268
01-28006-0100-20041105
Fortinet Inc.
L2TP
VPN
Setting up a L2TP-based VPN
To set up a L2TP VPN, you must configure both the FortiGate unit and the remote
Windows client.
To create an L2TP VPN configuration
1
Add a user group to the FortiGate unit.
The L2TP clients must be authenticated before being allowed to start a VPN tunnel.
To enable authentication, you must add a user group to the FortiGate unit. Within the
user group, add a user for each L2TP client. You can add users to the FortiGate user
database, to authentication servers (RADIUS or LDAP), or to both. See
“Users and
authentication” on page 237
.
2
Enable L2TP and specify a L2TP address range.
The L2TP address range is the range of addresses reserved for remote L2TP clients.
When a remote L2TP client connects to the internal network using L2TP, the client
computer is assigned an IP address from this range. The L2TP address range can be
on any subnet. See
“Enabling L2TP and specifying an L2TP range” on page 268
.
3
Add a source address.
The source address is the L2TP range. See
“To add an address” on page 204
.
4
Add a destination address.
The destination address is the address to which the L2TP clients can connect. For
example, if the destination address is on the internal network, you would create an
external-to-internal policy to control the access that L2TP users have through the
FortiGate unit. Typically you would add only one destination address, for the entire
internal subnetwork. See
“To add an address” on page 204
.
5
Add an external-to-internal firewall policy.
The firewall policy specifies the source and destination addresses and sets the
service for the policy to the traffic type inside the L2TP VPN tunnel. For example, if
you want L2TP clients to be able to access a web server, set the service to HTTP.
See
“To add a firewall policy” on page 200
.
6
Configure the Windows client. See:
•
Configuring a Windows 2000 client for L2TP
.
•
Configuring a Windows XP client for L2TP
.
Enabling L2TP and specifying an L2TP range
The L2TP address range is the range of addresses reserved for remote L2TP clients.
When a remote Windows client connects to the internal network using L2TP, the client
computer is assigned an IP address from this range. The L2TP address range can be
on any subnet.
Summary of Contents for FortiGate FortiGate-500A
Page 24: ...24 01 28006 0100 20041105 Fortinet Inc Customer service and technical support Introduction...
Page 46: ...46 01 28006 0100 20041105 Fortinet Inc Changing the FortiGate firmware System status...
Page 72: ...72 01 28006 0100 20041105 Fortinet Inc FortiGate IPv6 support System network...
Page 80: ...80 01 28006 0100 20041105 Fortinet Inc Dynamic IP System DHCP...
Page 110: ...110 01 28006 0100 20041105 Fortinet Inc FortiManager System config...
Page 116: ...116 01 28006 0100 20041105 Fortinet Inc Access profiles System administration...
Page 134: ...134 01 28006 0100 20041105 Fortinet Inc Shutdown System maintenance...
Page 248: ...248 01 28006 0100 20041105 Fortinet Inc CLI configuration Users and authentication...
Page 324: ...324 01 28006 0100 20041105 Fortinet Inc CLI configuration Antivirus...
Page 386: ...386 01 28006 0100 20041105 Fortinet Inc Glossary...
Page 394: ...394 01 28006 0100 20041105 Fortinet Inc Index...