ClemensD
Visitor III
January 24, 2025
Solved

FortiClient IPsec "implied_SPDO" Inconsistency

Greetings,

We're currently trying to build our new IPsec VPN config, coming from SSL-VPN.

While reading the XML Reference Guide for configuring IPsec, I stumbled upon an inconsistency regarding "implied_SPDO".

The "<implied_SPDO>" and the "<implied_SPDO_timeout>" entries literally contradict each other.

For example on: https://docs.fortinet.com/document/forticlient/7.4.2/xml-reference-guide/96295 (however, it's the same in all versions that I looked at).

implied_SPDO states that Internet traffic is allowed when it's set to 1.

implied_SPDO_timeout, however, states that "FortiClient blocks all outbound non-IKE packets when <implied_SPDO> is set to 1" and "Thus, setting <implied_SPDO> to 1 may have the side effect of blocking access to the captive portal, which in turn blocks access to the IPsec VPN server".

Which makes no sense; according to various KB articles here, it looks like non-IKE packets are allowed when implied_SPDO is set to 1 instead of being blocked.

So what is the actual behaviour of the client there?

Regards,

Best answer by MZBZ
1 reply

MZBZ (Staff), Answer
January 27, 2025

Doc for SDPO will be updated. The UI and some naming as well.

SDPO disabled: all non-IKE traffic to any IP addresses other than the IKE gateway is blocked during the IPsec phase 1 negotiation.

SDPO enabled: the above behavior is not enforced, so you can reach the captive portal if needed.