BSC_Support
New Contributor

FortiGate 7.6.4 IPsec dialup split tunnel VPN: some user PCs cannot access the internet after connecting

Hi all


Some background before we start: because SSL VPN will be retired after upgrading to 7.6.3 or higher, our Hong Kong office is still kept on 7.6.2 and we tried to set up an IPsec dialup VPN there, but with no luck; it was very unstable and could never resolve internal DNS. So we upgraded our China office FortiGate to 7.6.4 and tested the IPsec VPN there instead.

So far it is stable: it can access the internal LAN perfectly, can resolve DNS and can also access the Huawei Cloud LAN over the other site-to-site VPN, but there are still a few more things not working.

China Fortigate ver: 7.6.4
Hong Kong Fortigate ver: 7.6.2
Client VPN ver: 7.4.3.1790 (downloaded from the Fortinet website)

Below are the issues we are now facing:

1. Some users cannot access the internet after connecting to the VPN, but I am fine with my home PC on both my mobile network and my home Wi-Fi. They are also using home Wi-Fi; I will ask them to try a mobile network tonight. Our FortiClient is the same version with the same settings, though.

2. Cannot access the Hong Kong office LAN. I already created a policy allowing IPsec to the HK office and it seems to have traffic; when I try to ping the HK LAN, it returns the server name but times out.


Below is the IPsec config:

PYICCFG80F (Test RA) # show full-configuration
config vpn ipsec phase1-interface
edit "Test RA"
set type dynamic
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode aggressive
set peertype any
set monitor-min 0
set net-device disable
set exchange-interface-ip disable
set aggregate-member disable
set packet-redistribution disable
set mode-cfg enable
set ipv4-dns-server1 192.168.99.45
set ipv4-dns-server2 10.1.1.124
set ipv4-dns-server3 10.1.1.125
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-dns-server3 ::
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route enable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set ip-fragmentation post-encapsulation
set dpd on-demand
set comments "VPN: Test RA -- Created by VPN wizard"
set npu-offload enable
set dhgrp 5 14
set suite-b disable
set wizard-type dialup-forticlient
set xauthtype auto
set reauth disable
set authusrgrp ''
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set rekey enable
set enforce-unique-id disable
set fec-egress disable
set fec-ingress disable
set link-cost 0
set exchange-fgt-device-id disable
set ems-sn-check disable
set qkd disable
set default-gw 0.0.0.0
set default-gw-priority 0
set assign-ip enable
set assign-ip-from name
set ipv4-netmask 255.255.255.0
set dns-mode manual
set ipv4-split-include "Test RA_split"
set split-include-service ''
set ipv4-name "SSLVPN_TUNNEL_ADDR1"
set ipv6-prefix 128
set ipv6-split-include ''
set ipv6-name ''
set ip-delay-interval 0
set unity-support enable
set domain "bschk.com"
set banner ''
set include-local-lan disable
set ipv4-split-exclude ''
set ipv6-split-exclude ''
set save-password enable
set client-auto-negotiate disable
set client-keep-alive disable
set keepalive 10
set distance 15
set priority 1
set dpd-retrycount 3
set dpd-retryinterval 20
next
end
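As an added example (not part of the post and not Fortinet code), a small Python audit that parses a FortiGate phase1-interface block in the format shown above and reports the settings that matter for the split-tunnel and DNS symptoms described, together with the weak IKEv1 choices a reviewer would flag; the embedded excerpt is reconstructed from the posted "Test RA" entry and keeps only the keys the audit inspects.

```python
import re
# Constructed excerpt of the posted phase1-interface block; values exactly as posted.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
edit "Test RA"
set ike-version 1
set authmethod psk
set mode aggressive
set mode-cfg enable
set ipv4-dns-server1 192.168.99.45
set ipv4-dns-server2 10.1.1.124
set ipv4-dns-server3 10.1.1.125
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dhgrp 5 14
set dns-mode manual
set ipv4-split-include "Test RA_split"
next
end
"""

def parse_phase1(text):
    """Parse FortiGate 'edit <name> ... next' entries into {name: {key: [values]}}; quoted values stay whole."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            entries[current][key] = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", rest)]
    return entries

def audit_dialup(cfg):
    """Return findings for one dialup phase1 entry: weak IKE settings, then split-tunnel and DNS facts."""
    g = lambda k: cfg.get(k, [""])  # missing keys read as an empty value, like '' in the CLI
    out = []
    if g("ike-version") == ["1"] and g("mode") == ["aggressive"] and g("authmethod") == ["psk"]:
        out.append("IKEv1 aggressive mode with PSK: peer identity and a PSK-derived hash are sent unencrypted, enabling offline guessing; prefer IKEv2")
    weak = [p for p in g("proposal") if p.endswith("-sha1")]
    if weak:
        out.append("SHA-1 proposals still offered: " + ", ".join(weak))
    if g("mode-cfg") == ["enable"] and g("ipv4-split-include") != [""]:
        out.append("split tunnel via group '%s': only those destinations use the tunnel, internet traffic stays on the client's local path" % g("ipv4-split-include")[0])
        if g("dns-mode") == ["manual"]:
            dns = [cfg[k][0] for k in sorted(cfg) if k.startswith("ipv4-dns-server") and cfg[k] != ["0.0.0.0"]]
            out.append("manual DNS pushed (%s): each server must sit inside a split-include network or clients cannot resolve names" % ", ".join(dns))
    return out
```

Feed it the full `show full-configuration` output to audit every dialup entry at once; the split-include address group itself is not in the output, so the DNS finding is a check to perform, not a verdict.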