Skip to main content
DamianLozano
DamianLozano
New Member
April 3, 2020
Question

Dynamic routes for FortiCli IPsec VPN

  • April 3, 2020
  • 1 reply
  • 3997 views

Hello,

 

I have a IPsec VPN for FortiClient created the past year, it was working fine with split-tunnel

It seems that about 15 days ago, when the quarantine started in Argentina, for some unknown reason, the clients can ping to the VOIP Router but can NOT ping to other VOIP devices in the same subnet

We dont know what could we do to modify this behavior

For example:

ping 172.20.35.1 -> succesful

ping 172.20.35.160 -> failed

 

With traceroutes to both addressess, the first jump to 172.20.35.1 was 172.20.15.1 (IPsec VPN Interface IP Address in the Fortigate), but the first jump for 172.20.35.160 was my local gateway

 

So I checked the routes in the client side and I realliced that I just had a route for 172.20.35.1/32 instead of 172.20.32.0/22

This route is dynamically created, so Fortigate is giving this route to clients, where can I change this?

 

Thanks in advance.

Regards,

Damián

 

    1 reply

    JuanPabloPWR
    JuanPabloPWR
    New Member
    April 5, 2020

    Damian sos de argentina? veo que hace tiempo usas fortigate, tengo un tema parecido al tuyo con la VPN que no accede a una red generada por un tunel

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    April 6, 2020

    You can enable "split tunneling" in the FC, and add a route to that subnet. Traffic to this subnet will then always use the tunnel. NOTE: traffic to other destinations, like any host on the internet, will NOT use the VPN anymore! If you want that you have to disable split tunneling (that is, a default route is inserted pointing to the /32 gateway).

    DamianLozano
    DamianLozanoAuthor
    New Member
    April 6, 2020

    How can I enable "split tunneling" in the FortiClient? it does not have any option to be enabled and the network adapter for FortiClient does not have the option to "use default gateway in the remote network"

    Also, I dont know which gateway should I use for router.

    I assigned an IP to VPN interface in the Fortigate, but Fortigate is not assigning his IP to clients on dynamic routes, it is assigning the next IP on pool. 

    For example:

    Fortigate assign 172.20.15.68 to client and assign 172.20.15.69 as gateway in routes

    Fortigate assign 172.20.15.69 to client and assign 172.20.15.70 as gateway in routes

     

    Any Idea?

    Regards,

    Damián

     

    Terms & ConditionsAccessibility statement