[Fortinet] VPN remote access from Windows 11 over L2TP/IPsec (user/password authentication)

Connection topology

[Figure: L2TP_IPSec_picture_01.png]

To reach a server that sits behind NAT from a Windows 11 machine, the client is connected to the same LAN segment over L2TP/IPsec. Every parameter is one the standard Windows 11 VPN client can use without extra software.
The FortiGate in this setup runs FortiOS 6.0.

* Essentially the same topology as the separate article on the Cisco/VyOS case (which also covers the Windows client settings).

IKE negotiation (IKE Phase 1)
  IKE version                : IKEv1
  IKE negotiation mode       : Main Mode
  Encryption algorithm       : AES256-CBC
  Key exchange               : Diffie-Hellman Group 14 (MODP 2048)
  Integrity (auth) algorithm : HMAC-SHA1-96
  Authentication method      : Pre-Shared Key
  Keepalive (DPD)            : Disabled
  NAT Traversal              : Not applicable (the IKE session is not NATed)
  Lifetime                   : 28800 s (8 hours)
  MTU                        : 1454 (value after negotiation; possibly not configurable in FortiOS 6.0)

IPsec negotiation (IKE Phase 2)
  Encryption algorithm       : AES128-CBC
  Integrity (auth) algorithm : HMAC-SHA1-96
  Protocol                   : ESP
  Mode                       : Transport Mode
  PFS (key exchange)         : Disabled
  Lifetime                   : 3600 s (1 hour)

L2TP tunnel (inside IPsec)
  Protocol                   : PPP
  Authentication protocol    : MS-CHAPv2
  Assigned IP range (IPCP)   : 192.168.0.1 – 192.168.0.31

Windows 11 client-side information
  IKE cipher suites (proposed by the client):
    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
    IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
    IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  IKE lifetime               : 28800 s (8 hours)
  ESP cipher suites (proposed by the client):
    ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
  ESP lifetime               : 3600 s (1 hour)
  MTU                        : 1300 (value after negotiation)
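The article describes the Windows 11 side only through the negotiated parameters above. The following PowerShell is added here as an example (it is not code from the original article) and creates the matching connection with the built-in RAS client. The server address 10.0.0.254 (FortiGate wan1), the L2TP user vpn-01 and the connection name forti-vpn-01 are the values used on this page; the pre-shared key is read at run time rather than hard-coded, and the split-tunnel choice with an explicit route for 192.168.0.0/24 is this example's assumption.

```powershell
# Added example (not code from the original article): set up the Windows 11 side of the
# L2TP/IPsec connection described above with the built-in RAS client.
# Assumptions: server address 10.0.0.254 (FortiGate wan1), L2TP user vpn-01 and the
# connection name forti-vpn-01 are taken from this page; the PSK is read at run time
# instead of being hard-coded. Run in an elevated PowerShell session.
$Name   = 'forti-vpn-01'
$Server = '10.0.0.254'
$User   = 'vpn-01'

# Prompt for the IKE pre-shared key; Add-VpnConnection only accepts it as plain text,
# so convert it right at the call and drop the plain copy afterwards.
$PskSecure = Read-Host -AsSecureString -Prompt 'IKE pre-shared key (psksecret on the FortiGate)'
$PskPlain  = [System.Net.NetworkCredential]::new('', $PskSecure).Password

$vpn = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = 'L2tp'          # L2TP over IPsec, IKEv1 main mode with PSK
    L2tpPsk              = $PskPlain
    AuthenticationMethod = 'MSChapv2'      # PPP authentication inside the tunnel
    SplitTunneling       = $true           # the FortiGate policies only permit tunnel <-> LAN-01
    RememberCredential   = $false          # do not cache the PPP password in the credential store
    Force                = $true
}
Add-VpnConnection @vpn
$PskPlain = $null

# Send only the LAN segment behind the FortiGate through the tunnel (prefix assumed from the page).
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix '192.168.0.0/24'

# Connect; '*' makes rasdial prompt for the password instead of putting it on the command line.
rasdial $Name $User *

# Confirm the connection state and that the tunnel type is what was requested.
Get-VpnConnection -Name $Name | Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod
```

Windows proposes the five IKE and three ESP suites listed in the client-side table regardless of this script; which one is used is decided by the FortiGate's `set proposal` lines, so those should stay tight. The page disables NAT traversal (`set nattraversal disable`) because neither end is behind NAT; if the client or the FortiGate ever sits behind NAT that setting has to change, and a Windows client talking to a server behind NAT additionally needs the `AssumeUDPEncapsulationContextOnSendRule` DWORD (value 2) under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent.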

FortiGate (6.0 series) configuration example

The basic interface and related settings are as follows.

config system switch-interface
    edit "lan"
        set vdom "root"
        set member "internal"
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
        set allowaccess ping
        set type physical
        set role wan
    next
    edit "lan"
        set vdom "root"
        set ip 192.168.0.254 255.255.255.0
        set allowaccess ping https ssh
        set type switch
        set role lan
    next
    edit "internal"
        set vdom "root"
        set type hard-switch
        set stp enable
        set role lan
    next
end
config firewall address
    edit "LAN-01"
        set subnet 192.168.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "WAN1_OUT"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN-01"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

Create the local user and group for the VPN, plus the address object the policies will reference. The password and the pre-shared key in these snippets are placeholders; substitute real secrets.

config user local
    edit "vpn-01"
        set type password
        set passwd password123
    next
end
config user group
    edit "VPN_Group-01"
        set member "vpn-01"
    next
end
config firewall address
    edit "L2TP_TUNNEL_ADDR"
        set type iprange
        set start-ip 192.168.0.1
        set end-ip 192.168.0.31
    next
end

Configure L2TP/IPsec itself. (How to set the MTU is not known.)

Two points to keep in mind with this configuration. With `set peertype any` and a single PSK, the IPsec layer authenticates nothing more than possession of the shared secret; per-user identity comes solely from the MS-CHAPv2 exchange inside the tunnel, so the PSK and the user passwords are two independent secrets. And because the Windows client also proposes 3DES and DES suites (see the client-side table), the `set proposal` lines in phase 1 and phase 2 are what keep those suites from ever being selected; do not widen them.

config vpn ipsec phase1-interface
    edit "l2tp-tunnel1"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes256-sha1
        set dpd disable
        set comments "L2TP VPN: custom IKE"
        set dhgrp 14
        set nattraversal disable
        set psksecret secret123
    next
end
config vpn ipsec phase2-interface
    edit "l2tp-tunnel1"
        set phase1name "l2tp-tunnel1"
        set proposal aes128-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "L2TP VPN: custom IPsec"
        set keylifeseconds 3600
    next
end
config vpn l2tp
    set status enable
    set sip 192.168.0.1
    set eip 192.168.0.31
    set usrgrp "VPN_Group-01"
end

Finally, permit the L2TP/IPsec traffic in the firewall policy. Policy 2 allows the L2TP channel (service L2TP, UDP 1701) arriving on the IPsec tunnel interface and addressed to wan1; policies 3 and 4 then allow traffic between the PPP-assigned addresses (L2TP_TUNNEL_ADDR) and the LAN (LAN-01). No policy lets the tunnel out to wan1 for anything other than L2TP, so the client cannot reach the internet through the FortiGate and must keep its own default route.

config firewall policy
    edit 2
        set name "L2TP_IN"
        set srcintf "l2tp-tunnel1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "L2TP"
    next
    edit 3
        set name "PPP_IN"
        set srcintf "l2tp-tunnel1"
        set dstintf "lan"
        set srcaddr "L2TP_TUNNEL_ADDR"
        set dstaddr "LAN-01"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "PPP_OUT"
        set srcintf "lan"
        set dstintf "l2tp-tunnel1"
        set srcaddr "LAN-01"
        set dstaddr "L2TP_TUNNEL_ADDR"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

Verification

FortiGate-side information

The state seen on the FortiGate after the VPN connection is as follows. In the `diagnose vpn tunnel list` output, `mtu=1454` on both IPsec SA lines shows the MTU is 1454. The `proposal: aes256-sha1` lines in the IKE gateway list and the `esp=aes key=16` / `ah=sha1 key=20` lines (a 16-byte key, i.e. AES-128, with HMAC-SHA1) in the tunnel list are the quickest way to confirm that the negotiated suites match the configured proposals rather than one of the weaker suites the client also offers.

FG # diagnose vpn ike gateway list
vd: root/0
name: l2tp-tunnel1_0
version: 1
interface: wan1 6
addr: 10.0.0.254:500 -> 10.0.0.1:500
created: 2244s ago
IKE SA: created 2/2  established 2/2  time 10/10/10 ms
IPsec SA: created 2/3  established 2/3  time 0/10/20 ms

  id/spi: 22 *********************************
  direction: responder
  status: established 1922-1922s ago = 10ms
  proposal: aes256-sha1
  key: *******************************************************************
  lifetime/rekey: 28800/26607
  DPD sent/recv: 00000000/00000000

  id/spi: 21 *********************************
  direction: responder
  status: established 2244-2244s ago = 10ms
  proposal: aes256-sha1
  key: *******************************************************************
  lifetime/rekey: 28800/26285
  DPD sent/recv: 00000000/00000000
FG # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=l2tp-tunnel1_0 ver=1 serial=14 10.0.0.254:0->10.0.0.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/136 options[0088]=npu rgwy-chg
 parent=l2tp-tunnel1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=1047 olast=1 ad=/0
stat: rxp=224 txp=193 rxb=22592 txb=9142
dpd: mode=off on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=l2tp-tunnel1 proto=17 sa=2 ref=3 serial=1 transport-mode add-route
  src: 17:10.0.0.254-10.0.0.254:1701
  dst: 17:10.0.0.1-10.0.0.1:0
  SA:  ref=4 options=1a6 type=00 soft=0 mtu=1454 expire=2543/0B replaywin=1024
       seqno=4c2 esn=0 replaywin_lastseq=000000da itn=0
  life: type=01 bytes=0/0 timeout=3591/3600
  dec: spi=c2eae18b esp=aes key=16 ********************************
       ah=sha1 key=20 ****************************************
  enc: spi=87e2ee08 esp=aes key=16 ********************************
       ah=sha1 key=20 ****************************************
  dec:pkts/bytes=218/8389, enc:pkts/bytes=193/17304
  npu_flag=00 npu_rgwy=10.0.0.1 npu_lgwy=10.0.0.254 npu_selid=f
  SA:  ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=2259/0B replaywin=1024
       seqno=401 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=3589/3600
  dec: spi=c2eae18a esp=aes key=16 ********************************
       ah=sha1 key=20 ****************************************
  enc: spi=3f6d50ee esp=aes key=16 ********************************
       ah=sha1 key=20 ****************************************
  dec:pkts/bytes=1/28, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=10.0.0.1 npu_lgwy=10.0.0.254 npu_selid=f
------------------------------------------------------
name=l2tp-tunnel1 ver=1 serial=a 10.0.0.254:0->0.0.0.0:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/8 options[0008]=npu
proxyid_num=0 child_num=1 refcnt=4 ilast=1413 olast=1413 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=1
ipv4 route tree:
10.0.0.1->10.0.0.1 0

Windows 11 client-side information

The state on the Windows 11 side is as follows. `NlMtu(Bytes) : 1300` on the forti-vpn-01 interface shows the MTU is 1300, and the main-mode and quick-mode SAs show the negotiated AES256/SHA1/DH14 over IKEv1 and AES128/SHA1 transport-mode ESP without PFS.

PS > Get-NetIPsecMainModeSA
Name                                : 14
LocalEndpoint                       : 10.0.0.1
RemoteEndpoint                      : 10.0.0.254
LocalFirstId.Identity               :
LocalFirstId.ImpersonationType      : None
LocalFirstId.AuthenticationMethod   : PresharedKey
LocalFirstId.Flags                  : None
RemoteFirstId.Identity              :
RemoteFirstId.ImpersonationType     : None
RemoteFirstId.AuthenticationMethod  : PresharedKey
RemoteFirstId.Flags                 : None
LocalSecondId.Identity              :
LocalSecondId.ImpersonationType     :
LocalSecondId.AuthenticationMethod  :
LocalSecondId.Flags                 :
RemoteSecondId.Identity             :
RemoteSecondId.ImpersonationType    :
RemoteSecondId.AuthenticationMethod :
RemoteSecondId.Flags                :
CipherAlgorithm                     : AES256
HashAlgorithm                       : SHA1
GroupId                             : DH14
KeyModule                           : IkeV1
MaxQMSAs                            : 0
LifetimeSeconds                     : 28800
LocalUdpEncapsulationPort           :
RemoteUdpEncapsulationPort          :
ExtendedFilterId                    : 0
PS > Get-NetIPsecQuickModeSA
Name                       : 17
LocalEndpoint              : 10.0.0.1
RemoteEndpoint             : 10.0.0.254
TransportLayerFilterName   : L2TP Client Specific Filter
EncapsulationMode          : Transport
Direction                  : Inbound
LocalPort                  : 1701
RemotePort                 : 1701
IpProtocol                 : 17
InterfaceAlias             : USB-LAN
RealIfProfileId            : 0
LocalUdpEncapsulationPort  :
RemoteUdpEncapsulationPort :
SPI                        : 2279796232
FirstTransformType         : EspAuthAndCipher
FirstIntegrityAlgorithm    : SHA1
FirstCipherAlgorithm       : AES128
SecondSpi                  :
SecondTransformType        : None
SecondIntegrityAlgorithm   : None
SecondCipherAlgorithm      : None
Flags                      : NoExplicitCredMatch, AllowNullTargetNameMatch
MmSaId                     : 14
PfsGroupId                 : None
PeerV4PrivateAddress       : 0.0.0.0
QuickModeFilterid          : 81170
LifetimeSeconds            : 3600
LifetimeKilobytes          : 250000
LifetimePackets            : 2147483647
IdleDurationSeconds        : 300
NdAllowClearTimeoutSeconds : 0
NapContext                 : 0
QmSaId                     : 1250073476
VirtualIfTunnelId          : 0
TrafficSelectorId          : 0
MmTargetName               :
EmTargetName               :
ExplicitCredentials        :

Name                       : 17
LocalEndpoint              : 10.0.0.1
RemoteEndpoint             : 10.0.0.254
TransportLayerFilterName   : L2TP Client Specific Filter
EncapsulationMode          : Transport
Direction                  : Outbound
LocalPort                  : 1701
RemotePort                 : 1701
IpProtocol                 : 17
InterfaceAlias             : 0
RealIfProfileId            : 0
LocalUdpEncapsulationPort  :
RemoteUdpEncapsulationPort :
SPI                        : 3270173067
FirstTransformType         : EspAuthAndCipher
FirstIntegrityAlgorithm    : SHA1
FirstCipherAlgorithm       : AES128
SecondSpi                  :
SecondTransformType        : None
SecondIntegrityAlgorithm   : None
SecondCipherAlgorithm      : None
Flags                      : NoExplicitCredMatch, AllowNullTargetNameMatch
MmSaId                     : 14
PfsGroupId                 : None
PeerV4PrivateAddress       : 0.0.0.0
QuickModeFilterid          : 81170
LifetimeSeconds            : 3600
LifetimeKilobytes          : 250000
LifetimePackets            : 2147483647
IdleDurationSeconds        : 300
NdAllowClearTimeoutSeconds : 0
NapContext                 : 0
QmSaId                     : 1250073476
VirtualIfTunnelId          : 0
TrafficSelectorId          : 0
MmTargetName               :
EmTargetName               :
ExplicitCredentials        :
PS > Get-NetIPInterface -ifIndex 57 | Format-List
InterfaceIndex                  : 57
InterfaceAlias                  : forti-vpn-01
CompartmentId                   : 1
AddressFamily                   : IPv4
Forwarding                      : Disabled
ClampMss                        : Disabled
Advertising                     : Disabled
NlMtu(Bytes)                    : 1300
AutomaticMetric                 : Enabled
InterfaceMetric                 : 25
NeighborDiscoverySupported      : No
NeighborUnreachabilityDetection : Disabled
BaseReachableTime(ms)           : 30000
ReachableTime(ms)               : 41500
RetransmitTime(ms)              : 1000
DadTransmits                    : 0
DadRetransmitTime(ms)           : 1000
RouterDiscovery                 : ControlledByDHCP
ManagedAddressConfiguration     : Enabled
OtherStatefulConfiguration      : Enabled
WeakHostSend                    : Disabled
WeakHostReceive                 : Disabled
IgnoreDefaultRoutes             : Disabled
AdvertisedRouterLifetime        : 00:30:00
AdvertiseDefaultRoute           : Disabled
CurrentHopLimit                 : 0
ForceArpNdWolPattern            : Disabled
DirectedMacWolPattern           : Disabled
EcnMarking                      : AppDecide
Dhcp                            : Disabled
ConnectionState                 : Connected
PolicyStore                     : ActiveStore
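The two cmdlet outputs above are read by eye. The following PowerShell is added here as an example (not code from the original article): it pulls the live main-mode and quick-mode SAs towards the FortiGate and checks each field against the values the phase 1 / phase 2 configuration on this page is meant to enforce, flagging any mismatch or weak suite. The server address 10.0.0.254 and the expected values are assumptions taken from this page.

```powershell
# Added example (not code from the original article): compare the live IKE/IPsec SAs of the
# L2TP/IPsec connection with the parameters the FortiGate phase1/phase2 configuration is
# meant to enforce, so a mismatch (or a weak suite) is flagged instead of read by eye.
# Assumptions: the server address and the expected values are the ones used on this page.
$Server = '10.0.0.254'

# Expected IKEv1 main-mode parameters (phase1-interface: aes256-sha1, dhgrp 14, keylife 28800).
$ExpectedMainMode = @{
    KeyModule       = 'IkeV1'
    CipherAlgorithm = 'AES256'
    HashAlgorithm   = 'SHA1'
    GroupId         = 'DH14'
    LifetimeSeconds = 28800
}
# Expected quick-mode parameters (phase2-interface: aes128-sha1, transport mode, pfs disable, keylifeseconds 3600).
$ExpectedQuickMode = @{
    EncapsulationMode       = 'Transport'
    FirstTransformType      = 'EspAuthAndCipher'
    FirstCipherAlgorithm    = 'AES128'
    FirstIntegrityAlgorithm = 'SHA1'
    PfsGroupId              = 'None'
    LifetimeSeconds         = 3600
}
# Suites the Windows client still proposes but that must never be selected.
$WeakCiphers = @('DES', 'DES3')

function Compare-SaToPolicy {
    param(
        [Parameter(Mandatory)] $Sa,
        [Parameter(Mandatory)] [hashtable] $Expected,
        [string] $Label
    )
    # Compare every expected field as a string so enums (DH14, Transport, ...) and integers line up.
    $mismatches = @(foreach ($key in $Expected.Keys) {
        $actual = [string] $Sa.$key
        if ($actual -ne [string] $Expected[$key]) {
            '{0}={1} (expected {2})' -f $key, $actual, $Expected[$key]
        }
    })
    [pscustomobject]@{
        Sa         = $Label
        Compliant  = ($mismatches.Count -eq 0)
        Mismatches = ($mismatches -join '; ')
    }
}

$mm = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Server })
$qm = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Server -and $_.RemotePort -eq 1701 })
if ($mm.Count -eq 0 -or $qm.Count -eq 0) {
    throw "No main-mode/quick-mode SA towards $Server found; is the VPN connected?"
}

$results = @()
foreach ($sa in $mm) {
    $results += Compare-SaToPolicy -Sa $sa -Expected $ExpectedMainMode -Label "MainMode #$($sa.Name)"
}
foreach ($sa in $qm) {
    $results += Compare-SaToPolicy -Sa $sa -Expected $ExpectedQuickMode -Label "QuickMode $($sa.Direction) SPI $($sa.SPI)"
    if ($WeakCiphers -contains [string] $sa.FirstCipherAlgorithm) {
        Write-Warning "Weak ESP cipher $($sa.FirstCipherAlgorithm) negotiated on SPI $($sa.SPI)"
    }
}
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) { exit 1 }
```

Exiting with code 1 on any mismatch makes the check usable from a scheduled task or a login script. The warning on DES/3DES is there because the client keeps proposing those suites; only the FortiGate's `set proposal` lines stop them from being chosen, and this check catches the case where someone widens those lines later.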

References
FortiOS 6.0.0 CLI Reference
FortiGateでVPN(L2TP/IPsec)を設定しよう