Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alejandro77
New Contributor

Created on ‎09-17-2025 01:32 AM

Internet connection lost when trying to connect to a Fortigate with IPsec VPN through Forticlient

Hello guys,

not sure if someone else has the same issue, but there are times when I'm trying to set up a remote connection tunnel via IPsec and this issue comes up... I'm trying to connect through Forticlient VPN but internet connection stops, the tunnel is (of course) down and the internet access is restored.

Labels:
470
0 Kudos
12 REPLIES 12
AEK
SuperUser
SuperUser

Created on ‎09-17-2025 04:03 AM

Hi Alejandro

Can you share your routing table when IPsec connection is down and when it is up?

AEK
AEK
415
Alejandro77
New Contributor
In response to AEK

Created on ‎09-17-2025 04:06 AM

that was my first thought too and I checked it.. it was identical! Perhaps I'll need to rephrase: While trying to connect, internet dropped, so the connection never happened. I checked the routing table both times and it was identical

412
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎09-17-2025 04:18 AM Edited on ‎09-17-2025 04:18 AM

Did you enter the remote server as fqdn or ip?

Also can you share the ipsec config? I mean from FGT side.

 

AEK
AEK
408
Debbie_FTNT
Staff & Editor
Staff & Editor
In response to AEK

Created on ‎09-17-2025 06:55 AM

It does sound a bit like FortiClient/routing may be set up to send everything through the VPN tunnel (no split-tunnel), and if FortiGate lacks the policies to allow this, internet access would essentially be down after VPN is established.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
389
Alejandro77
New Contributor
In response to AEK

Created on ‎12-16-2025 11:33 PM Edited on ‎12-17-2025 12:12 PM

My apologies for the (far too) late reply, but it seems that I'm seeing this issue again and again... The remote server was set by using an fqdn.

Here's the config:


config vpn ipsec phase1-interface
edit "for_client"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype one
set net-device enable
set mode-cfg enable
set proposal aes256-sha256
set dpd on-idle
set xauthtype auto
set authusrgrp "vpngroup"
set peerid "dialup1"
set assign-ip-from name
set dns-mode auto
set ipv4-split-include "0_Subnet_LAN"
set ipv4-name "client_range"
set save-password enable
set psksecret ENC LU+SJKLoLEZeByKcux+fsYTu2023cGoAahQ5f0aKK9Z1d//Y5Mv6hzmA+EfRohvNrypTOe4KLP9hSwpBKZEEQn99/sy0GfJ9yX/CxKbXUwvWAcqklOA2w96lhiygeKkikGfRZQ8GAm2anH2jsZa7I8V2hGpt6rAARV5Y4j3pagf739IapjLlPa3qnjU3gqQZNU+fug==
set dpd-retryinterval 60
next
end

config vpn ipsec phase2-interface
edit "for_client"
set phase1name "for_client"
set proposal aes256-sha256
next
end

 

 

 

86
0 Kudos
AEK
SuperUser
SuperUser
In response to Alejandro77

Created on ‎12-17-2025 02:11 PM

  • Can you share what is inside the object 0_Subnet_LAN?
  • Can it ping 1.1.1.1 (I mean IP, not fqdn) after connecting to VPN?
AEK
AEK
69
0 Kudos
Alejandro77
New Contributor
In response to AEK

Created on ‎12-18-2025 01:43 AM

Replying to your first question, the 0_Subnet_LAN is the local subnet [192.168.1.0/24] that I'm trying to reach when away!!

 

As far as the second question is concerned, i think that I don't quite understand what you are asking me. I'm away from my network, I open FortiClient and at the same time I'm pinging 1.1.1.1. I'm pinging normally, ok? When I try to connect to the VPN, I lose 3 pings (to 1.1.1.1) then I start pinging 1.1.1.1 again and I get a message about VPN not being able to connect

56
0 Kudos
funkylicious
SuperUser
SuperUser
In response to Alejandro77

Created on ‎12-18-2025 02:00 AM

hi,

try adding in your FCT config the following lines under <ike_settings>.

 

First you need to export the config file, in FCT click the Lock ( last on the right ) button and in the Settings ( wheel ) Backup the config file, set a password and save it.

The locally saved file edit it with a text editor, add the lines under previous mentioned section, save and then Restore the saved file with the new settings.

 

Screenshot 2025-12-18 at 11.57.45.pngScreenshot 2025-12-18 at 11.58.12.png

 

<implied_SPDO>1</implied_SPDO>

<implied_SPDO_timeout>120</implied_SPDO_timeout>

 

Screenshot 2025-12-18 at 11.59.36.png

"jack of all trades, master of none"
"jack of all trades, master of none"
51
0 Kudos
Alejandro77
New Contributor
In response to funkylicious

Created on ‎12-18-2025 02:26 AM

I can export a configuration, but I cannot restore it afterwards...

44
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.