Configuring L2TP, 209 | Fortinet 50A guide

PPTP and L2TP VPN	Configuring L2TP

Configuring L2TP

Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit.

Note: L2TP VPNs are only supported in NAT/Route mode.

This section describes:

•Configuring the FortiGate unit as an L2TP gateway

•Configuring a Windows 2000 client for L2TP

•Configuring a Windows XP client for L2TP

Configuring the FortiGate unit as an L2TP gateway

Use the following procedures to configure the FortiGate unit as an L2TP gateway:

To add users and user groups

Add a user for each L2TP client.

1Go to User > Local.

2Add and configure L2TP users.

See “Adding user names and configuring authentication” on page 172.

3Go to User > User Group.

4Add and configure L2TP user groups.

See “Configuring user groups” on page 177.

To enable L2TP and specify an address range

1Go to VPN > L2TP > L2TP Range.

2Select Enable L2TP.

3Enter the Starting IP and the Ending IP for the L2TP address range.

4Select the User Group that you added in “To add users and user groups” on page 209.

5Select Apply to enable L2TP through the FortiGate unit.

FortiGate-50A Installation and Configuration Guide

209

Image 209

Fortinet 50A user manual Configuring L2TP, Configuring the FortiGate unit as an L2TP gateway, 209

Contents

February Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents NAT/Route mode NAT/Route mode and Transparent modeTransparent mode Introduction Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents Connecting to the web-based manager Powering onEnvironmental specifications To power on the FortiGate-50A unit To connect to the web-based manager Connecting to the command line interface CLI Stop bits Flow control To connect to the CLIBits per second Data bits Parity Factory default Dhcp configuration Factory default FortiGate configuration settings Factory default firewall configuration Factory default NAT/Route mode network configurationFactory default Transparent mode network configuration Service Factory default firewall configuration RecurringAuthentication Content Strict content profile Options Factory default content profilesStrict content profile Web content profile Scan content profileScan content profile Options Web content profile Options Unfiltered content profile Options Planning the FortiGate configurationUnfiltered content profile Setup wizard Configuration options CLI FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Next steps Getting started NAT/Route mode installation Internal servers Preparing to configure NAT/Route modeChanging the default configuration Advanced NAT/Route mode settings Using the setup wizardStarting the setup wizard Reconnecting to the web-based manager Configuring the FortiGate unit to operate in NAT/Route mode Using the command line interfaceConfiguring NAT/Route mode IP addresses Example Internal Connecting the FortiGate unit to your networksFortiGate-50A External Completing the configuration Configuring your networksSetting the date and time Changing antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Completing the configuration Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS Settings Go to System Status Changing to Transparent mode Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Connecting the FortiGate unit to your networks Go to Firewall Policy Int-Ext Enabling antivirus protectionRegistering your FortiGate Default routes and static routes Transparent mode configuration examples Default route to an external network General configuration steps CLI configuration steps Web-based manager example configuration stepsGo to System Network Management Go to System Network Routing DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Changing the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System Status Upgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLI Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu To test a new firmware image Restoring the previous configurationTesting a new firmware image before installing it Save as Default firmware/Run image without savingD/R Manual attack definition updates Manual virus definition updatesTo update the antivirus definitions manually To update the attack definitions manually Restoring system settings Backing up system settingsDisplaying the FortiGate serial number Displaying the FortiGate up time To change to Transparent mode Go to System Status Restoring system settings to factory defaultsChanging to Transparent mode To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit To view CPU and memory status Go to System Status Monitor System statusViewing CPU and memory status CPU and memory status monitor Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status To view the session list Go to System Status Session Session list Example session list Protocol Session list Updating antivirus and attack definitions Virus and attack definitions updates and registration Go to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates Configuring update logging Scheduling updatesEnabling scheduled updates To configure update logging Go to Log&Report Log Setting Adding an override server To add an override server Go to System Update Enabling scheduled updates through a proxy server Enabling push updates Push updates when FortiGate IP addresses change Enabling push updatesEnabling push updates through a NAT device To enable push updates Go to System Update Example network topology Push updates through a NAT device Example push updates through a NAT device General procedure Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT deviceSchedule Always Service ANY Action Accept Registering FortiGate units Example push update configuration FortiCare Service Contracts Registering the FortiGate unit Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit Changing your contact information or security question Changing your Fortinet support password Downloading virus and attack definition updates Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Configuring interfaces Network configuration Configuring an interface with a manual IP address Changing the administrative status of an interfaceTo stop an interface that is administratively up Viewing the interface list Connecting Configuring an interface for DhcpInitializing Connected Adding a secondary IP address to an interface Configuring an interface for PPPoE Adding a ping server to an interface Controlling administrative access to an interface Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode Adding a default route Configuring routingAdding DNS server IP addresses 100 101 Adding destination-based routes to the routing table 102 Adding routes in Transparent modeConfiguring the routing table 103 Policy routing Policy routing command syntax Configuring Dhcp servicesConfiguring a Dhcp relay agent 104 Adding a Dhcp server to an interface Configuring a Dhcp serverAdding scopes to a Dhcp server 105 106 Adding a reserve IP to a Dhcp serverScope Name IP Pool 107 Configuring the modem interfaceViewing a Dhcp server dynamic IP list Configuring modem settings Connecting a modem to the FortiGate unitTo configure modem settings Go to System Network Modem 108 Disconnecting the modem Connecting to a dialup account109 To connect to a dialup account Go to System Network Modem Standalone mode configuration Backup mode configurationTo configure backup mode Go to System Network Modem Viewing modem status 111 To operate in standalone mode Go to System Network ModemAdding firewall policies for modem connections 112 113 RIP configurationRIP settings Flush InvalidHolddown 115 Configuring RIP for FortiGate interfaces 116 Adding a RIP filter list Adding RIP filters117 To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter 119 Assigning a RIP filter list to the outgoing filter 120 Setting system date and time System configurationTo set the date and time Go to System Config Time 121 To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 122 123 Adding and editing administrator accountsModifying the Dead Gateway Detection settings Editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 124 125 Configuring SnmpTo edit an administrator account Go to System Config Admin Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settings System Location 127System Name 128 FortiGate MIBs General FortiGate traps FortiGate trapsSystem traps 129 130 Firewall configuration System configuration and statusUsers and authentication configuration 131 132 133 Replacement messagesCustomizing replacement messages 134 Customizing alert emails Nids event 135 Critical event 136 137 Firewall configuration 138 Default firewall configurationAddresses Content profiles ServicesSchedules 139 140 Adding firewall policies 141 Action Traffic Shaping VPN Tunnel142 Dynamic IP Pool Fixed Port Anti-Virus & Web filter Authentication143 Maximum Bandwidth Traffic Priority Log Traffic Configuring policy listsComments 144 145 Policy matching in detailChanging the order of policies in a policy list Enabling and disabling policies AddressesDisabling policies Enabling policies To add an address Go to Firewall Address Adding addresses147 Deleting addresses Editing addressesOrganizing addresses into address groups 148 149 ServicesPredefined services GRE 150 Ldap 151 152 Adding custom TCP and UDP services Adding custom IP services Adding custom Icmp servicesGrouping services 153 154 Schedules 155 Creating one-time schedulesCreating recurring schedules 156 Adding schedules to policies To add a schedule to a policy Go to Firewall Policy Virtual IPs157 158 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal 159 Adding port forwarding virtual IPs Adding a port forwarding virtual IP 160 Adding policies with virtual IPs IP pools161 To add a policy with a virtual IP Go to Firewall Policy IP Pools for firewall policies that use fixed ports Adding an IP poolIP pools and dynamic NAT 162 Go to Firewall IP/MAC Binding Static IP/MAC IP/MAC binding163 164 Configuring IP/MAC binding for packets going to the firewall Viewing the dynamic IP/MAC list Adding IP/MAC addressesEnabling IP/MAC binding 165 166 Content profiles Adding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 167 Oversized File/Email Pass Fragmented Email 168 169 Adding content profiles to policiesTo add a content profile to a policy Go to Firewall Policy 170 171 Users and authentication Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options 173 Deleting user names from the internal database Adding Radius servers Configuring Radius supportDeleting Radius servers 174 Adding Ldap servers Configuring Ldap support175 To add an Ldap server Go to User Ldap To delete an Ldap server Go to User Ldap Deleting Ldap servers176 Adding user groups Configuring user groups177 To add a user group Go to User User Group To delete a user group Go to User User Group Deleting user groups178 179 IPSec VPN Manual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 181 182 AutoIKE IPSec VPNsAES128 AES192 Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNTo create an AutoIKE VPN configuration To add a phase 1 configuration Go to VPN Ipsec Phase Remote Gateway Dialup User 184Remote Gateway Static IP Address 185 Configuring advanced optionsTo configure phase 1 advanced options 186 187 Adding a phase 1 configuration Standard options 188 Adding a phase 2 configuration for an AutoIKE VPNTo add a phase 2 configuration Go to VPN Ipsec Phase Use wildcard selectors 189Use selectors from policy Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 190 Key Size 191Key Type Importing the signed local certificate Downloading the certificate requestObtaining CA certificates 192 193 Configuring encrypt policiesImporting CA certificates Adding a destination address Adding a source address194 To add a source address Go to Firewall Address To add an encrypt policy Go to Firewall Policy Adding an encrypt policy195 196 IPSec VPN concentrators 197 VPN concentrator hub general configuration stepsTo create a VPN concentrator configuration Source InternalAll Destination VPN spoke address Action Adding a VPN concentrator198 199 VPN spoke general configuration stepsTo create a VPN spoke configuration Policies 200VPN Tunnel To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status 202 Testing a VPN Configuring the FortiGate unit as a Pptp gateway Configuring PptpPptp and L2TP VPN 203 To add a source address 204 To add a source address group 205To add a destination address To add a firewall policy To connect to the Pptp VPN Configuring a Windows 98 client for Pptp206 207 Configuring a Windows 2000 client for PptpConfiguring a Windows XP client for Pptp Select Properties Security To configure the VPN connection208 209 Configuring L2TPConfiguring the FortiGate unit as an L2TP gateway To add source addresses 210 211 Configuring a Windows 2000 client for L2TP To connect to the L2TP VPN To disable IPSec212 213 Configuring a Windows XP client for L2TP 214 215 Network Intrusion Detection System NidsDetecting attacks Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 216 217 Viewing the signature listViewing attack descriptions 218 Disabling Nids attack signaturesAdding user-defined signatures 219 Downloading the user-defined signature list Preventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures 221 Setting signature threshold values Logging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction 223 Manual message reduction 224 225 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning226 Blocking files in firewall traffic File blockingAdding file patterns to block 227 Blocking oversized files and emails Configuring limits for oversized files and emailExempting fragmented email from blocking 228 229 To view the virus list Go to Anti-Virus Config Virus ListViewing the virus list 230 231 Web filtering Go to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 232 Backing up the Banned Word list Clearing the Banned Word listRestoring the Banned Word list 233 Example Banned Word List text file 234 URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 235 Downloading the Web URL block list Clearing the Web URL block listUploading a URL block list 236 To upload a URL block list Configuring FortiGate Web pattern blocking237 Installing a Cerberian license key Configuring Cerberian URL filteringAdding a Cerberian user 238 About the default group and policy Configuring Cerberian web filterTo configure Cerberian web filtering Enabling Cerberian URL filtering Enabling script filtering Script filteringSelecting script filter options 240 Adding URLs to the URL Exempt list Exempt URL list241 Go to Web Filter URL Exempt 242 Downloading the URL Exempt ListUploading a URL Exempt List 243 244 245 Email filter 246 Email banned word listAdding words and phrases to the email banned word list 247 Downloading the email banned word listUploading the email banned word list Adding address patterns to the email block list Email block listDownloading the email block list 248 Uploading an email block list Email exempt list249 To upload the email block list Adding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 250 Recording logs Logging and reportingRecording logs on a remote computer 251 252 Recording logs on a NetIQ WebTrends server Filtering log messages To filter log entries Go to Log&Report Log SettingLog message levels 253 254 Configuring traffic logging Enabling traffic logging Configuring traffic filter settingsEnabling traffic logging for an interface Enabling traffic logging for a firewall policy 256 Destination IP Address Destination Netmask ServiceAdding traffic filter entries Adding alert email addresses Configuring alert email257 To add a DNS server Go to System Network DNS 258 Testing alert emailEnabling alert email 259 Glossary 260 261 262 263 Index Index 264 DNS 265 Http 266 NAT 267 268 RMA 269 TCP 270 VPN 271 272