IPsec VPN - split tunnel won't work
I have, for testing, a FortiGate F80 (7.6.0) where I created an IPsec VPN for clients.
I can connect correctly to the FG.
When I enable/disable split tunnel I always have the same ISP IP address. What have I forgotten?
I created the IPsec with the wizard and docs from Fortinet.
Ninio
Hi Ninio,
Thank you for contacting Fortinet support. When you enable split tunnel, do you also change the firewall policies to make sure the destination for incoming traffic is not "all"; instead it should be specific. Also, I assume that when you enable split tunnelling you are disconnecting and reconnecting the VPN, or it is getting disconnected automatically on the client side. Other than these notes, I would recommend running IKE debugs and checking the VPN event logs on the FortiGate:
- debug commands:
diag debug app ike -1
diag debug console time en
diag debug enable
- VPN Events are located at: "Log&Report>Events"
Thank you,
saleha
Thanks,
connection to my LAN works great. I see that I must add the IPsec IP network to the firewall and I have Internet. But the Internet is on my FG company default gateway.
I want to change it to my home gateway, with access only to my company local LAN (some devices).
Where can I find information about the policy with IPsec split? I can't find information about it.
Ninio
Hi Ninio,
Hope you are doing good.
You can use the following article to achieve split tunnel with IPsec VPN for clients:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192...
Regards,
Parteek
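As an added example (not from this thread or from the linked Fortinet articles), the FortiOS CLI fragment below shows the two pieces the replies above point at: a dial-up phase1 with mode-config that pushes only the LAN prefix to the client via ipv4-split-include, so the client keeps its own default gateway, and a firewall policy whose destination is that LAN rather than "all". Interface names (wan1, internal), object names and addresses are assumed; the wizard's authentication and proposal settings are omitted.

```fortios
# Added example, not from the thread or from Fortinet documentation.
# Names and addresses below are assumptions for illustration.
config firewall address
    edit "corp-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "ipsec-client-range"
        set type iprange
        set start-ip 10.100.100.10
        set end-ip 10.100.100.50
    next
end
config vpn ipsec phase1-interface
    edit "ipsec-clients"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # mode-config assigns the client address and carries the split list
        set mode-cfg enable
        set ipv4-start-ip 10.100.100.10
        set ipv4-end-ip 10.100.100.50
        set ipv4-netmask 255.255.255.255
        # Only this prefix is routed into the tunnel on the client;
        # Internet traffic stays on the client's own gateway.
        set ipv4-split-include "corp-lan"
        # authentication (psksecret / xauth user group) and proposals
        # as created by the wizard are omitted here
    next
end
config firewall policy
    edit 0
        set name "ipsec-to-corp-lan"
        set srcintf "ipsec-clients"
        set dstintf "internal"
        set srcaddr "ipsec-client-range"
        # destination is the LAN object, not "all": no policy for
        # tunnel-to-WAN traffic exists, so nothing routes the Internet
        # through the FortiGate
        set dstaddr "corp-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After changing the split-include list, the client must disconnect and reconnect, since the routes are pushed only during mode-config negotiation.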
Hi,
I saw it but it did not work. I can't find a solution with the IPsec VPN error. I have opened a ticket for it.
Ninio
I have checked the SSL VPN split tunnel and the IPsec split tunnel after connecting:
Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . : 10.212.134.200(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
I see that the SSL split tunnel did not fill a default gateway on the interface,
but the IPsec VPN tunnel fills it like this:
Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30) #2
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3a0b:a474:bb05:aefc%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.100.100.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Lease Obtained. . . . . . . . . . : środa, 11 września 2024 11:14:57
Lease Expires . . . . . . . . . . : niedziela, 19 października 2160 02:53:18
Default Gateway . . . . . . . . . : 10.100.100.2
DHCP Server . . . . . . . . . . . : 10.100.100.2
Is this some kind of issue? Where can I find information about the DHCP server in IPsec?
Ninio
Hi Ninio,
Thank you for the reply. You will most likely need an external DHCP server and a firewall policy to allow the traffic from the IPsec tunnel to the DHCP server, similar to the example in the following document link:
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/189440
Thank you,
saleha
