Microsoft L2TP/IPsec VPN with Loopback Interface?

padraig2392 (New Member)
2019/09/02 06:08:27


Hello,
 
I was wondering if anyone has had any experience setting up a dial-up Microsoft (L2TP/IPsec) VPN with a loopback interface instead of specifying a physical WAN interface?
 
My configuration:
 
L2TP:
config vpn l2tp
    set eip 192.168.55.250
    set sip 192.168.55.1
    set status enable
    set usrgrp "Test"
end
 
IPsec Phase 1:
config vpn ipsec phase1
    edit "winvpn"
        set type dynamic
        set interface "lo_vpn"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set psksecret ENC xxxxxxx
    next
end
 
IPsec Phase 2:
config vpn ipsec phase2
    edit "winvpn"
        set phase1name "winvpn"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 3600
    next
end
 
Security and IPsec policy (policy 25 allows L2TP, ICMP, and IPsec to hit the loopback interface):
config firewall policy
    edit 25
        set name "lo_winvpn"
        set srcintf "wan1"
        set dstintf "lo_vpn"
        set srcaddr "all"
        set dstaddr "lo_winvpn"
        set action accept
        set schedule "always"
        set service "AH" "ALL_ICMP" "ESP" "GRE" "IKE" "L2TP"
    next
    edit 26
        set name "ipsec_winvpn"
        set srcintf "internal"
        set dstintf "lo_vpn"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "winvpn"
    next
    edit 27
        set name "winvpn"
        set srcintf "lo_vpn"
        set dstintf "internal"
        set srcaddr "windowsvpn_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 
I followed the following guide:
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/L2TP_and_IPsec/Config_FGT_Unit.htm
The public IP address associated with the loopback interface is a routable IP address which responds to ICMP.
Performing a tcpdump on the firewall I can see communication between the client and server over ports 4500, 500, and 1701 although the connection does not establish.
 
Performing the following debug commands also doesn't provide any output when I try to establish the VPN:
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable
 
I have also enabled IPsec services on Windows and the error I receive on Windows is "Error 809" which indicates the remote server isn't responding?
 
Any help would be appreciated :)
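As an added example (not from this thread and not Fortinet tooling), the following Python script parses FortiOS CLI blocks like the ones in the post and checks the pieces this kind of policy-based L2TP/IPsec dial-up setup depends on: the L2TP server is enabled, a dynamic phase1 exists, its phase2 uses transport mode, an "action ipsec" policy names the tunnel, and an accept policy on the terminating interface admits IKE, ESP and L2TP. It also flags the MD5 and 3DES proposals as legacy. The sample config is constructed from the poster's blocks (abridged, with the terminators the CLI requires); the parser is a simplification that does not model a nested config block inside an edit, and it only finds missing pieces, so a config that passes can still fail for reasons this check cannot see.

```python
"""Static audit of a FortiOS policy-based L2TP-over-IPsec dial-up config
(added example, not FortiOS tooling). Parses the CLI config/edit/set/next/end
syntax and checks the prerequisites the poster's setup relies on."""
import shlex
from collections import defaultdict

# Constructed sample: the poster's blocks, abridged and given the
# 'next'/'end' terminators the CLI requires.
SAMPLE = """
config vpn l2tp
    set status enable
    set usrgrp "Test"
end
config vpn ipsec phase1
    edit "winvpn"
        set type dynamic
        set interface "lo_vpn"
        set proposal aes256-md5 3des-sha1 aes192-sha1
    next
end
config vpn ipsec phase2
    edit "winvpn"
        set phase1name "winvpn"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set encapsulation transport-mode
    next
end
config firewall policy
    edit 25
        set srcintf "wan1"
        set dstintf "lo_vpn"
        set action accept
        set service "AH" "ALL_ICMP" "ESP" "GRE" "IKE" "L2TP"
    next
    edit 26
        set srcintf "internal"
        set dstintf "lo_vpn"
        set action ipsec
        set vpntunnel "winvpn"
    next
end
"""


def parse_fortios(text):
    """Return {config path: {entry: {key: [values]}}}; settings outside any
    'edit' go under '_global'. Nested config-in-edit blocks are not modelled."""
    tree, path, entry = defaultdict(dict), [], None
    for raw in text.splitlines():
        toks = shlex.split(raw)  # honours the CLI's double-quoted values
        if not toks or toks[0].startswith("#"):
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entry = None
        elif cmd == "edit":
            entry = args[0]
            tree[" ".join(path)].setdefault(entry, {})
        elif cmd == "set":
            tree[" ".join(path)].setdefault(entry or "_global", {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            path.pop()
            entry = None
    return tree


def audit_l2tp_ipsec(text):
    """Return {'errors': [...], 'warnings': [...]} for a config text."""
    cfg = parse_fortios(text)
    errors, warnings = [], []
    l2tp = cfg.get("vpn l2tp", {}).get("_global", {})
    if l2tp.get("status") != ["enable"]:
        errors.append("L2TP server is not enabled")
    if "usrgrp" not in l2tp:
        errors.append("L2TP has no user group")
    policies = list(cfg.get("firewall policy", {}).values())
    dialups = {n: s for n, s in cfg.get("vpn ipsec phase1", {}).items()
               if s.get("type") == ["dynamic"]}
    if not dialups:
        errors.append("no dynamic (dial-up) phase1")
    for name, p1 in dialups.items():
        iface = p1.get("interface", [None])[0]
        p2s = [s for s in cfg.get("vpn ipsec phase2", {}).values()
               if s.get("phase1name") == [name]]
        # L2TP (UDP 1701) rides inside a transport-mode SA, not tunnel mode
        if not p2s or any(s.get("encapsulation") != ["transport-mode"] for s in p2s):
            errors.append(f"{name}: needs a phase2 in transport-mode")
        # policy-based VPN: an 'action ipsec' policy must name the tunnel
        if not any(p.get("action") == ["ipsec"] and p.get("vpntunnel") == [name]
                   for p in policies):
            errors.append(f"{name}: no 'action ipsec' policy names this tunnel")

        # IKE (UDP 500/4500), ESP and L2TP must be accepted on the terminating interface
        def admits(p):
            svc = set(p.get("service", []))
            return (p.get("dstintf") == [iface] and p.get("action") == ["accept"]
                    and ("ALL" in svc or {"IKE", "ESP", "L2TP"} <= svc))
        if not any(admits(p) for p in policies):
            errors.append(f"{name}: no accept policy to {iface} allowing IKE, ESP and L2TP")
    # MD5 and 3DES proposals are legacy; flag them so they can be retired
    for section in ("vpn ipsec phase1", "vpn ipsec phase2"):
        for name, s in cfg.get(section, {}).items():
            weak = [a for a in s.get("proposal", []) if "md5" in a or "3des" in a]
            if weak:
                warnings.append(f"{section} {name}: weak proposals {' '.join(weak)}")
    return {"errors": errors, "warnings": warnings}
```

Run it with `audit_l2tp_ipsec(SAMPLE)` (or paste a `show` dump of the real sections in place of the sample): the poster's config comes back with no errors and two warnings about the MD5/3DES proposals, while removing "L2TP" from policy 25 or switching phase2 to tunnel mode produces an error naming the missing piece.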


sevoda (New Member)
Re: Microsoft L2TP/IPsec VPN with Loopback Interface? 2019/09/07 08:17:57
Hi buddy, sorry for bumping the thread. But I'm facing kind of the same issue; did you find any way out as of now?

Regards,
Hahu Smith
padraig2392 (New Member)
Re: Microsoft L2TP/IPsec VPN with Loopback Interface? 2019/09/11 12:35:41
Hi Hahu,

Couldn't get it working utilising a loopback IP address. Packet captures on the FortiGate showed communication between the remote client and the loopback address going back and forth over the relevant ports, but it never established successfully.

Due to constraints on time and needing to move on with other projects, I ended up adding a secondary IP address to the customer's WAN interface and binding that interface/IP to the dial-up VPN using the "Secondary address" option, which connected instantly.

I've set up numerous IPsec VPNs using loopback IP addresses and they have worked straight away, although the L2TP over IPsec just wouldn't work... hopefully some Fortinet guru on these forums can shed some light ;)

I wouldn't mind trying to assist you with getting it fixed though, if needed. Feel free to drop your configs on the post or to DM me.

Thanks,
Pàdraig