Support Forum
Joe_Mohtady
New Contributor

VPN Tunneling

Hello everyone. If you could help me with the following: In our company we have more than 200 users that connect to VPN from bank branches on a daily basis. Those users used to connect to VPN through Windows XP using NetScreen, but after upgrading to Windows 7 we had to use FortiClient for the VPN IPsec connection. The problem is those users are facing an issue in using an application that connects over HTTP to our intranet. We have been investigating this issue since forever. What I realized is that the difference between NetScreen and FortiClient is that NetScreen totally isolates the client, while with FortiClient the user still can access the bank network. Is there a way to totally isolate the client from accessing the LAN of the bank, as I think that there is a conflict between our intranet IP and an IP in the bank branches? Thank you.
rwpatterson
Valued Contributor III

Welcome to the forums. If I understand your problem correctly, you want the VPN user to access ONLY the remote network while in VPN mode? I believe that the FortiGate has to be set up to disable split tunneling. That will force all traffic down the VPN once it's established.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

Remember this is a firewall, so whatever firewall policies you have are what determine where the users can establish connections to. So what firewall policies are you allowing for the remote users?

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

Referring to Bob's advice: In order to 'isolate' the client while using the tunnel, you have to set the client's default route to the VPN gateway. This is done in the FortiClient configuration by choosing '0.0.0.0/0' as the destination network, instead of a real subnet. But... if you really have an address conflict between the LAN and the remote subnet (intranet), then this will probably not be the solution. Usually, the subnets on either side of a VPN tunnel have to be distinct so that the VPN gateway knows where to put the packets. After all, this is still routing and not Layer 2 bridging. There is a way to accomplish connecting subnets with overlapping address space via a VPN tunnel which involves destination and source NAT. It's doable but requires careful planning and good knowledge of FortiOS. Maybe you can check the Netgear (VPN client software) configuration to see which special configuration was employed to make it work. That would be more reasonable than reinventing the wheel.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
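The two points raised in this thread (a 0.0.0.0/0 tunnel route forces traffic down the VPN, but it cannot fix an overlap between the branch LAN and the intranet) can be checked before touching any FortiGate. The following is an added example, not code from the thread or from Fortinet; the branch LAN and intranet subnets are constructed sample values, and the routing decision is a plain longest-prefix-match simulation of what the client's IP stack does.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread):
# the bank branch LAN the client sits on, and the intranet subnets behind the VPN.
BRANCH_LAN = ipaddress.ip_network("10.1.0.0/24")
INTRANET = [
    ipaddress.ip_network("10.1.0.0/16"),      # overlaps the branch LAN
    ipaddress.ip_network("192.168.50.0/24"),  # distinct from the branch LAN
]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def overlapping_subnets(local_lan, remote_nets):
    """Return the remote subnets that share address space with the local LAN.
    Any hit here needs NAT (or renumbering); no tunnel route can fix it."""
    return [net for net in remote_nets if net.overlaps(local_lan)]


def build_routes(local_lan, full_tunnel, tunnel_nets):
    """Client routing table: the directly connected LAN is always present,
    plus either a 0.0.0.0/0 route (split tunneling disabled) or one route
    per intranet subnet (split tunneling enabled)."""
    routes = [(local_lan, "local-lan")]
    if full_tunnel:
        routes.append((DEFAULT, "vpn"))
    else:
        routes.extend((net, "vpn") for net in tunnel_nets)
    return routes


def next_hop(dst, routes):
    """Longest-prefix match: the most specific matching route wins, so the
    connected /24 beats 0.0.0.0/0 for any address inside the branch LAN."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(BRANCH_LAN, INTRANET))
    full = build_routes(BRANCH_LAN, True, INTRANET)
    for dst in ("10.1.0.5", "192.168.50.10", "8.8.8.8"):
        print(dst, "->", next_hop(dst, full))
```

With the full-tunnel table, 192.168.50.10 goes to the VPN as intended, but 10.1.0.5 still goes to the branch LAN because the connected /24 is more specific than 0.0.0.0/0, which is exactly the symptom the original poster describes.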