Losing Internet Access when Connected to VPN
Hi guys
When connecting via VPN the computer loses all internet access. I have tried with and without split tunnelling and nothing works.
Model: FortiGate 60D, Firmware: 5.2.3
Anything I need to look at in regards to debugs/config? Do I need split tunneling?
I've had a look at other threads and come across this comment
'My firewall policy with the SSL-VPN set as action was this: wan1 > internal all - all - always - any -SSL VPN The destination must be a specific subnet(s) in order to do split tunneling. Once I changed my destination on that policy to the appropriate internal subnets, split tunneling worked just fine once I was able to enable it.'
Is this the general setup for this?
Cheers,
Miata
Labels: 5.2
If you enable split-tunnelling in the settings for the SSLVPN web portal, once you try to define a firewall policy for the connection afterwards, I think you will be prohibited from leaving the destination address zeroed. It is not a valid split-tunnelling address. So you could do either-or: leave the web portal and policy destination wide open and split-tunnelling disabled (but then create an ssl.<vdom> to WAN policy to allow Internet access), or else enable split-tunnelling in the Tunnel Mode widget in the SSLVPN web portal, choose a local address range, and make the destination in the policy the same address range.
The tricky part comes in if tunnel-mode users also want to use the web portal for proxied browsing to Internet sites. In that case, the only way I can find to make the scenario work is to create two portals: one Tunnel Mode (split tunnelling) and one Web Only. For the browsing web-only mode connection, you would need a second user account (and/or user group) to authenticate to it, since portal selection is based on authenticated identity. Once in that portal, you could not bring up a split-tunnelling Tunnel Mode connection, but you could browse via the portal proxy. And vice versa, for a tunnel connection, authenticate as the user for the Tunnel Mode portal.
Messy, but it works!
Regards, Chris McMullan Fortinet Ottawa
Hi
Thank you very much for this information; however, do you know if this works with IPsec VPN? How can I set this up for that?
Cheers
Miata
With IPsec, it depends who the client will be for the connection. With FortiClient or a known OS (iOS, Windows, etc.), the wizard takes care of the options, and provides a drop-down field to choose split addresses.
Otherwise, the manual route will take you into the CLI:
config vpn ipsec phase1-interface
edit <phase1_name>
set ipv4-split-include <address_name>
...
end
Regards, Chris McMullan Fortinet Ottawa
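The two answers above describe the same pitfall twice: a tunnel that either sends everything through the FortiGate with no policy letting it back out to the WAN, or a split tunnel whose routing address or policy destination is still "all". The checker below is an added example (not Fortinet code and not from this thread) that parses a FortiOS-style config and flags both situations for SSL-VPN portals and for IPsec phase1-interface split-include. The sample config, the address name "internal-lan", the assumption that WAN interfaces are named wan1/wan2 as on a 60D, and the SSL interface name ssl.root are all constructed for the example; the key names follow the 5.2 CLI syntax quoted in the replies but were not verified on a device.

```python
import shlex

# Constructed sample config (assumption: key names follow the FortiOS 5.2 CLI
# quoted in the thread; not exported from a real FortiGate).
BROKEN_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "all"
    next
end
config vpn ipsec phase1-interface
    edit "remote-users"
        set type dynamic
        set mode-cfg enable
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
    next
    edit 2
        set srcintf "remote-users"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

# The same config after applying the advice in the thread: the split-tunnel
# routing address and the SSL-VPN policy destination both name one local
# subnet, and the IPsec phase1 gets ipv4-split-include for the same subnet.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    'set split-tunneling-routing-address "all"',
    'set split-tunneling-routing-address "internal-lan"'
).replace(
    'set dstaddr "all"\n        set action ssl-vpn',
    'set dstaddr "internal-lan"\n        set action ssl-vpn'
).replace(
    'set mode-cfg enable',
    'set mode-cfg enable\n        set ipv4-split-include "internal-lan"'
)


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts of token lists."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args, cur = tokens[0], tokens[1:], stack[-1]
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def is_wan(intf):
    return intf.startswith("wan")  # assumption: wan1/wan2 naming as on a 60D


def egress_policy_exists(policies, srcintf):
    """True if an accept policy lets srcintf reach a WAN interface."""
    return any(p.get("srcintf", [""])[0] == srcintf
               and is_wan(p.get("dstintf", [""])[0])
               and p.get("action", ["deny"])[0] == "accept"
               for p in policies.values())


def check_split_tunnel(config_text, vdom="root"):
    """Return finding codes for full tunnels without egress and split tunnels
    whose routing address or policy destination is still 'all'."""
    cfg = parse_fortios(config_text)
    portals = cfg.get("vpn ssl web portal", {})
    phase1s = cfg.get("vpn ipsec phase1-interface", {})
    policies = cfg.get("firewall policy", {})
    findings, split_portals = [], []
    for name, p in portals.items():
        if p.get("tunnel-mode", ["disable"])[0] != "enable":
            continue
        if p.get("split-tunneling", ["disable"])[0] == "enable":
            split_portals.append(name)
            routes = p.get("split-tunneling-routing-address", [])
            if not routes or "all" in routes:
                findings.append(f"SSL-PORTAL-ROUTE-ALL:{name}")
        elif not egress_policy_exists(policies, f"ssl.{vdom}"):
            findings.append(f"SSL-FULL-TUNNEL-NO-EGRESS:{name}")
    for pid, p in policies.items():
        if (p.get("action", [""])[0] == "ssl-vpn" and split_portals
                and "all" in p.get("dstaddr", [])):
            findings.append(f"SSL-POLICY-DST-ALL:{pid}")
    for name, p1 in phase1s.items():
        if p1.get("mode-cfg", ["disable"])[0] != "enable":
            continue
        include = p1.get("ipv4-split-include", [])
        if "all" in include:
            findings.append(f"IPSEC-SPLIT-INCLUDE-ALL:{name}")
        elif not include and not egress_policy_exists(policies, name):
            findings.append(f"IPSEC-FULL-TUNNEL-NO-EGRESS:{name}")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_split_tunnel(text) or "OK")
```

Run against the constructed BROKEN_CONFIG the checker reports the portal routing address "all", the ssl-vpn policy with destination "all", and the IPsec phase1 that has neither ipv4-split-include nor a remote-users to WAN accept policy; the FIXED_CONFIG passes cleanly. Feeding it a real `show full-configuration` export is the intended use, with the interface naming assumption adjusted to the unit in question.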