Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kcerb
New Contributor III

Dialup IPSec VPN - wrong route when forticlient connected

Hi,

on one of my remote laptops (windows 10 pro x64) after dialup IPSec connection incorrect route is created:

 

In this situation (bottom picture) when forticlient is connected, there is no internet access or servers (behind FortiGate) access.

The IPSec tunnel "split tunnel" option is checked.

There are no issues on other remote clients using the same tunnel.

There is still an issue when I create a second connection on this laptop using another tunnel settings.

The client using FortiClient 5.4.4.0890_x64 but I also tried on 5.6.0.1075_x64 - same issue.

The Fortigate runs on v5.4.5,build1138 (GA)

Can anybody help?

 

FGT60B, FGT100A, FGT100D

FGT60B, FGT100A, FGT100D
5 REPLIES 5
Toshi_Esumi
Esteemed Contributor III

Are you sure the client user name is in the same user group with the other working clients? Then you need to run ike debug by specifying the outside IP of the client environment.

 

diag debug reset

diag vpn ike log-filter  dst-addr4 [OUTSIDE_IP]

diag debug app ike -1

diag debug ena

kcerb
New Contributor III

Thank you for the answer.

Before that I decided to uninstall version 5.6 and one more time install 5.4.

I typed the configuration one more time and this time it started working properly. I was pretty sure the configuration was always the same, because the only thing I could do wrong was credentials, but in this case I would not be able to connect. Strange ...

 

FGT60B, FGT100A, FGT100D

FGT60B, FGT100A, FGT100D
Toshi_Esumi
Esteemed Contributor III

If the config on the FG for IPSec is wrong, all clients would fail not only one particular. Every time you upgrade/downgrade firmware I would backup the entire config so that you can "diff" when you come back to the same major version of the firmware whatever the reason is. 

kcerb
New Contributor III

I meant version of FortiClient. I didn't make any changes on FortiGate because other clients were working OK.

FGT60B, FGT100A, FGT100D

FGT60B, FGT100A, FGT100D
Toshi_Esumi
Esteemed Contributor III

I would still suggest check difference between FortiClient config on 5.6.0 and 5.4. Config. they should be the same except some new standard features like vulnerability scan, which I disabled because I haven't learned what it exactly does yet. By the way, 5.4 FC is significantly slower than 5.6.0 or 5.2 based on our SSL VPN performance test. Its improvement was mentioned in 5.6.0 release notes. We haven't tested with IPSec VPN though.

Labels
Top Kudoed Authors