Description
This article describes an example configuration of a dial-up IPsec VPN with split tunneling, which allows remote clients to securely access the resources of the protected internal network behind FortiGate while browsing the Internet directly through their local gateway.
When a dial-up IPsec VPN client connects to the VPN, it effectively becomes a member of the local network behind FortiGate. For this reason, all of its traffic (including Internet traffic) is forwarded inside the IPsec tunnel to FortiGate, inspected by the applicable firewall policies, forwarded to the Internet, and then returned to the client back through FortiGate.
As expected, this introduces some latency in Internet browsing for a remote VPN client that needs to access both the Internet and the protected network behind FortiGate at the same time.
The solution is split tunneling, which lets remote clients reach the Internet considerably faster because Internet traffic is forwarded directly out of the local gateway. Of course, this is a valid solution only if inspection of the Internet traffic that the clients initiate is not required or imposed by corporate security policies.
Scope
FortiClient.
Solution
Configuration GUI:
The dial-up IPsec VPN can be configured easily with the VPN Wizard. The only difference from a standard dial-up setup is that the Enable IPv4 Split Tunnel checkbox must be selected and the internal network must be referenced under Accessible Networks.
Configuration CLI:
config vpn ipsec phase1-interface
    edit "Dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.192
        set dns-mode auto
        set ipv4-split-include "Internal_Network"    <-- Local protected network that the remote dial-up IPsec clients reach.
        set save-password enable
        set psksecret ENC XXXXXXXXXXX
    next
end
config vpn ipsec phase2-interface
    edit "Dialup_IPsec_P2"
        set phase1name "Dialup_IPsec"
        set comments "VPN: test (Created by VPN wizard)"
    next
end
config firewall policy
    edit 1
        set uuid c4f880da-82bf-51e4-42f1-07e26a76bba6
        set srcintf "Dialup_IPsec"
        set dstintf "port1"
        set srcaddr "Dialup_IPsec_range"    <-- This is the IP address range 10.10.10.1-10 that matches the range configured under Phase 1 (ipv4-start-ip & ipv4-end-ip).
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set nat enable
    next
end
config firewall address
    edit "Dialup_IPsec_range"
        set uuid c4f347d2-82bf-51e4-ac01-a18581f0eec8
        set type iprange
        set comment "VPN: Dialup_IPsec (Created by VPN wizard)"
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end
Verification of Configuration and Troubleshooting:
FortiGate verification:
- Check the configuration as it is seen by the IKE daemon: diag vpn ike config list.
- List IKE SA: diag vpn ike gateway list name <Phase1>.
- List IPsec SA: diag vpn tunnel list name <Phase1>.
- Check the status of all tunnels (equivalent to GUI VPN monitor): get ipsec tunnel list.
- Check routes that were installed by IKE daemon (applicable only for dialup IPsec VPN): diag vpn ike routes list.
Windows host verification:
When the user is not connected to the dial-up IPsec VPN:
C:\Users\Andreas>ipconfig
!!! OUTPUT OMITTED !!!
Windows IP Configuration.
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix. : fortinet-emea.com
Link-local IPv6 Address . . . . . : fe80::3dff:5375:ff3b:1697%11
IPv4 Address. . . . . . . . . . . : 192.168.196.62
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.196.254
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Andreas>route print
!!! OUTPUT OMITTED !!!
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.196.254 192.168.196.62 10 <-- Default route out the local gateway. Dialup IPsec VPN routes are not present, as the client is not connected to the VPN.
When the dial-up IPsec VPN user is connected to the VPN:
C:\Users\Andreas>ipconfig
!!! OUTPUT OMITTED !!!
Windows IP Configuration.
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : fortinet-emea.com
Link-local IPv6 Address . . . . . : fe80::3dff:5375:ff3b:1697%11
IPv4 Address. . . . . . . . . . . : 192.168.196.62
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.196.254
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::6d4b:6900:1004:360b%15
IPv4 Address. . . . . . . . . . . : 10.10.10.1
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . :
C:\Users\Andreas>route print
!!! OUTPUT OMITTED !!!
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.196.254 192.168.196.62 10 <-- The default route out the local gateway is still present in the user's routing table, so Internet traffic is still forwarded out the local gateway.
10.10.10.0 255.255.255.192 On-link 10.10.10.1 276 <-- Route out FortiGate gateway, created after the user connects to the VPN.
10.10.10.1 255.255.255.255 On-link 10.10.10.1 276 <-- Route out FortiGate gateway, created after the user connects to the VPN.
10.182.0.0 255.255.252.0 10.10.10.2 10.10.10.1 20 <-- This is the route to reach the remote protected network behind FortiGate.
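The verification above can be automated: the following added example (not part of the original article) parses the Active Routes section of `route print`, applies longest-prefix-match and lowest-metric selection, and reports whether Internet traffic stays on the local gateway while the protected network is reached through the tunnel. It assumes the mode-cfg pool 10.10.10.0/26 (from ipv4-netmask) and the protected network 10.182.0.0/22 shown in the output; the full-tunnel sample is constructed for contrast.

```python
import ipaddress
import re

# Constructed sample input: the "Active Routes" section of `route print` after
# the client connects with split tunneling enabled (values taken from the
# article's output: default route via the local gateway, protected network via
# the tunnel gateway 10.10.10.2 on the virtual adapter 10.10.10.1).
ROUTE_PRINT_SPLIT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254  192.168.196.62     10
       10.10.10.0  255.255.255.192         On-link       10.10.10.1    276
       10.10.10.1  255.255.255.255         On-link       10.10.10.1    276
       10.182.0.0    255.255.252.0       10.10.10.2       10.10.10.1     20
"""

# Constructed sample: what the table would look like with a full tunnel, i.e.
# a second default route through the VPN adapter with a better (lower) metric.
ROUTE_PRINT_FULL = ROUTE_PRINT_SPLIT + \
    "          0.0.0.0          0.0.0.0       10.10.10.2       10.10.10.1      1\n"

ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from `route print` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes

def best_route(routes, dest):
    """Longest-prefix match, then lowest metric: the route Windows selects for `dest`."""
    candidates = [r for r in routes if dest.subnet_of(r[0])]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def check_split_tunnel(text, vpn_pool, protected_net):
    """Report whether Internet traffic stays local while the protected network uses the tunnel."""
    pool = ipaddress.ip_network(vpn_pool)
    routes = parse_routes(text)
    internet = best_route(routes, ipaddress.ip_network("0.0.0.0/0"))
    protected = best_route(routes, ipaddress.ip_network(protected_net))
    # A route leaves via the tunnel when its interface is an address from the mode-cfg pool.
    via_tunnel = lambda r: r is not None and ipaddress.ip_address(r[2]) in pool
    return {
        "internet_via_local_gateway": internet is not None and not via_tunnel(internet),
        "protected_via_tunnel": via_tunnel(protected),
    }
```

Run it against the live output with `check_split_tunnel(subprocess.check_output(["route", "print"], text=True), "10.10.10.0/26", "10.182.0.0/22")`; both flags must be True for a working split tunnel.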