FortiGate
epiquette (Staff)
Article Id 192207

Description

 
This article describes an example of the configuration of a dial-up IPsec VPN with Split Tunneling to allow remote clients to securely access the resources of the internally protected network located behind FortiGate and at the same time, browse the Internet directly from their local gateway.

When a dial-up IPsec VPN client is connected to the VPN, it effectively becomes a member of the local network located behind FortiGate. For this reason, all of its traffic (even Internet traffic) has to be forwarded inside the IPsec tunnel to FortiGate, inspected by the respective firewall policies, forwarded to the Internet, and then sent back to the client through FortiGate.
As expected, this introduces some latency in Internet browsing for a remote VPN client that has to access both the Internet and the protected network behind FortiGate.

The solution is to use Split Tunneling. This allows remote clients to access the Internet considerably faster, as Internet traffic is forwarded directly out the local gateway. This is a valid solution only if inspection of the Internet traffic that the clients initiate is not desired or imposed by corporate security policies.


 

Scope

 

FortiClient.


Solution

 

Configuration GUI:

The dial-up IPsec VPN can be easily configured using the VPN Wizard. The only difference is that the Enable IPv4 Split Tunnel checkbox should be checked and the Internal Network should be referenced in the Accessible Networks.

The following videos are available for version 5.0:
The following videos are available for version 5.2:

 

Configuration CLI:
 
config vpn ipsec phase1-interface
    edit "Dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.192
        set dns-mode auto
        set ipv4-split-include "Internal_Network"   <-- Local protected network that the remote dial-up IPsec clients reach.
        set save-password enable
        set psksecret ENC XXXXXXXXXXX
    next
end


Note:
  1. Ensure the group object set in 'ipv4-split-include' includes the specific local network that the VPN client must reach, instead of 'all'. If 'all' is included in that group, the VPN client will inject the default route 0.0.0.0 into the client machine and pass all traffic through the VPN tunnel.

  2. The address object type needs to be 'subnet' instead of 'range'. Using an IP range is not supported and will add a default route of 0.0.0.0 to the VPN client machine.

config vpn ipsec phase2-interface
    edit "Dialup_IPsec_P2"
        set phase1name "Dialup_IPsec"
        set comments "VPN: test (Created by VPN wizard)"
    next
end

config firewall policy
    edit 1
        set uuid c4f880da-82bf-51e4-42f1-07e26a76bba6
        set srcintf "Dialup_IPsec"
        set dstintf "port1"
        set srcaddr "Dialup_IPsec_range"   <-- This is the IP address range 10.10.10.1-10 that matches the range configured under the Phase 1 configuration (ipv4-start-ip & ipv4-end-ip).
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set nat enable
    next
end

config firewall address
    edit "Dialup_IPsec_range"
        set uuid c4f347d2-82bf-51e4-ac01-a18581f0eec8
        set type iprange
        set comment "VPN: Dialup_IPsec (Created by VPN wizard)"
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end
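The two notes above (no 'all' in the split-include group, and subnet objects rather than IP ranges) can be checked mechanically against a saved CLI dump. The following Python script is an added example, not part of the article or of FortiOS: it parses the config/edit/set subset of the CLI syntax and flags an ipv4-split-include that resolves to the built-in 'all' object or to an address object whose type is not ipmask (the CLI name for the GUI 'Subnet' type). The sample config, the Split_Group and Bad_Range names and the address values are constructed for the example.

```python
import shlex

# Constructed sample (not a device dump); ipmask/iprange are the CLI names of the GUI Subnet/IP Range types.
SAMPLE_CONFIG = """
config firewall address
    edit "Internal_Network"
        set type ipmask
    next
    edit "Bad_Range"
        set type iprange
        set start-ip 10.182.0.1
        set end-ip 10.182.0.100
    next
end
config firewall addrgrp
    edit "Split_Group"
        set member "Internal_Network" "Bad_Range" "all"
    next
end
config vpn ipsec phase1-interface
    edit "Dialup_IPsec"
        set ipv4-split-include "Split_Group"
    next
end
"""

def parse_fortios(text):
    # Flat config/edit/set subset of FortiOS CLI -> {table: {entry: {key: [values]}}}
    tables, table, entry = {}, None, None
    for tok in filter(None, (shlex.split(ln) for ln in text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def lint_split_include(tables):
    # Flag split-include members that push a 0.0.0.0 default route: the built-in 'all' object or an IP-range object.
    findings, addrs = [], tables.get("firewall address", {})
    groups = tables.get("firewall addrgrp", {})
    for p1, cfg in tables.get("vpn ipsec phase1-interface", {}).items():
        for inc in cfg.get("ipv4-split-include", []):
            for leaf in groups.get(inc, {}).get("member", [inc]):  # expand one level
                if leaf == "all":
                    findings.append(f"{p1}: 'all' in split-include")
                elif addrs.get(leaf, {}).get("type", ["ipmask"]) != ["ipmask"]:
                    findings.append(f"{p1}: '{leaf}' is not a subnet object")
    return findings
```

An address object with no explicit type is treated as ipmask, because that is the default FortiOS omits from show output.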
 
Verification of Configuration and Troubleshooting:

FortiGate verification:
  • Check the configuration as it is seen by the IKE daemon: diag vpn ike config list.
  • List IKE SA: diag vpn ike gateway list name <Phase1>.
  • List IPsec SA: diag vpn tunnel list name <Phase1>.
  • Check the status of all tunnels (equivalent to GUI VPN monitor): get ipsec tunnel list.
  • Check routes that were installed by IKE daemon (applicable only for dialup IPsec VPN): diag vpn ike routes list.

Windows host verification:

When the user is not connected to the dialup IPsec VPN.
 
C:\Users\Andreas>ipconfig

!!! OUTPUT OMITTED !!!
 
Windows IP Configuration.

Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix. : fortinet-emea.com
   Link-local IPv6 Address . . . . . : fe80::3dff:5375:ff3b:1697%11
   IPv4 Address. . . . . . . . . . . : 192.168.196.62
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.196.254
 
Ethernet adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Users\Andreas>route print

!!! OUTPUT OMITTED !!!

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254   192.168.196.62     10     <-- Default route out the local gateway. Dialup IPsec VPN routes are not present, as the client is not connected to the VPN.

When the dial-up IPsec VPN user is connected to the VPN.

C:\Users\Andreas>ipconfig

!!! OUTPUT OMITTED !!!
 
Windows IP Configuration.

Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : fortinet-emea.com
   Link-local IPv6 Address . . . . . : fe80::3dff:5375:ff3b:1697%11
   IPv4 Address. . . . . . . . . . . : 192.168.196.62
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.196.254
 
Ethernet adapter Local Area Connection 2:
 
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::6d4b:6900:1004:360b%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Default Gateway . . . . . . . . . :

C:\Users\Andreas>route print

!!! OUTPUT OMITTED !!!

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254   192.168.196.62     10     <-- The default route out the local gateway is still present in the user's routing table, forwarding Internet traffic out the local gateway.
       10.10.10.0  255.255.255.192         On-link        10.10.10.1    276     <-- Route out the FortiGate gateway, created after the user connects to the VPN.
       10.10.10.1  255.255.255.255         On-link        10.10.10.1    276     <-- Route out the FortiGate gateway, created after the user connects to the VPN.
       10.182.0.0    255.255.252.0       10.10.10.2       10.10.10.1     20     <-- This is the route to reach the remote protected network behind FortiGate.
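The connected-state check above can be automated. This Python example is added here and is not from the article: it parses the five-column rows of Windows "route print" output and confirms that the default route does not use the VPN adapter address (10.10.10.1, assigned by mode-cfg) while the protected network 10.182.0.0/22 is reachable through that adapter. The embedded rows are constructed to mirror the output above.

```python
import ipaddress

# Constructed excerpt in the shape of Windows "route print" output while the
# client is connected (values mirror the article's walkthrough).
ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254   192.168.196.62     10
       10.10.10.0  255.255.255.192         On-link        10.10.10.1    276
       10.10.10.1  255.255.255.255         On-link        10.10.10.1    276
       10.182.0.0    255.255.252.0       10.10.10.2       10.10.10.1     20
"""

def parse_routes(text):
    # Keep only the five-column route rows; headers and separator lines are skipped.
    routes = []
    for ln in text.splitlines():
        col = ln.split()
        if len(col) == 5 and col[0][0].isdigit():
            routes.append({"dest": ipaddress.ip_network(f"{col[0]}/{col[1]}", strict=False),
                           "gw": col[2], "iface": col[3], "metric": int(col[4])})
    return routes

def check_split_tunnel(text, vpn_ip, protected):
    """Return (split_tunnel_ok, reason). vpn_ip is the address FortiGate assigned
    to the VPN adapter; protected is the internal network behind FortiGate."""
    routes = parse_routes(text)
    default = [r for r in routes if r["dest"].prefixlen == 0]
    if not default:
        return False, "no default route at all"
    if any(r["iface"] == vpn_ip for r in default):
        return False, "default route points into the tunnel (full tunnel)"
    want = ipaddress.ip_network(protected)
    if not any(r["iface"] == vpn_ip and want.subnet_of(r["dest"]) for r in routes):
        return False, f"no tunnel route covering {want}"
    return True, "internet via local gateway, protected network via tunnel"
```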

Related article: