Android L2TP/IPSec VPN to Fortigate Firewall Endpoint

Published by

Copied from http://blog.martinfhengst.com/android-platform/android-l2tpipsec-vpn-to-fortigate-firewall-endpoint/ Google-Cache since his page is not online anymore.

MartinHengst wrote:

I love my Android phone and I wanted to be able to use it to connect to the firewall I have at my office. I did a little digging but was unable to find any tutorial on how to get it configured to work correctly. So through a little trial and error and some referencing of the Fortigate VPN Administrator’s guide, I was able to come up with the following procedure.

Although this is a rather specific case, I figured I'd document it here in the event that there is anyone else out there who is trying to establish a VPN connection between an Android phone and a Fortigate firewall. The firewall side of the configuration I'm going to share is entirely command line, for three reasons:

  1. You should know how to configure the firewall from the command line.
  2. There are some things that can ONLY be configured from the command line, and L2TP is one of them.
  3. It's way more geeky this way.

Although this config is for a specific family of devices, in this case Fortigate firewalls, hopefully it will serve as a jumping-off point for people who are attempting to get the Android VPN client working with their own hardware. Now on with the show.

Note: The following configuration is for a Fortigate device running v4.0 of the OS at patch level MR2. While these commands may not be specific to that version of the OS, it's entirely possible that they are. It would be a good idea to update your firmware to the latest available before attempting this configuration.

First things first. Since L2TP requires a remote user to authenticate, we need to set up a new user and group on the firewall for our VPN configuration. SSH into the firewall and execute the following commands. The values to change for your own setup are the user name (newuser), the password (yourpassword) and the group name (L2TP); the bold formatting from the original post did not survive the copy. Note that the password goes into the CLI in clear text, so set it from a session you trust and keep it out of shell history and pasted notes.

config user local
edit newuser
set type password
set passwd "yourpassword"
set status enable
end

Now you want to create a Group for the user you just created, so do the following:

config user group
edit L2TP
set group-type firewall
set member newuser
end

Now that we’ve finished with the pre-requisites, we can move onto the actual configuration.

Fortigate firewalls are problematic at times because there are certain things you simply can’t do from the web interface. The only way to configure certain parameters is via the command line interface, and L2TP is a prime example of this idiosyncrasy. You can look for the L2TP options in the web interface until the cows come home, but it won’t do you any good.

Configuring L2TP:

To configure L2TP, you need to decide which IP addresses on the local network to dedicate to the dial-in VPN clients. The first address in the range is the start IP (sip) in the configuration below and the last address is the end IP (eip). Pick addresses inside the internal subnet but outside any DHCP scope, so a dial-in client can never collide with a LAN host. You'll also want to assign the group we created earlier to the VPN, like so:


config vpn l2tp
set sip 192.168.1.100
set eip 192.168.1.125
set status enable
set usrgrp "L2TP"
end

Additionally, because the access policy we set up later needs to match the IPs assigned to the clients, we create an address object for exactly that range. The start and end IPs here must match the sip and eip above; if they drift apart, clients will connect but traffic from the unmatched addresses will be dropped by the policy.

config firewall address
edit "L2TP Clients"
set type iprange
set start-ip 192.168.1.100
set end-ip 192.168.1.125
end

Now we need to configure an IPSec tunnel for encryption. It's important to note that L2TP requires transport mode instead of tunnel mode, which is, I believe, another one of those things that can only be set on the Fortinet command line. It also bears mentioning that the VPN administration guide states that L2TP over IPSec is only supported on policy-based VPNs.

So let's configure Phase 1 of our IPSec tunnel. Use a long, random pre-shared key for psksecret: until the user logs in over L2TP, the PSK is the only thing authenticating the phone to the firewall, and main mode (set below) is the right choice with a PSK, since aggressive mode exposes a hash of the key to anyone listening. The proposal list carries MD5 and 3DES purely for client compatibility; once the IKE debug output shows what your clients actually negotiate, trim the list to the strongest entries they accept.

config vpn ipsec phase1
edit "Dial-In VPN"
set type dynamic
set interface wan1
set mode main
set psksecret ********
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set nattraversal enable
set dpd enable
end

Now let’s configure a Phase 2 to go with our Phase 1:


config vpn ipsec phase2
edit "Dial-In VPN"
set phase1name "Dial-In VPN"
set proposal aes256-md5 3des-sha1 aes192-sha1
set replay enable
set pfs disable
set keylifeseconds 3600
set encapsulation transport-mode
end

Now remember how I said we need to set it to transport mode instead of tunnel mode? The Phase 2 block above already includes that line. If you created the Phase 2 from the web interface instead, it will default to tunnel mode, so set the encapsulation afterwards from the command line:

config vpn ipsec phase2
edit "Dial-In VPN"
set encapsulation transport-mode
end

That's it. The basic building blocks of the VPN are now in place. However, the VPN without policies is only half the configuration: we still need the IPSec policy that binds the tunnel to the interfaces and the access control policy that lets client traffic in.

Here's the configuration for the IPSec policy that establishes the VPN connection (edit 0 creates a new policy with the next free ID):


config firewall policy
edit 0
set srcintf internal
set dstintf wan1
set srcaddr all
set dstaddr all
set action ipsec
set schedule always
set service ANY
set inbound enable
set outbound enable
set vpntunnel "Dial-In VPN"
end

And finally, here's the policy that will allow the IP addresses assigned to the remote clients to connect to the rest of the network. As written it grants the client range every service on every internal host; once it works, narrow dstaddr and service to what remote users actually need (in my case SSH, RDP and VNC):


config firewall policy
edit 0
set srcintf wan1
set dstintf internal
set srcaddr "L2TP Clients"
set dstaddr all
set action accept
set schedule always
set service ANY
end
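The pieces above have to agree with each other (the L2TP pool and the address object carry the same range twice, the Phase 2 must be transport mode) and several of the settings are compatibility choices worth revisiting (MD5, 3DES, DH group 2, PFS off). The following audit script is an added example for this page, not code from the original post or from Fortinet: it parses a FortiOS config dump in the `config` / `edit` / `set` / `next` / `end` layout that `show` prints (an assumption about the dump format), runs those checks and reports findings. The sample configuration embedded in it is constructed from the snippets in this post, with the `psksecret` and `passwd` lines omitted. The weakness thresholds (MD5 and (3)DES flagged, DH groups below 14 flagged) are editorial; older Android L2TP/IPSec clients may only offer DH group 2 and SHA1, so check what your clients negotiate before tightening the firewall side.

```python
"""Audit a FortiOS L2TP/IPsec configuration for the checks discussed above."""
import shlex

# Constructed sample (not a real device export): the firewall-side configuration
# from this post, as `show` would print it.
SAMPLE_CONFIG = """
config vpn l2tp
    set sip 192.168.1.100
    set eip 192.168.1.125
end
config firewall address
    edit "L2TP Clients"
        set type iprange
        set start-ip 192.168.1.100
        set end-ip 192.168.1.125
    next
end
config vpn ipsec phase1
    edit "Dial-In VPN"
        set interface "wan1"
        set mode main
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
    next
end
config vpn ipsec phase2
    edit "Dial-In VPN"
        set phase1name "Dial-In VPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
    next
end
"""

WEAK_ALGS = {"md5", "des", "3des"}  # broken (MD5, DES) or deprecated (3DES)
MIN_DH_GROUP = 14                   # 2048-bit MODP; group 2 is only 1024-bit


def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry: {key: [values]}}}.
    A table without `edit` (e.g. `config vpn l2tp`) keeps its settings under ''."""
    tree, table, entry = {}, None, ""
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb == "config":
            table, entry = " ".join(args), ""
            tree.setdefault(table, {})
        elif verb == "edit":
            entry = args[0]
        elif verb == "set":
            tree[table].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            entry = ""
        elif verb == "end":
            table, entry = None, ""
    return tree


def weak_proposals(proposals):
    """Entries such as 'aes256-md5' or '3des-sha1' that use a weak primitive."""
    return [p for p in proposals if WEAK_ALGS & set(p.split("-"))]


def l2tp_pool(tree):
    """(sip, eip): the address range handed out to L2TP clients."""
    l2tp = tree["vpn l2tp"][""]
    return l2tp["sip"][0], l2tp["eip"][0]


def audit(tree):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    sip, eip = l2tp_pool(tree)
    # The accept policy later needs an address object that is exactly this pool.
    if not any(a.get("type") == ["iprange"] and a.get("start-ip") == [sip] and a.get("end-ip") == [eip]
               for a in tree.get("firewall address", {}).values()):
        out.append("address: no iprange object matches the L2TP pool")
    for name, p1 in tree.get("vpn ipsec phase1", {}).items():
        if p1.get("mode") == ["aggressive"]:
            out.append(f"phase1 {name}: aggressive mode lets a passive attacker crack the PSK offline")
        out += [f"phase1 {name}: weak proposal {w}" for w in weak_proposals(p1.get("proposal", []))]
        out += [f"phase1 {name}: dhgrp {g} is below 2048-bit"
                for g in p1.get("dhgrp", []) if int(g) < MIN_DH_GROUP]
    for name, p2 in tree.get("vpn ipsec phase2", {}).items():
        if p2.get("encapsulation") != ["transport-mode"]:
            out.append(f"phase2 {name}: L2TP/IPsec needs transport-mode encapsulation")
        out += [f"phase2 {name}: weak proposal {w}" for w in weak_proposals(p2.get("proposal", []))]
        if p2.get("pfs") == ["disable"]:
            out.append(f"phase2 {name}: pfs disabled, so phase2 keys derive from phase1 alone")
    return out


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of `show vpn l2tp`, `show firewall address`, `show vpn ipsec phase1` and `show vpn ipsec phase2` concatenated into one file. On the sample it reports the MD5 and 3DES proposals in both phases, DH group 2 and the disabled PFS, and stays silent on the pool and the encapsulation, which are consistent as written.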

That completes the configuration on the firewall side. Now it's just a matter of plugging the appropriate information into the Android VPN interface. Here are the steps to configure the phone VPN client (the menu names are from the Android release current when this was written; later releases moved the VPN settings, but the L2TP/IPSec PSK fields are the same):

  1. Go to Settings -> Wireless & Networks -> VPN Settings
  2. Tap Add VPN
  3. Tap Add L2TP/IPSec PSK VPN
  4. Set the VPN Name to whatever you like
  5. Set VPN Server to the hostname of your firewall (either via a static DNS name, or dynamic DNS)
  6. Set IPSec pre-shared key to the key you configured on the firewall with set psksecret
  7. Tap the Menu Key, Tap Save

Once that's complete, tap on the VPN name and enter the user name and password you created way back at the very first step. Tap OK, and if all goes well, you'll be connected to your very own VPN back to your firewall.

I’ve found this method to be very stable. So far I’ve tested SSH, RDP, and VNC over the VPN and it seems to be nearly as fast as an unsecured connection over 3G.

That’s all there is to it. I hope this helps someone who has been banging their head against the wall trying to make this work.

—-

Hint: Make sure that you're setting the encapsulation mode from the command line. Unless they've made significant changes to the GUI since the time I originally posted this, the command line is the only way to set the encapsulation mode for an L2TP tunnel.

—-

Some comments:

Here’s where your command line troubleshooting utilities are really going to come into play. Open a console to the firewall and do the following:

diag debug app ike 9
diag debug enable

That will let you watch the tunnel build for the vpn. It should give you an idea of what’s going wrong, and where.

—-