Support Forum
DamianLozano
New Contributor II

IPsec VPN (FortiClient), with split tunneling, communicate in both directions

Hello,

 

I tried several VPN settings and had a lot of problems with all of them.

The requirements are many:

* Navigate through the local gateway (Split tunneling)

* Communicate from lan to remote clients

* Communicate from remote clients to lan

 

I have created finally a VPN for FortiClient, following the Wizard, and using split tunneling.

From the fortigate, I can ping to everything.

From a remote device, I can ping to local device

From a local device, I cannot ping to remote device.

 

The wizard just created for me a rule, which allows traffic from VPN clients to Local Clients, with the NAT enabled

I created the reverse rule, to allow everything from lan to VPN clients (using the VPN interface as outgoing interface, and using the VPN range as destination addresses), I tried with and without NAT, just in case, still the same: ping to remote devices never returns

 

Any idea?

Thanks in advance.

Regards,

Damián

1 Solution
sw2090

I meant what you already have. 

I never had this case myself. I mean I do have various IPSec Tunnels with dial up Forticlient and split tunneling and several local subnets. But I never needed to communicate from local to vpn client.

To just be able to get a ping reply or so you just need a route and policy for the direction vpn=>local subnet.

I don't need local clients to communicate with vpn clients.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

8 Replies
orani
Contributor II

Maybe I am wrong, but remote devices do not have a gateway, so the answer cannot be routed.

Orestis Nikolaidis

Network Engineer/IT Administrator

DamianLozano
New Contributor II

Hello and thanks,

 

Is there another way to accomplish the 3 requirements between a Windows device and a Fortigate?

* Navigate through the local gateway (Split tunneling)

* Communicate from lan to remote clients

* Communicate from remote clients to lan

 

Without split tunneling, I will have a gateway, but I will force users to access the Internet from the fortigate, which is not desired (poor performance; I don't need users in another country to come to my router to open any web page).

With site to site VPNs it should work, but I don't have a fortigate in remote sites.

 

Any other idea?

Thanks,

Damián

DamianLozano

Hello, thanks for your response.

 

What do you mean with "did you include the remote subnet?"?

For example, if a remote user (forticlient user) has 192.168.50.0/24 in his local subnet, should I include this subnet? Where?

It is weird, because maybe I don't know all the subnets where the users will connect with forticlient.

I have included all local subnets in the split tunneling (In a group)

Also allowed everything between "VPN->Internal1" and "Internal1->VPN"

In the remote PC I got routes for the local network, using the IP on the VPN adapter, and this IP is reachable

I will check with other VPNs maybe.

 

Thanks

Regards

Damián

DamianLozano

Ok, I did not find a way to accomplish this

I am trying now to create a L2TP+IPsec tunnel in another device (Not fortinet), inside the local network.

So, I need to forward all L2TP+IPsec traffic to the local IP

I think I should re-direct UDP port 500, 1701 and 4500 (No problem with this)

Also need to re-direct all ESP/AH protocol traffic, which I think is neither TCP nor UDP (a different protocol)

How do I re-direct this protocol?

 

Thanks

Regards

Damián

DamianLozano

Ok, I just realized the following:

- With the SSL VPN for FortiClient, if I disable split tunneling, it works: I can access from remote to local computers and from local to remote computers.

- I re-enable split tunneling and I stop pinging from local to remote computers, I still can ping from remote to local computers

- I tried by selecting many options in "Accessible networks", in the split tunnel section, no luck

- It is still required to navigate through the local gateway

 

Anyone know what could be happening here?

Is there other way but split tunneling?

I appreciate any help.

 

Regards,

Damián

DamianLozano

Hello,

I finally solved by myself

Solution:

1- Make a Forticlient VPN tunnel following wizard (this creates an interface based vpn)

2- Enable split tunnel during the wizard

3- Set an IP on the VPN interface (in the same subnet as the VPN clients, a different subnet from each other), through the CLI, because the interface does not show in System -> Network -> Interfaces

4- Set remote-ip on the VPN interface, also by CLI (same as the IP address)

5- Wizards create 1 rule for VPN -> Internal, I needed to create the reverse rule: Internal -> VPN

6- Added a blackhole route to the VPN clients subnet with low priority

 

The 6th step solved the issue; with this I can access remote devices from the local network too.

With this I could accomplish my 3 requirements: Access through the VPN in both ways and navigate through local gateway

 

 

sw2090
SuperUser

Check two things:

 

You enabled split tunneling, but did you include the remote subnet? You need to do that because, as Orani and you wrote, with split tunneling you don't have a gw/default router via vpn. So you need a route for each subnet or host you want to reach via the vpn. 

Best practice btw is to create an address group object and put all subnets/hosts you want to be able to reach via the vpn into this group. Then enable split tunneling and set it to this address group.

 

Second: check if you have all required policies! Also mind the order of the policies. FGT are FiFo for policies. The first one that matches the packet wins it :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

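The FortiOS CLI below is an added example, not configuration posted by anyone in this thread. It puts Damián's six solution steps and sw2090's address-group advice for the split-tunnel list into one configuration. Every name and address in it is an assumption: the tunnel is called "fc-vpn" on "wan1", the LAN interface is "internal1" with 192.168.1.0/24, and the client pool is 10.212.134.0/24. Adjust them to your own environment.

```fortios
# Added example (not from the thread). Assumed names/addresses throughout.

# sw2090's tip: one address group holding every LAN subnet the clients may reach
config firewall address
    edit "lan-internal1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "vpn-client-range"
        set subnet 10.212.134.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "split-tunnel-networks"
        set member "lan-internal1"
    next
end

# Steps 1-2: dial-up phase1 as the wizard creates it, with split tunneling.
# Only the group above is pushed to the client, so Internet traffic stays on
# the client's local gateway.
config vpn ipsec phase1-interface
    edit "fc-vpn"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.250
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "split-tunnel-networks"
        set add-route enable
        set psksecret <PSK-PLACEHOLDER>
    next
end

# Steps 3-4: IP and remote-ip on the tunnel interface, taken from the same /24
# as the client pool (the interface is only editable from the CLI).
config system interface
    edit "fc-vpn"
        set ip 10.212.134.254 255.255.255.255
        set remote-ip 10.212.134.253 255.255.255.0
    next
end

# Step 5: the reverse policy internal1 -> fc-vpn (the wizard only created
# fc-vpn -> internal1). NAT is not needed in this direction.
config firewall policy
    edit 0
        set name "internal1-to-vpn-clients"
        set srcintf "internal1"
        set dstintf "fc-vpn"
        set srcaddr "lan-internal1"
        set dstaddr "vpn-client-range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Step 6: blackhole route for the client pool with low priority (in FortiOS a
# higher priority number means lower priority). With add-route enabled, each
# connected client gets a more specific /32 route, which wins by longest
# prefix match; the blackhole only covers addresses with no client behind them.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set blackhole enable
        set priority 200
    next
end
```

After applying it, verify the LAN-to-client direction with `diagnose sniffer packet fc-vpn 'icmp'` while pinging a connected client from the LAN: the echo request should leave on the tunnel interface and the reply should come back on it. Keep the policy order in mind, as sw2090 notes: the first policy matching the packet wins, so a broader deny above this one would still block the traffic.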