ctan (Staff)
October 11, 2021

Technical Tip: Client network lost connectivity when FortiClient is connecting to IPsec dialup to FortiGate

Description: This article describes how to prevent the client machine's network connection from dropping while FortiClient connects to an IPsec dial-up VPN.
Scope: FortiClient, FortiClient EMS.
Solution

While FortiClient is establishing an IPsec dial-up connection, the client machine's network is disconnected: FortiClient allows only the IPsec protocol traffic on UDP ports 500 and 4500 and blocks all other traffic.

If even a short disconnection on the client machine cannot be tolerated, two settings in the FortiClient configuration must be changed so that all traffic is allowed through during the IPsec dial-up.

This is expected behavior: as a security feature of the IPsec client, FortiClient permits only IPsec traffic on UDP ports 500 and 4500 while the tunnel is being negotiated.

Note: This change has to be made via an XML configuration file or directly in the Remote Access profile in FortiClient EMS.

  1. On the client machine, launch FortiClient and unlock it with administrator rights by selecting the 'Lock' icon and entering the administrator password when prompted.

  2. Select the 'Settings' icon, back up the FortiClient configuration, and select the destination.

  3. Open the saved XML configuration file (.conf) and look for <implied_SPDO> and <implied_SPDO_timeout>. Make sure to edit the desired IPsec connection, as each IPsec connection has its own <implied_SPDO> and <implied_SPDO_timeout> settings.

Example:

<name>Dialup IPsec 01</name>
...
<ike_settings>
<version>1</version>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
...

  4. Change the two values and save the XML configuration file.

<implied_SPDO> <-- Change to 1.
<implied_SPDO_timeout> <-- Change to any value greater than 0. This is the number of seconds the timeout holds before the network is disconnected.

Example, with the timeout changed to 100 seconds:

<ike_settings>
<version>1</version>
<implied_SPDO>1</implied_SPDO>
<implied_SPDO_timeout>100</implied_SPDO_timeout>

  5. Return to FortiClient, select 'Restore', choose the modified XML configuration file, enter the password, and select 'OK'.

  6. FortiClient will report 'Configuration restored successfully'.

  7. To make the same change for endpoints managed through FortiClient EMS, open 'FortiClient EMS' -> 'Endpoint Profiles' -> 'Remote Access'.

  8. Find the VPN profile in use on the endpoints and select 'Edit'.

  9. On the screen that opens, select XML and then 'Edit' at the bottom center of the screen.

  10. The editing screen opens. Look for the XML tags and edit them as shown in step 4.
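The step 4 edit applied to a saved backup with a script instead of by hand, as an added example that is not Fortinet's or FortiClient's own code: it changes only the connection whose <name> matches, refuses a timeout that is not greater than 0, and leaves every other dial-up profile untouched. The outer element names in the constructed sample (forticlient_configuration, vpn, ipsecvpn, connections, connection) are assumptions; the script itself relies only on the <name> and <ike_settings> tags shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup with two dial-up connections, each with its own <ike_settings>.
# The outer element names are assumptions; <name>, <ike_settings>, <implied_SPDO> and
# <implied_SPDO_timeout> are the tags named in the article.
SAMPLE_CONF = """<forticlient_configuration><vpn><ipsecvpn><connections>
  <connection><name>Dialup IPsec 01</name><ike_settings><version>1</version>
    <implied_SPDO>0</implied_SPDO><implied_SPDO_timeout>0</implied_SPDO_timeout>
  </ike_settings></connection>
  <connection><name>Dialup IPsec 02</name><ike_settings><version>2</version>
    <implied_SPDO>0</implied_SPDO><implied_SPDO_timeout>0</implied_SPDO_timeout>
  </ike_settings></connection>
</connections></ipsecvpn></vpn></forticlient_configuration>"""


def _connections(root, connection_name):
    """Elements that hold a <name> matching connection_name and an <ike_settings> child."""
    return [e for e in root.iter()
            if e.find("ike_settings") is not None
            and (e.findtext("name") or "").strip() == connection_name]


def set_spdo(xml_text, connection_name, timeout_seconds):
    """Return the config with implied_SPDO=1 and the given timeout (seconds) on the
    named connection only; raise if the timeout is not > 0 or the name is not unique."""
    if timeout_seconds <= 0:
        raise ValueError("implied_SPDO_timeout must be greater than 0 seconds")
    root = ET.fromstring(xml_text)
    targets = _connections(root, connection_name)
    if len(targets) != 1:
        raise LookupError(f"expected one connection named {connection_name!r}, found {len(targets)}")
    ike = targets[0].find("ike_settings")
    for tag, value in (("implied_SPDO", "1"), ("implied_SPDO_timeout", str(timeout_seconds))):
        node = ike.find(tag)
        if node is None:  # tag missing from this profile: create it under <ike_settings>
            node = ET.SubElement(ike, tag)
        node.text = value
    return ET.tostring(root, encoding="unicode")


def read_spdo(xml_text, connection_name):
    """Return (implied_SPDO, implied_SPDO_timeout) as strings for the named connection."""
    ike = _connections(ET.fromstring(xml_text), connection_name)[0].find("ike_settings")
    return ike.findtext("implied_SPDO"), ike.findtext("implied_SPDO_timeout")


if __name__ == "__main__":
    updated = set_spdo(SAMPLE_CONF, "Dialup IPsec 01", 100)
    print(read_spdo(updated, "Dialup IPsec 01"))  # ('1', '100')
    print(read_spdo(updated, "Dialup IPsec 02"))  # ('0', '0'), other connection untouched
```

Feed the real backup file's text in place of SAMPLE_CONF and write the returned string back to a .conf file for the 'Restore' step.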
