Hi Guys,
I hope can help me find a solution for the issue that I am having while using Fortigate email two-factor authentication in a IPSEC VPN.
The problem is when a user clicks on connect in Forticlient the PC loses internet connectivity and FortClient stays waiting for the email code that was sent to the user email address, but the user can access their email because they are without internet connectivity on the PC.
I am using slipt tunnelling, this does not make sense, because they need the token to connect to VPN but they don't have internet connectivity until they log into the VPN.
Testing the access getting the token using my mobile phone, the VPN connection works how it should, and it does not redirect the default gateway to the VPN, only the slipt tunnelling routes are added to the PC.
I hope someone can help with this inconvenient problem.
Thanks for your help.
sounds like maybe your split tunnel is now working. I'd see if you can do a route print on the PC and look at your routes.
Hey,
I already checked that, until I type the token no routes are added to the PC routing table, everything remains the same, my default route still my home router, but I can not ping wherever I try to, I can´t ping even my router IP.
MY PC still without an internet connection or LAN connection until I type de Token to validate the VPN access.
My PC stops reply ping, I left another PC pinging my LAN IP and as soon I click to connect in FortClient My PC stops pinging in my on Lan, very weird.
Without two-factor authentication, the same happens but, is very fast, only one ping is lost during the VPN connection, in this scenario the default route is not the IPSEC VPN too.
I´ve noticed though even I can not access the internet, I still able to resolve domain names.
I know with the Forticlient everything default using IPsec the PC will loose access to the local lan devices. You can change this in the xml code settings, but by default it blocks communication with all devices on local lan while connected for security reasons. Can you ping 8.8.8.8?
Hey,
No, I can not ping 8.8.8.8, I´ve attached a printscreen pinging 8.8.8.8, as soon I clink in connect on FortiClient it stops ping.
Like I said I started to ping my PC from another Pc in the same network, at the same time I click to connect on FortiClient my machine stops pinging on my own LAN.
It does not make sense, like, users need to access their email to get the token.
Hey,
Did you find a resolution to this? I am also experiencing the same issues on FortiClient 6.0.10 and 6.4.1. It only happens during IPSec connections. SSL works fine
I'm having this exact same problem with FortiClient 6.0.10 and FortiOS 6.0.11. So far I haven't found any solutions but all network connectivity stops until the token is entered even on the local LAN.
The only workaround I found is to not use 2FA, but I still seem to lose a ping or two like OP mentioned. On a side note, are you using FTM push for the token? I can't seem to get that to work with IPSec either.
That is what I've found as well. Connectivity dies during the authentication process, it's not noticeable without the token.
I'm not using FTM push for the tokens. We have some soft token users but most are hard token.
Hey,
I´ve found a workaround, so I don't know why but when a exported the settings.xml of the Forticlient I noticed there are network configurations on it with the address 0.0.0.0, and I think when we try to connect using Forticlient it binds this address who is the same as the machine default GW.
What I´ve done was put some IP instead of leaving it with 0.0.0.0, like 1.1.1.1, the configuration looks like this:
<network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network>
so I fill it up this way:
<network> <addr>1.1.1.1</addr> <mask>255.255.255.255</mask> </network>
Imported it again and boom! worked just fine, I was able to access my email get the token e to fill it up to establish the connection, and another benefit of it is I just need to pass the settings.xml password and the file itself to the client and I don't need to pass the pre-shared key, the client just needs to import the configuration to Fortclient and he will be ready to connect.
To import the file, the file needs to have the same name e needs to be in the same folder ( C:\Program Files\Fortinet\FortiClient\)
I don't know why but as soon the connection is established, I searched in routes and there is nothing about the host 1.1.1.1.
The command to export settings.xml from Forticlient is:
First of all, configure your connection normally and do Inside of C:\Program Files\Fortinet\FortiClient\ (u need to be an administrator to do that) execute the command:
fcconfig -p11111111 -f settings.xml -m all -o export exports (1111111 is your password)
The file will be placed inside the same folder: C:\Program Files\Fortinet\FortiClient\
Edit and search for network and add the IP Address (as I said before) for your connection.
After that just go to Forticlient click in the lock to unlock the configurations, and in settings restore de configuration and connect, it will work just fine.
Any questions let me know I´ll be happy to help.
Cheers.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.