Forticlient IPSec VPN Tunnel established however 0KB received(rcvdbyte=N/A)
Please could anyone help? I'm merely a Desktop Support Technician. I have a user who can successfully establish an IPsec VPN tunnel through his ISP home connection; however, bytes received remains at 0KB. FortiClient works fine through the company-issued 3g\4g connection, but the user would like to utilize his home connection. Any advice on how one can get to a resolution? Below is a pic and an excerpt from a log file. I've removed the IP addresses for confidentiality, and because I'm new to this, please forgive me if there is important info omitted, and please advise if there is anything else I'd need to post. Also please bear in mind I only have access to the client side of things.
One-sided traffic points to either a missing policy or a routing problem. Without insight into the FGT side this will be difficult to debug.
Are other FC users able to connect and transfer data? Using the same FC setup?
(If not: are you? Have you set up a test installation on your notebook/PC to test?)
This is called 'split tunneling' in the FC config. The default is that ALL traffic traverses the tunnel, so that even surfing the net will go through the remote FGT's WAN. If you enable split tunneling, you enter the remote (private) subnet you want to access. This creates a route on the notebook.
In all cases, the FGT's (VPN gateway) policies must match, and of course the phase 2 settings in the VPN definition.
From the logs, it seems to me that connecting and authenticating is just fine. So I suggest you check policies. There is at least one policy on the FGT, and even the notebook sometimes (Win10!) has policies, namely the Windows Defender Firewall rules. Deactivate this bogus 'firewall' and test again.
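The reply above points at the FGT side (policies, return routing) as the place where one-sided traffic is diagnosed. The following is an added example, not code from the thread or from Fortinet: a small triage script the network admins could run over FortiGate traffic log lines to separate sessions that were denied (no matching policy) from sessions that were accepted and forwarded but never saw a return byte (routing / return path / host firewall). It assumes the standard FortiGate key=value log fields `type`, `action`, `policyid`, `sentbyte` and `rcvdbyte`; the sample lines, addresses, policy IDs and tunnel name are constructed for illustration, and a `rcvdbyte=N/A` counter (as in the thread title) is treated the same as 0.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Added example, not from the thread: triage FortiGate-style traffic log lines
# for the "one-sided traffic" symptom (sentbyte > 0, rcvdbyte 0 or N/A).
# The sample lines, addresses, policy IDs and tunnel name below are constructed.

# key=value tokens; quoted values may contain spaces, e.g. vpn="Corp IPsec"
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def _byte_count(value: Optional[str]) -> int:
    """Byte counters are normally integers; 'N/A' or a missing field counts as 0."""
    try:
        return int(value)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return 0


def classify_flow(fields: Dict[str, str]) -> str:
    """Label one session record by what its counters say about return traffic."""
    if fields.get("action") == "deny":
        return "denied"      # no matching allow policy: fix the FGT policy
    sent = _byte_count(fields.get("sentbyte"))
    rcvd = _byte_count(fields.get("rcvdbyte"))
    if sent > 0 and rcvd == 0:
        return "one-sided"   # forwarded, nothing came back: return route / host firewall
    if sent == 0 and rcvd == 0:
        return "no-traffic"
    return "two-way"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group every traffic record as 'src->dst:port via policy N' under its label."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        f = parse_fortilog(line)
        if f.get("type") != "traffic":
            continue         # event/vpn records carry no byte counters
        desc = "{}->{}:{} via policy {}".format(
            f.get("srcip", "?"), f.get("dstip", "?"),
            f.get("dstport", "?"), f.get("policyid", "?"))
        buckets[classify_flow(f)].append(desc)
    return dict(buckets)


# Constructed sample lines (not real logs); private/example address ranges only.
SAMPLE_LOGS = [
    'date=2020-01-01 time=09:00:01 type="traffic" subtype="forward" vd="root" srcip=10.10.10.5 '
    'dstip=192.168.1.20 dstport=445 proto=6 action="accept" policyid=12 sentbyte=3120 rcvdbyte=8840 vpn="Corp IPsec"',
    'date=2020-01-01 time=09:00:05 type="traffic" subtype="forward" vd="root" srcip=10.10.10.7 '
    'dstip=192.168.1.20 dstport=445 proto=6 action="accept" policyid=12 sentbyte=2968 rcvdbyte=0 vpn="Corp IPsec"',
    'date=2020-01-01 time=09:00:09 type="traffic" subtype="forward" vd="root" srcip=10.10.10.7 '
    'dstip=192.168.1.30 dstport=3389 proto=6 action="accept" policyid=12 sentbyte=1512 rcvdbyte=N/A vpn="Corp IPsec"',
    'date=2020-01-01 time=09:00:12 type="traffic" subtype="forward" vd="root" srcip=10.10.10.9 '
    'dstip=192.168.1.20 dstport=445 proto=6 action="deny" policyid=0 sentbyte=0 rcvdbyte=0 vpn="Corp IPsec"',
    'date=2020-01-01 time=09:00:13 type="event" subtype="vpn" vd="root" action="phase2-up" msg="IPsec phase 2 status change"',
]

if __name__ == "__main__":
    for label, flows in sorted(triage(SAMPLE_LOGS).items()):
        print(label)
        for flow in flows:
            print("  ", flow)
```

Reading the output: a client whose sessions land in the "denied" bucket (policy 0 is the FortiGate implicit deny) needs a policy fix; one whose sessions are "one-sided" was accepted and forwarded, so the packets left the FGT and the problem is the path back (a missing return route on the FGT or the internal network, or the destination host's firewall), which is exactly the distinction the reply draws. The same split works on the FortiClient side if its logs carry the same counters, but the policy and routing decisions themselves are only visible on the FGT.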
I've attached the pic; it's just a pic of the connected status.
Other users are able to connect fine. It's a provisioned IPsec VPN config, so it works as is after installation without having to configure any settings. This user's same FortiClient installation works fine with his company-issued 3g\4g SIM connection. There was a known issue in the business where users with a home fibre connection could not connect with FortiClient, but enabling IPsec in their router's front-end interface resolved it. But the thing is, this user can connect; it's just one-sided traffic, like you said, so I'm hoping enabling IPsec might resolve this also. I have asked the user to confirm IPsec is enabled on his router and am now just waiting on him to respond.
We won't be able to turn off Defender, as it's managed via Group Policy, but I'll try to consult with the network\system admins to confirm no policies are the cause.