|
Follow the steps below to enable full tunneling for IPsec remote access via FortiClient:
- Create an IPsec tunnel and make sure to turn off the 'ipv4-split-include' configuration:
Note:
If split tunneling is configured and needs to be disabled to allow full tunneling, this can also be done using the CLI by disabling the split tunneling feature in the phase1 settings of the tunnel using the following commands:
config vpn ipsec phase1-interface
edit <phase1 name>
unset ipv4-split-include
end
- Split tunnel can also be disabled while creating the IPsec dial-up tunnel through the wizard as displayed below.
CLI configuration example:
Phase1.
config vpn ipsec phase1-interface
edit "No-Split-Tunnel"
set type dynamic
set interface "port1"
set mode aggressive
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: No-Split-Tunnel (Created by VPN wizard)"
set wizard-type dialup-forticlient
set xauthtype auto
set authusrgrp "LDAP"
set ipv4-start-ip 10.0.0.1
set ipv4-end-ip 10.0.0.100
set dns-mode auto
set save-password enable
set psksecret admin
next
end
Phase2.
config vpn ipsec phase2-interface
edit "No-Split-Tunnel"
set phase1name "No-Split-Tunnel"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: No-Split-Tunnel (Created by VPN wizard)"
next
end
- Once the user is connected to the IPsec VPN, all the traffic will be redirected to FortiGate, including public IP access such as google.com, fortinet.com, etc.
- Ensure that a dedicated firewall policy is added for IPsec users to access the Internet once connected to the IPsec VPN.
Note:
Configuring changes (i.e. changing from split to full-tunnel) in the IPsec VPN while a user/s is connected, will disconnect them and will need to reconnect.
For enabling split tunnel:
Technical Tip: Enable split-tunnel For IPsec VPN
Related article:
Technical Tip: IPsec dial-up full tunnel with FortiClient
|
