create a user group and add them to it. For more information, see "Users and user groups" on page 15.
2  Go to VPN > PPTP or VPN > L2TP as required.
3  Select Enable PPTP or Enable L2TP.
4  Enter Starting IP and Ending IP addresses. This defines the range of addresses assigned to VPN clients.
5  Select the user group that is to have access to this VPN. The FortiGate unit authenticates members of this user group.
6  Select Apply.
To configure authentication for a PPTP or L2TP VPN - CLI
config vpn pptp
    set sip <starting_ip>
    set eip <ending_ip>
    set status enable
    set usrgrp <user_group_name>
end
You also need to define a firewall policy that permits packets to pass from VPN
clients with addresses in the specified range to IP addresses that the VPN clients
need to access on the private network behind the FortiGate unit. The action for
this firewall policy is ACCEPT, not ENCRYPT, because the allowed user group is
defined in the PPTP or L2TP VPN configuration, not in the firewall policy.
For detailed information about configuring PPTP or L2TP VPNs, see "Configuring PPTP VPNs" or "Configuring L2TP VPNs" in the FortiGate VPN Guide.
Note: The commands for an L2TP VPN are the same, except that the first command is config vpn l2tp.