FortiGate - Create a L2TP VPN for Windows


This guide covers the creation of a native L2TP connection for Windows.

Every step of the process is covered:

  • Creating a User Group and assigning Users

  • Creation of an L2TP IPsec VPN tunnel

  • Configuring the native L2TP tunnel in Windows VPN settings


Creating a User Group and assigning Users

To ensure secure access, you will start this process by creating a User Group and Users that you wish to have access to your FortiClient VPN.

Creating the User Group

  1. Navigate to the following area: “User & Authentication” > “User Groups”:


  2. Enter a descriptive “Name”, leave the Type as Firewall, and press the “OK” button:


Create and assign users to the group

  1. On the “User Groups” tab, double-click on your newly created group to edit it:

  2. Now that we are in the “Edit User Group” menu, you can press the ‘+’ button next to “Members” to begin creating and assigning users:

  3. We can create our Users in the box that pops up by using the “+ Create” button:

  4. Select “+ User”:

  5. On the “Users/Groups Creation Wizard”, leave the User Type as “Local User” and click “Next”:

  6. Enter a Username and Password under the “Login Credentials” tab:

  7. Leave “Two-Factor Authentication” disabled and click “Next”:

  8. On the “Extra Info” tab, leave the “User Account Status” set as enabled.
    Press “Submit”:

  9. This process can be repeated as many times as you want for additional users, or you can create multiple users and attach them all to the User Group.
    Now that your users are created, you can click on the created User under the “Select Entries” pane. You will see that the user has appeared under the “Members” section of the User Group. You can now press “OK”:

  10. You can see that the User is listed as an active Member of the “L2TP VPN” Group:

Creating an L2TP connection for Windows VPN

  1. Log in to your existing FortiGate Firewall and go to the following tab:
    VPN > IPsec Wizard.

  2. Enter a descriptive “Name” for the VPN > Select “Remote Access” > Select “Native” > Select “Windows Native” and press “Next”:

  3. Select your “Incoming Interface” for the connection. By convention, this will be named VDOMNAME_wan.
    In our example, this is “CE089_wan1”. You can reference your VDOM name as shown in the screenshot.

    Leave the “Authentication method” set to “Pre-shared Key” and enter a complex one.
    I would recommend using a password generator and setting the key to 24 characters or more.

    Select the “User Group” we created earlier within this guide and press “Next”:

  4. Select the “Local Interface” as the LAN interface. You can identify it by its name, which will be similar to VDOM_lan(VLANXXXX).

    In this example, we will select our VDOM LAN interface: “CE089_lan (VLAN3224)”.

    You will need to specify your “Local Address” range. In our example, “all” has been selected under the “ADDRESS” dropdown. You can instead restrict access by selecting an “Address” object containing the IP range or ranges that you wish the VPN to have access to:

  5. You will now need to assign a “Client Address Range” and a Subnet Mask.

    1. Enter an uncommon private IP range to utilise.
      In my example, I will go with 192.168.123.1 to 192.168.123.254.
      Confirm that this range does not overlap with your personal computer's existing IP range! The start and end of the range must be separated by a “-”.

    2. Once you have entered the “Client Address Range” and “Subnet Mask” you can press “Next” as shown in the example below:

  6. On the “Review Settings” tab, ensure all of your settings are correct and press “Create”:

    This will create a firewall policy for the IP range that you designated during creation, allowing your chosen IP range to talk to the wider internet.
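Before typing the “Client Address Range” into the wizard, the overlap check recommended in step 5 can be done from PowerShell on the Windows PC that will connect. This is an added example, not part of the original guide; it assumes the guide's sample range and a 255.255.255.0 mask, and it reads the PC's own IPv4 subnets with the built-in Get-NetIPAddress cmdlet.

```powershell
# Added example (not from the original guide): sanity-check a proposed L2TP
# "Client Address Range" against this PC's IPv4 subnets before using it.
# Range and mask below are the guide's sample values; change them as needed.
$ClientRange = '192.168.123.1-192.168.123.254'
$SubnetMask  = '255.255.255.0'

# Convert a dotted-quad address to a 64-bit integer (avoids Int32 sign problems).
function ConvertTo-IpInt ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

# The wizard expects "start-end"; reject anything else up front.
$parts = $ClientRange -split '-'
if ($parts.Count -ne 2) { throw 'Range must be written as start-end, e.g. 192.168.123.1-192.168.123.254' }
$rangeStart = ConvertTo-IpInt $parts[0].Trim()
$rangeEnd   = ConvertTo-IpInt $parts[1].Trim()
if ($rangeStart -gt $rangeEnd) { throw 'Range start is greater than range end' }

# Both ends must sit inside one subnet as defined by the mask.
$mask = ConvertTo-IpInt $SubnetMask
if (($rangeStart -band $mask) -ne ($rangeEnd -band $mask)) {
    throw "Range does not fit inside a single $SubnetMask subnet"
}

# VPN clients should only be handed private (RFC 1918) address space.
$isPrivate = ($rangeStart -ge (ConvertTo-IpInt '10.0.0.0')    -and $rangeEnd -le (ConvertTo-IpInt '10.255.255.255')) -or
             ($rangeStart -ge (ConvertTo-IpInt '172.16.0.0')  -and $rangeEnd -le (ConvertTo-IpInt '172.31.255.255')) -or
             ($rangeStart -ge (ConvertTo-IpInt '192.168.0.0') -and $rangeEnd -le (ConvertTo-IpInt '192.168.255.255'))
if (-not $isPrivate) { throw 'Range is not private (RFC 1918) address space' }

# Compare the range with every IPv4 subnet configured on this PC's adapters.
$conflicts = foreach ($addr in Get-NetIPAddress -AddressFamily IPv4) {
    $hostBits  = 32 - [int]$addr.PrefixLength
    $localMask = (4294967295 -shl $hostBits) -band 4294967295
    $netStart  = (ConvertTo-IpInt $addr.IPAddress) -band $localMask
    $netEnd    = $netStart + (4294967295 -bxor $localMask)
    if ($rangeStart -le $netEnd -and $rangeEnd -ge $netStart) {
        "$($addr.IPAddress)/$($addr.PrefixLength) on $($addr.InterfaceAlias)"
    }
}
if ($conflicts) { throw "Client range overlaps local subnet(s): $($conflicts -join ', ')" }
"OK: $ClientRange with mask $SubnetMask does not overlap any local subnet"
```

Run it on each PC that will use the VPN, since a range that is clear on one machine may collide with the home or office LAN of another.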

Creating your SNAT Rule

A SNAT rule will need to be created to allow connectivity outbound for the VPN so that you can access the internet.

  1. This is done under “Policy & Objects” > “Central SNAT”. Press “Create New” to proceed:

  2. You will use the following configuration settings:

    • Incoming Interface: This is NOT the name of the L2TP VPN you created, which can cause confusion. Select the l2t.vd_XXXXX interface, where the XXXXX is representative of your VDOM as seen in the top right of your screen.

    • Outgoing Interface: Select your WAN interface as the Outgoing Interface. The name will be similar to XXXXX_wan.

    • Source Address: Specify the range you designated in the L2TP VPN configuration, which can be found by searching the L2TP VPN name and selecting it. It will have a naming convention similar to the following: “VPNNAME_range”.

    • Destination Address: Specify the IP range you want to hit on the internet, or set the value to “all”.

An example of a configuration is below. Once you have entered all settings, you can then press “OK”:

Configuring your L2TP VPN

  1. Click on the Start button in Windows and search “VPN”, and click on “VPN Settings”:

  2. Under the VPN page, you want to click “Add a VPN connection”:

  3. Select the options shown below:

    1. VPN provider: Windows (built-in).

    2. Connection Name: A descriptive name for your VPN.

    3. Server name or address: The IP of the FortiGate VPN endpoint. This address can be referenced from the IP that shows in your browser’s address bar when you access your FortiGate firewall.

    4. VPN type: L2TP/IPsec with pre-shared key.

    5. Pre-shared key: The value will be the pre-shared key you put in place when creating the L2TP VPN above.

    6. Type of sign-in info: User name and password.

    7. User name: The user name of a user you created in the above steps.

    8. Password: The password for the associated user.

    You can choose to leave “Remember my sign-in info” ticked if you want these credentials saved.

    An example configuration is shown below:

  4. Once you have hit “Save” you can now connect to your newly created L2TP VPN by clicking on its name and pressing “Connect”:

  5. Your initial “Connect” action will request that you enter your credentials again. These credentials will be saved after being entered once. Enter your username and password and press “OK”:

  6. Your L2TP VPN will now show as connected, and you will now be on your VPN:
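The same client profile can be created from an elevated PowerShell session instead of the Settings app, which is handy when rolling the connection out to several PCs. This is an added example and not part of the original guide; the server address, pre-shared key and user name are placeholders that you replace with the values from the FortiGate steps above.

```powershell
# Added example (not from the original guide): create the Windows L2TP/IPsec
# connection from PowerShell. Each parameter maps to a field in the VPN Settings dialog.
# The three values below are placeholders; substitute your own.
$ConnectionName = 'L2TP VPN'               # "Connection Name"
$ServerAddress  = '203.0.113.10'           # "Server name or address" (placeholder, TEST-NET-3 range)
$PreSharedKey   = 'REPLACE-WITH-YOUR-PSK'  # "Pre-shared key" entered in the IPsec Wizard
$UserName       = 'vpnuser'                # "User name" created in the User Group steps

# -TunnelType L2tp with -L2tpPsk  = "L2TP/IPsec with pre-shared key"
# -AuthenticationMethod MSChapv2  = "Type of sign-in info: User name and password"
# -RememberCredential             = "Remember my sign-in info" ticked
# -EncryptionLevel Required       = refuse to connect if the data channel is not encrypted
# -Force                          = skip the confirmation prompt (omit it to be asked first)
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType L2tp `
                  -L2tpPsk $PreSharedKey `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -Force

# Confirm the profile was written with the expected settings before connecting.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Connect. The trailing "*" makes rasdial prompt for the password, so the
# credential is never stored in your shell history.
rasdial $ConnectionName $UserName *

# Disconnect when finished:
# rasdial $ConnectionName /disconnect
```

Once connected, the entry appears in the VPN Settings page exactly as if it had been created by hand, so the Connect/Disconnect steps above still apply.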

Securing your L2TP VPN

We have created a follow-on guide if you wish to further secure your L2TP connection to run on newer protocols. Click on the following link to find out more:

FortiGate - Securing your Windows L2TP tunnel