Hi,
On one of my remote laptops (Windows 10 Pro x64), an incorrect route is created after the dialup IPSec connection:
In this situation (bottom picture), when FortiClient is connected, there is no internet access or access to the servers (behind FortiGate).
The IPSec tunnel "split tunnel" option is checked.
There are no issues on other remote clients using the same tunnel.
There is still an issue when I create a second connection on this laptop using other tunnel settings.
The client is using FortiClient 5.4.4.0890_x64, but I also tried 5.6.0.1075_x64 - same issue.
The FortiGate runs on v5.4.5,build1138 (GA).
Can anybody help?
FGT60B, FGT100A, FGT100D
Are you sure the client user name is in the same user group as the other working clients? Then you need to run IKE debug by specifying the outside IP of the client environment.
diag debug reset
diag vpn ike log-filter dst-addr4 [OUTSIDE_IP]
diag debug app ike -1
diag debug ena
Thank you for the answer.
Before that, I decided to uninstall version 5.6 and install 5.4 one more time.
I typed the configuration one more time and this time it started working properly. I was pretty sure the configuration was always the same, because the only thing I could do wrong was the credentials, but in that case I would not be able to connect. Strange ...
FGT60B, FGT100A, FGT100D
If the config on the FG for IPSec is wrong, all clients would fail, not only one in particular. Every time you upgrade/downgrade firmware, I would back up the entire config so that you can "diff" when you come back to the same major version of the firmware, whatever the reason is.
I meant the version of FortiClient. I didn't make any changes on FortiGate because other clients were working OK.
FGT60B, FGT100A, FGT100D
I would still suggest checking the difference between the FortiClient config on 5.6.0 and the 5.4 config. They should be the same except for some new standard features like vulnerability scan, which I disabled because I haven't learned what exactly it does yet. By the way, 5.4 FC is significantly slower than 5.6.0 or 5.2 based on our SSL VPN performance test. Its improvement was mentioned in the 5.6.0 release notes. We haven't tested with IPSec VPN though.