hazim
Staff
Article Id 275672
Description: This article describes how to configure IPsec remote access via FortiClient with full tunneling.
Scope: FortiGate v7.0, v7.2, and above.
Solution

Follow the steps below to enable full tunneling for IPsec remote access via FortiClient:

  • Create an IPsec tunnel and make sure the 'ipv4-split-include' setting is turned off.

  • Split tunneling can also be disabled while creating the IPsec dialup tunnel through the wizard, as shown below.

[Screenshot: disabling split tunnel in the IPsec wizard]

CLI configuration example:

Phase 1:

config vpn ipsec phase1-interface
    edit "No-Split-Tunnel"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: No-Split-Tunnel (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "LDAP"
        set ipv4-start-ip 10.0.0.1
        set ipv4-end-ip 10.0.0.100
        set dns-mode auto
        set save-password enable
        set psksecret admin
    next
end

Phase 2:

config vpn ipsec phase2-interface
    edit "No-Split-Tunnel"
        set phase1name "No-Split-Tunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: No-Split-Tunnel (Created by VPN wizard)"
    next
end

  • Once the user is connected to the IPsec VPN, all traffic is routed through the FortiGate, including access to public sites such as google.com and fortinet.com.
  • Ensure that a dedicated firewall policy is added for IPsec users to access the Internet once connected to the IPsec VPN.
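The dedicated firewall policy mentioned above, as an added CLI example that is not part of the original article: it assumes the tunnel name "No-Split-Tunnel", the client pool 10.0.0.1-10.0.0.100 and the interface port1 from the phase1 configuration above, and uses port1 as the Internet-facing interface; the address object name and the policy name are assumptions. Lines starting with # are comments.

```text
# Address object covering the mode-cfg pool handed out by phase1 (10.0.0.1-10.0.0.100).
config firewall address
    edit "No-Split-Tunnel_range"
        set type iprange
        set start-ip 10.0.0.1
        set end-ip 10.0.0.100
    next
end

# Policy from the tunnel interface to the WAN interface so full-tunnel clients can reach
# the Internet. Source NAT is required because the pool uses private addresses; the
# destination "all" and service "ALL" should be narrowed to what site policy allows.
config firewall policy
    edit 0
        set name "IPsec-Full-Tunnel-to-Internet"
        set srcintf "No-Split-Tunnel"
        set dstintf "port1"
        set srcaddr "No-Split-Tunnel_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# For a tunnel that was previously split-tunneled, clear the include list explicitly so the
# client receives no split networks and sends all traffic through the tunnel.
config vpn ipsec phase1-interface
    edit "No-Split-Tunnel"
        unset ipv4-split-include
    next
end
```

Without a matching policy, full-tunnel clients lose Internet access the moment they connect, because the FortiGate drops traffic that has no policy allowing it.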

Note:

Making configuration changes (e.g. changing from split to full tunnel) to the IPsec VPN while users are connected will disconnect them, and they will need to reconnect.

To enable split tunneling instead, see:
Technical Tip: Enable split-tunnel For IPsec VPN

Related article:
Technical Tip: IPsec dial-up full tunnel with FortiClient