marconet-22
Explorer II
October 23, 2025
Solved

Dial UP Client VPN to Fortigate and forward outside IPSec tunnel


Hi

I have an issue with changing my configuration from SSL VPN to IPsec.

I followed the instructions to build a FortiClient dial-up connection.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiClient-Dialup-IPsec-VPN-Split-Tunneling/ta-p/192207

I have an issue with split tunnelling: in the Windows environment the individual routes assigned via split tunnel don't appear, only the default route. From an Android tablet it seems to work.

I created 2 policies:

1st: Dial Up Tunnel -> Local LAN                 OK

2nd: Dial Up Tunnel -> other IPsec tunnel        KO

The 2nd policy doesn't work: in diag I see the packet sent, but I don't receive an answer.

What can I test?

Best answer by AEK

You should check the selectors (in IPsec config) on both FortiGates and firewall policies as well.

funkylicious
SuperUser
October 23, 2025

Hi,

try on the Windows computer:

  1. Uninstall FortiClient from your computer.
  2. Reboot your computer.
  3. Install FortiClient again.

"jack of all trades, master of none"
AEK
SuperUser
October 23, 2025

Hi Marco

Regarding the second policy that doesn't work:

When you do diag sniffer, do you see the packet being forwarded to the IPsec tunnel?

And do you see it reach the remote FortiGate? If so, what is the source IP of the packet that you see on the remote FGT? I mean, usually we forget to add a route back and a firewall policy that handles the dial-up clients' range.

AEK
marconet-22
Explorer II
October 24, 2025

I see the "syn" packet from the IPsec tunnel, but on the remote gateway I don't see it.

AEK
SuperUser
October 26, 2025

You should check the selectors (in IPsec config) on both FortiGates and firewall policies as well.

AEK
yderek
Staff
October 26, 2025

@marconet-22

What does the second policy look like? You can paste it here by using

======================

show firewall policy xx ---> xx will be your policy ID

======================

Can you get a sniffer capture of the packet along with the debug flow to check?

Open CLI window 1 on FortiGate

======================

dia sniffer packet any 'host x.x.x.x and host y.y.y.y' 4 0 l  ----> replace x.x.x.x with the source and y.y.y.y with the destination

======================

Open CLI window 2 on FortiGate

======================

diag de reset
diag debug flow filter clear
diag debug flow filter addr x.x.x.x y.y.y.y and  ----> make sure you have 'and' at the end, this is a logical operator
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 1000
diag deb console timestamp enable
diag de enable

======================

Now send traffic that should go from the dial-up tunnel towards the IPsec tunnel and let the debug run.

To stop the debug:

in CLI window 1 use 'ctrl + c'

in CLI window 2 use

======================

dia de dis

dia de reset

======================

Attach them as a file and upload them here.

marconet-22
Explorer II
October 30, 2025

Hi

I solved the issue: the policy from DialUp-IPSec to the IPsec tunnel mustn't NAT the source IP.

I can NAT traffic only from DialUp-IPSec to the internal LAN.

From the remote FortiGate I couldn't see the traffic because the source IP address was the public IP of the client.
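
The fix from the post above, written out as an added FortiOS CLI example; it is not configuration from the thread, and every interface, address-object and subnet name in it is an assumed placeholder. It also shows the phase 2 selector and the return route on the remote FortiGate that AEK's reply asked about.

```fortios
# Added example, not configuration from the thread. Assumed placeholders:
# "DialUp" = FortiClient dial-up phase1-interface, "Site2Site" = site-to-site
# tunnel, 10.10.10.0/24 = dial-up client range, 192.168.50.0/24 = remote LAN.
# Address objects "DialUp_Range" and "Remote_LAN" are assumed to exist.

# Policy 2 as it failed: "set nat enable" rewrote the client source address,
# so the remote FortiGate never saw a packet from 10.10.10.0/24 and could
# not reply through the tunnel.
#     edit 2
#         set srcintf "DialUp"
#         set dstintf "Site2Site"
#         set nat enable
#     next

# Policy 2 corrected on the hub: no source NAT between the two tunnels.
config firewall policy
    edit 2
        set name "DialUp-to-Site2Site"
        set srcintf "DialUp"
        set dstintf "Site2Site"
        set srcaddr "DialUp_Range"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Phase 2 selector on the hub must cover the dial-up range; the remote
# FortiGate needs the mirror image (src 192.168.50.0/24, dst 10.10.10.0/24).
config vpn ipsec phase2-interface
    edit "Site2Site-DialUp"
        set phase1name "Site2Site"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# Remote FortiGate: route back to the dial-up range over the tunnel, plus
# a Site2Site -> LAN policy whose srcaddr includes "DialUp_Range".
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "Site2Site"
    next
end
```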

AEK
SuperUser
October 30, 2025

Hi Marco

Glad to see that you fixed it. You can mark your last post as solution so it can help other members.

AEK