L2TP over IPsec Configuration Example


PPTP/L2TP VPN configuration on the Center FGT:

CLI:
config vpn ipsec phase1-interface
    edit "L-O-I"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dpd on-idle
        set comments "VPN: L-O-I (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-windows
        set psksecret Fortinet123#
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "L-O-I"
        set phase1name "L-O-I"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: L-O-I (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end
config firewall address
    edit "192.168.0.0/24"
        set allow-routing enable
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "L-O-I_range"
        set type iprange
        set comment "VPN: L-O-I (Created by VPN wizard)"
        set start-ip 172.16.253.200
        set end-ip 172.16.253.254
    next
end
config firewall policy
    edit 2
        set name "vpn_L-O-I_l2tp"
        set srcintf "L-O-I"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "L2TP"
        set comments "VPN: L-O-I (Created by VPN wizard)"
    next
    edit 3
        set name "vpn_L-O-I_remote"
        set srcintf "L-O-I"
        set dstintf "lan"
        set srcaddr "L-O-I_range"
        set dstaddr "192.168.0.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: L-O-I (Created by VPN wizard)"
        set nat enable
    next
end

Verifying the L2TP over IPsec dial-up result

L2TP over IPsec dial-up test:

Make sure Windows keeps its default L2TP registry entries. By default, Windows negotiates L2TP over IPsec with IKE, which can be confirmed with the SetL2TP.exe tool:

SetL2TP registry tool
SetL2TP_Help_Doc

Under the default template policies:
L2TP over IPsec can only reach the internal resources in 192.168.0.0/24; access to the Internet is cut off because no policy allows it.
The reason:
config firewall policy
    edit 2
        set name "vpn_L-O-I_l2tp"
        set srcintf "L-O-I"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "L2TP"         // This policy only allows the L2TP protocol and does not enable SNAT, so traffic cannot reach the Internet via WAN1 and 114.114.114.114 cannot be pinged.
        set comments "VPN: L-O-I (Created by VPN wizard)"
    next
    edit 3
        set name "vpn_L-O-I_remote"
        set srcintf "L-O-I"
        set dstintf "lan"
        set srcaddr "L-O-I_range"
        set dstaddr "192.168.0.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: L-O-I (Created by VPN wizard)"
        set nat enable
    next
end

Solution: adjust the policy from L-O-I to WAN1:
config firewall policy
    edit 2
        set name "vpn_L-O-I_l2tp"
        set srcintf "L-O-I"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: L-O-I (Created by VPN wizard)"
        set nat enable
    next
end
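To check a FortiGate configuration for the two problems discussed on this page, the wizard's tunnel-to-WAN1 policy that lacks service ALL and SNAT (the troubleshooting above) and the weak phase1 proposals and DH group in the wizard output (aes256-md5, 3des-sha1, dhgrp 2), here is an added example that is not part of the original article or of FortiOS: a small parser for the CLI's config/edit/set/next/end blocks plus two audit functions. The function names are invented for this example, and SAMPLE_CFG is a constructed excerpt of the wizard output shown above.

```python
import shlex
def parse_fortios(text):
    """Return {table: {entry: {key: value}}} for one-level FortiOS config blocks."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        words = shlex.split(line, comments=False)  # keeps '#' in PSKs, strips quotes
        if not words: continue
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = " ".join(words[2:])  # multi-word values keep their spaces
        elif words[0] in ("next", "end"):
            entry = None
    return tables

def weak_phase1_settings(tables):
    """Flag MD5 / 3DES proposals and DH groups below 2048-bit (group 14)."""
    findings = []
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        findings += [f"{name}: weak proposal {p}" for p in p1.get("proposal", "").split()
                     if "md5" in p or "3des" in p]
        findings += [f"{name}: DH group {g} below 2048-bit"
                     for g in p1.get("dhgrp", "").split() if int(g) < 14]
    return findings

def internet_allowed(tables, tunnel="L-O-I", wan="wan1"):
    """The article's point: tunnel-to-WAN traffic needs service ALL plus SNAT enabled."""
    return any(p.get("srcintf") == tunnel and p.get("dstintf") in (wan, "any")
               and p.get("service") == "ALL" and p.get("nat") == "enable"
               for p in tables.get("firewall policy", {}).values())

# Constructed sample: the wizard's phase1 plus its tunnel-to-wan1 policy (L2TP only, no SNAT).
SAMPLE_CFG = """
config vpn ipsec phase1-interface
    edit "L-O-I"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
    next
end
config firewall policy
    edit 2
        set srcintf "L-O-I"
        set dstintf "wan1"
        set service "L2TP"
    next
end
"""
FIXED_CFG = SAMPLE_CFG.replace('set service "L2TP"', 'set service "ALL"\n        set nat enable')
```

Running `internet_allowed(parse_fortios(SAMPLE_CFG))` reports False for the wizard policy and True for FIXED_CFG, which applies the same change as the corrected policy 2 above.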

Then test the traffic again:

Appendix: generic L2TP over IPsec VPN configuration script:
config vpn l2tp
    set status enable
    set eip 172.16.252.254
    set sip 172.16.252.200
    set usrgrp "Guest-group"
end
config user local
    edit "guest"
        set type password
        set passwd 1q2w3e4r
    next
end
config vpn ipsec phase1-interface
    edit "L-O-I"
        set type dynamic
        set interface "wan1"
        set keylife 3600
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 14 5 2
        set psksecret 1q2w3e4r
    next
end
config vpn ipsec phase2-interface
    edit "L-O-I"
        set phase1name "L-O-I"
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 3600
    next
end
config firewall policy
    edit 0
        set name "L2TP_Over_IPsec"
        set srcintf "L-O-I"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

The L2TP over IPsec credentials used in the CLI script:
Username: guest
Password: 1q2w3e4r
Pre-shared key: 1q2w3e4r
