Description
This document will explain how to maintain Internet access during IPsec SA negotiation for dial-up FortiClient VPN. Maintaining this access may be necessary for some scenarios such as for two-factor email authentication.
Scope
FortiClient.
Solution
By default, FortiClient blocks Internet traffic during the IPsec SA negotiation. If you are using email two-factor authentication, you will therefore be unable to receive the email on the connecting computer and would need another device to receive it.
To allow Internet traffic to pass during the IPsec SA negotiation (so that the connecting computer can receive the email), change the value of the <implied_SPDO> tag in the FortiClient XML configuration file from 0 to 1.
However, a side effect of changing <implied_SPDO> to 1 is that access to a captive portal can be blocked, which in turn blocks access to the IPsec VPN server. To allow all outbound traffic, including non-IKE traffic, set <implied_SPDO_timeout> to a value between 30 and 60 seconds.
Set the tags to:
<implied_SPDO>1</implied_SPDO>
<implied_SPDO_timeout>30</implied_SPDO_timeout>
The tags are located under:
<ipsecvpn>
  <connections>
    <connection>
      <ike_settings>
        <implied_SPDO>
        <implied_SPDO_timeout>
These options are available for FortiClient version 6.2.1 and above.
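The following script is an added example, not Fortinet's code or part of the original article. It applies the change above to an exported FortiClient configuration with the standard library XML parser: it walks the ipsecvpn/connections/connection/ike_settings path, sets <implied_SPDO> to 1 and <implied_SPDO_timeout> to the chosen value (refusing anything outside the 30 to 60 second range the article recommends), creates the tags if a connection lacks them, and reports the before/after state so the edit can be verified before the file is imported back. It assumes the configuration was exported as plain, unencrypted XML; the embedded sample configuration, the connection names and the script name are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a FortiClient-style XML configuration: one dial-up
# connection with the tags at their default (0) and one with no
# implied_SPDO tags at all. Connection names are hypothetical; a real
# export contains far more elements than shown here.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <ipsecvpn>
    <connections>
      <connection>
        <name>HQ-dialup</name>
        <ike_settings>
          <implied_SPDO>0</implied_SPDO>
          <implied_SPDO_timeout>0</implied_SPDO_timeout>
        </ike_settings>
      </connection>
      <connection>
        <name>Lab-dialup</name>
        <ike_settings/>
      </connection>
    </connections>
  </ipsecvpn>
</forticlient_configuration>
"""

# Path from the article: ipsecvpn > connections > connection > ike_settings
CONNECTION_PATH = "./ipsecvpn/connections/connection"


def set_implied_spdo(xml_text, timeout=30, connection_name=None):
    """Set <implied_SPDO>1</implied_SPDO> and <implied_SPDO_timeout> under
    ike_settings of every dial-up connection (or only the named one).
    Returns (updated_xml_text, list of connection names changed)."""
    if not 30 <= timeout <= 60:
        # The article recommends 30 to 60 seconds; refuse anything else.
        raise ValueError("implied_SPDO_timeout must be between 30 and 60 seconds")
    root = ET.fromstring(xml_text)
    changed = []
    for conn in root.findall(CONNECTION_PATH):
        name = conn.findtext("name", default="")
        if connection_name is not None and name != connection_name:
            continue
        ike = conn.find("ike_settings")
        if ike is None:
            ike = ET.SubElement(conn, "ike_settings")
        for tag, value in (("implied_SPDO", "1"),
                           ("implied_SPDO_timeout", str(timeout))):
            el = ike.find(tag)
            if el is None:  # tag missing for this connection: create it
                el = ET.SubElement(ike, tag)
            el.text = value
        changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed


def read_implied_spdo(xml_text):
    """Map connection name -> (implied_SPDO, implied_SPDO_timeout) text,
    with None where a tag is absent. Used to verify before and after."""
    root = ET.fromstring(xml_text)
    result = {}
    for conn in root.findall(CONNECTION_PATH):
        name = conn.findtext("name", default="")
        ike = conn.find("ike_settings")
        spdo = ike.findtext("implied_SPDO") if ike is not None else None
        tmo = ike.findtext("implied_SPDO_timeout") if ike is not None else None
        result[name] = (spdo, tmo)
    return result


if __name__ == "__main__":
    # Usage: python set_spdo.py exported.xml patched.xml [timeout] [connection]
    if len(sys.argv) < 3:
        print("usage: set_spdo.py <in.xml> <out.xml> [timeout] [connection]")
        sys.exit(1)
    timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 30
    conn_name = sys.argv[4] if len(sys.argv) > 4 else None
    with open(sys.argv[1], encoding="utf-8") as f:
        original = f.read()
    print("before:", read_implied_spdo(original))
    patched, changed = set_implied_spdo(original, timeout, conn_name)
    with open(sys.argv[2], "w", encoding="utf-8") as f:
        # ET.tostring() drops the XML declaration; restore it on write.
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + patched)
    print("updated connections:", changed)
    print("after:", read_implied_spdo(patched))
```

Run it against a plain XML export and inspect the printed before/after map before importing the patched file; passing a connection name limits the change to that one dial-up profile, which is the cautious choice when the same client also holds connections that rely on a captive portal.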
(FortiClient v6.2.1, MFA, Email Authentication.)
Copyright 2025 Fortinet, Inc. All Rights Reserved.