DamianLozano
New Member
September 9, 2019
Solved

IPsec VPN (FortiClient), with split tunneling, communicate in both directions

  • September 9, 2019
  • 3 replies
  • 22610 views

Hello,

I tried several VPN settings and had a lot of problems with all of them.

The requirements are many:

* Navigate through the local gateway (Split tunneling)

* Communicate from lan to remote clients

* Communicate from remote clients to lan

I have finally created a VPN for FortiClient, following the wizard, and using split tunneling.

From the FortiGate, I can ping everything.

From a remote device, I can ping a local device.

From a local device, I cannot ping a remote device.

The wizard just created a rule for me, which allows traffic from VPN clients to local clients, with NAT enabled.

I created the reverse rule, to allow everything from LAN to VPN clients (using the VPN interface as the outgoing interface, and the VPN range as the destination addresses). I tried with and without NAT, just in case; still the same: pings to remote devices never return.

Any idea?

Thanks in advance.

Regards,

Damián


    3 replies

    orani
    New Member
    September 9, 2019

    Maybe I am wrong, but remote devices do not have a gateway, so the answer cannot be routed.

    DamianLozano
    New Member
    September 9, 2019

    Hello and thanks,

    Is there another way to accomplish the 3 requirements between a Windows device and a Fortigate?

    * Navigate through the local gateway (Split tunneling)

    * Communicate from lan to remote clients

    * Communicate from remote clients to lan

    Without split tunneling, I will have a gateway, but I will force users to access the Internet from the FortiGate, which is not desired (poor performance; I don't need users in another country to come to my router to open a web page).

    Site-to-site VPNs should work, but I don't have a FortiGate at the remote sites.

    Any other idea?

    Thanks,

    Damián

    DamianLozano
    New Member
    September 10, 2019

    Hello, thanks for your response.

    What do you mean by "did you include the remote subnet?"?

    For example, if a remote user (FortiClient user) has 192.168.50.0/24 as his local subnet, should I include this subnet? Where?

    It is weird, because maybe I don't know all the subnets from which users will connect with FortiClient.

    I have included all local subnets in the split tunneling (in a group).

    I also allowed everything between "VPN->Internal1" and "Internal1->VPN".

    On the remote PC I got routes for the local network, using the IP on the VPN adapter, and this IP is reachable.

    I will check with other VPNs maybe.

    Thanks

    Regards

    Damián

    sw2090
    SuperUser
    Best answer
    September 11, 2019

    I meant what you already have.

    I never had this case myself. I mean I do have various IPSec Tunnels with dial up Forticlient and split tunneling and several local subnets. But I never needed to communicate from local to vpn client.

    To just be able to get a ping reply or so you just need a route and policy for the direction vpn=>local subnet.

    I don't need local clients to communicate with vpn clients.

    sw2090
    SuperUser
    September 10, 2019

    Check two things:

    You enabled split tunneling, but did you include the remote subnet? You need to do that because, as Orani and you wrote, with split tunneling you don't have a gw/default router via VPN. So you need a route for each subnet or host you want to reach via the VPN.

    Best practice btw is to create an address group object and put all subnets/hosts you want to be able to reach via the vpn into this group. Then enable split tunneling and set it to this address group.

    Second: check if you have all required policies! Also mind the order of the policies. FGTs are FIFO for policies. The first one that matches the packet wins it :)
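As an added, constructed FortiOS CLI example (not from any poster in this thread) of the two checks above: an address group used as the split-tunnel include list, and one explicit policy per direction. The interface names, the LAN subnet and the client pool are assumptions.

```fortios
# Constructed example; assumed names: tunnel interface VPN_DIALUP (wizard),
# LAN interface internal1, LAN 192.168.1.0/24, client pool 10.212.134.0/24.
config firewall address
    edit "LAN_internal1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "VPN_client_pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end
# Group every subnet the clients must reach; add further LAN objects here.
config firewall addrgrp
    edit "SplitTunnel_Subnets"
        set member "LAN_internal1"
    next
end
# Only the group's subnets are pushed as routes to FortiClient; all other
# client traffic stays on the client's own local gateway.
config vpn ipsec phase1-interface
    edit "VPN_DIALUP"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-split-include "SplitTunnel_Subnets"
    next
end
# One policy per direction. Policies match top-down and the first match
# wins, so both must sit above any broader rule on the same interfaces.
config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "VPN_DIALUP"
        set dstintf "internal1"
        set srcaddr "VPN_client_pool"
        set dstaddr "SplitTunnel_Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "LAN_to_VPN"
        set srcintf "internal1"
        set dstintf "VPN_DIALUP"
        set srcaddr "SplitTunnel_Subnets"
        set dstaddr "VPN_client_pool"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

NAT is left off in both policies (the wizard policy in the thread had it on; a routed LAN-to-client path does not need it). Before blaming the policies, confirm the FortiGate actually holds a route to the client pool via the tunnel interface (`get router info routing-table all`); without it the LAN-to-client direction cannot work whatever the policies say.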