FortiClient
ctan
Staff
Article Id 194746

Description

This article describes how to prevent the client machine's network connection from being interrupted while FortiClient establishes an IPsec dialup tunnel.
 
Solution

While FortiClient is establishing an IPsec tunnel, the client's network connection is interrupted: FortiClient only permits IPsec protocol traffic on UDP 500 and 4500, and all other traffic is blocked.
If even a short disconnection on the client machine cannot be tolerated, two settings in the FortiClient configuration must be changed so that all traffic is allowed through during the IPsec dialup.
 
This is expected behavior: as a security feature of the IPsec implementation, FortiClient only allows traffic on IPsec UDP ports 500 and 4500 while the tunnel is being established.
 
Note.
This change must be made in the XML configuration file.
 
1) On the client machine, launch FortiClient and unlock it with administrator rights by selecting the 'Lock' icon and entering the administrator password when prompted.
 
 
 
 
 
2) Select the 'Settings' icon, back up the FortiClient configuration, and choose the destination.
 
 
 
 
3) Open the saved XML configuration file (.conf) and look for <implied_SPDO> and <implied_SPDO_timeout>. Make sure to edit the desired IPsec connection, because each IPsec connection has its own <implied_SPDO> and <implied_SPDO_timeout> settings.
 
Example.
 
<name>Dialup IPsec 01</name> 
... 
... 
<ike_settings> 
<version>1</version> 
<implied_SPDO>0</implied_SPDO> 
<implied_SPDO_timeout>0</implied_SPDO_timeout> 
... 
 
4) Change the two settings and save the XML configuration file.
 
<implied_SPDO>: change to 1 
<implied_SPDO_timeout>: change to any value greater than 0. This is how long the timeout holds before the network is disconnected; the value is in seconds.
 
Example, with the timeout changed to 100 seconds: 
 
<ike_settings> 
<version>1</version> 
<implied_SPDO>1</implied_SPDO> 
<implied_SPDO_timeout>100</implied_SPDO_timeout> 
 
5) Return to FortiClient and perform 'Restore': choose the modified XML configuration file, enter the password and select 'OK'.
 
 
 
 
6) FortiClient will display the message 'Configuration restored successfully'.
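Steps 3 and 4 above are an easy place to slip, because every tunnel carries its own <implied_SPDO> and <implied_SPDO_timeout> pair and editing the wrong one silently changes nothing. The script below is an added example (not Fortinet's code, and not part of this article) that patches exactly one named tunnel in the exported backup, refuses a timeout of 0, and reports every tunnel's settings so the change can be checked before the file is restored. The wrapper elements in the constructed sample file are assumptions; only <name>, <ike_settings>, <implied_SPDO> and <implied_SPDO_timeout> come from the article.

```python
"""Patch a FortiClient XML backup: enable implied SPDO with a timeout for one tunnel."""
import xml.etree.ElementTree as ET

# Constructed sample backup. Only <name>, <ike_settings>, <implied_SPDO> and
# <implied_SPDO_timeout> are from the article; the surrounding elements are assumed.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <vpn><ipsecvpn><connections>
    <connection>
      <name>Dialup IPsec 01</name>
      <ike_settings>
        <version>1</version>
        <implied_SPDO>0</implied_SPDO>
        <implied_SPDO_timeout>0</implied_SPDO_timeout>
      </ike_settings>
    </connection>
    <connection>
      <name>Dialup IPsec 02</name>
      <ike_settings>
        <version>1</version>
        <implied_SPDO>0</implied_SPDO>
        <implied_SPDO_timeout>0</implied_SPDO_timeout>
      </ike_settings>
    </connection>
  </connections></ipsecvpn></vpn>
</forticlient_configuration>
"""


def spdo_settings(conf_xml: str) -> dict:
    """Map each tunnel name to its (implied_SPDO, implied_SPDO_timeout) values."""
    root = ET.fromstring(conf_xml)
    result = {}
    for conn in root.iter():  # any element holding both <name> and <ike_settings> is a tunnel
        name, ike = conn.find("name"), conn.find("ike_settings")
        if name is not None and ike is not None:
            result[name.text] = (ike.findtext("implied_SPDO"), ike.findtext("implied_SPDO_timeout"))
    return result


def set_implied_spdo(conf_xml: str, connection_name: str, timeout_seconds: int) -> str:
    """Return the config with implied_SPDO=1 and the timeout set on one named tunnel only."""
    if timeout_seconds <= 0:
        raise ValueError("implied_SPDO_timeout must be greater than 0 seconds")
    root = ET.fromstring(conf_xml)
    patched = 0
    for conn in root.iter():
        name, ike = conn.find("name"), conn.find("ike_settings")
        if name is None or ike is None or name.text != connection_name:
            continue
        for tag, value in (("implied_SPDO", "1"), ("implied_SPDO_timeout", str(timeout_seconds))):
            node = ike.find(tag)
            if node is None:  # create the element if this tunnel lacks it
                node = ET.SubElement(ike, tag)
            node.text = value
        patched += 1
    if patched != 1:  # refuse to write if the name is missing or ambiguous
        raise LookupError(f"expected exactly one tunnel named {connection_name!r}, found {patched}")
    return ET.tostring(root, encoding="unicode")
```

Run spdo_settings() on the patched output and confirm only the intended tunnel reads ('1', '100') before restoring the file in step 5.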
 
 