Support Forum
dominikw
New Contributor II

VPN - acces to vpn-subnets and Internet

Hi! I have a Fortigate-60B 3.00-b5158(MR5) and FortiClient 3.0.470. I have configured a dial-up VPN (PSK and ext-auth). Here is my topology:

WiFi (10.10.20.X/24) ------|
LAN (192.168.0.0/24) --- Fortigate ----- Dialup-FortiClient
DMZ (10.10.10.X/24) ------|

The Dialup-FortiClient has a static IP set in the client to 192.168.50.215 (I don't use DHCP). In FortiClient, when I have 192.168.0.0/255.255.255.0 as the remote network in the "main" config, and 10.10.10.0/24, 10.10.20.0/24 in Advanced Settings, I can only access the internal subnet (192.168.0.0/24). When I set 0.0.0.0/0.0.0.0 as the remote network in the FortiClient configuration, the FG routes packets the right way and I have access to all VPN subnets. But in this situation my PC has its default route via the VPN VIP, so I can't access the Internet when I'm connected to the FG. Does anyone know whether a newer firmware/client version will be better?

Dominik Weglarz, IT System Engineer
rwpatterson
Valued Contributor III

If you enable split tunnelling in the User Group for the Forticlients, then you will be able to surf the net via the local connection.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

If you enable split tunnelling in the User Group for the Forticlients
How can I do it? Is it something to set in FortiClient, in the Fortigate, or in Windows?
rwpatterson
Valued Contributor III

When you set up the Forticlient access into the Fortigate, you created a user group on the FGT. Check the advanced properties there, in the FGT.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

I cannot find any option like that. I have an IPSec VPN and the group I have set for it is a simple firewall group. Regrettably this forum still doesn't allow me to embed or upload a screenshot, but I can tell you that I can only set the items Name, Type, Protection Profile, Members and Fortiguard WebFiltering Override.
abelio

Hello Ariel, does your IPSec VPN FortiClient<->FortiGate include DHCP over IPSec or not? Another point: besides your FC config, it is necessary to add firewall policies internal->dmz and internal->another_subnets. Post more info about your settings (policy or route mode VPN, FC directly connected to the internet or through a NAT device), etc. http://docs.forticare.com/fgt/techdocs/FortiGate_IPSec_VPN_User_Guide_01-30005-0065-20070716.pdf (page #55) details the FC to FG configuration to compare with. best regards,

regards / Abel
Not applicable

Hi Abelio, I'm using DHCP over IPSEC. I don't have any policy linking internal - another_subnets because in my case the Fortigate is acting as a router, redirecting traffic to other subnets to the corresponding routers as set in static routing (assuming I am sending the packet from within the LAN segment):

net 10.10 -> FG
FG -> "0.0.0.0" -> internet
FG -> "net 10.20" -> router 10.20 -> net 10.20
FG -> "net 10.30" -> router 10.30 -> net 10.30
FG <- dial up clients 10.10

Below is the VPN related config:
 config system dhcp server
     edit "vpnremotos"
         set default-gateway 10.10.20.10
         set interface "wan1"
         set lease-time 86400
         set netmask 255.255.0.0
         set server-type ipsec
         set start-ip 10.10.40.1
         set end-ip 10.10.40.254
         set wins-server1 10.10.10.10
         set wins-server2 10.10.10.20
     next
 end

 config firewall profile
     edit "custom_vpn_remoto"
         set log-web-ftgd-err enable
         set ftp splice
         set http rangeblock
         unset https
         set imap fragmail spamfssubmit
         set pop3 fragmail spamfssubmit
         set smtp fragmail spamfssubmit splice
         set pop3-spamtagtype subject
         set imap-spamtagtype subject
         set nntp no-content-summary
         unset im
         set comment ""
         set ftgd-wf-options strict-blocking
         set ftgd-wf-https-options strict-blocking
         set ftgd-wf-disable all
     next
 end

 config user group
     edit "user_vpn"
         set profile "custom_vpn_remoto"
         set member "user1" "user2" "user3"
     next
 end

 config vpn ipsec phase1
     edit "Remotos"
         set type dynamic
         set interface "wan1"
         set nattraversal enable
         set proposal 3des-sha1 3des-md5
         set psksecret ENC (password)
     next
 end

 config vpn ipsec phase2
     edit "remotos"
         set keepalive enable
         set pfs enable
         set phase1name "Remotos"
         set proposal 3des-sha1 3des-md5
         set replay enable
         set dhcp-ipsec enable
     next
 end

 config vpn ipsec forticlient
     edit "xxxxx"
         set phase2name "remotos"
         set usergroupname "user_vpn"
     next
 end

 config firewall policy
     edit 49
         set srcintf "internal"
         set dstintf "wan1"
         set srcaddr "Internal_All"
         set dstaddr "all"
         set action ipsec
         set schedule "always"
         set service "DHCP"
         set logtraffic enable
         set inbound enable
         set outbound enable
         set natinbound enable
         set vpntunnel "Remotos"
     next
     edit 47
         set srcintf "internal"
         set dstintf "wan1"
         set srcaddr "Internal_All"
         set dstaddr "all"
         set action ipsec
         set schedule "always"
         set service "ANY"
         set profile-status enable
         set logtraffic enable
         set profile "custom_vpn_remoto"
         set inbound enable
         set outbound enable
         set vpntunnel "Remotos"
     next
 end
 
abelio

Ok, thanks for the info - try editing policy #47 and change

  set dstaddr "all"
  set action ipsec

to

  set dstaddr "RangeIPDHCP"
  set action ipsec

where RangeIPDHCP is 10.10.40.[1-254]. And add a new internal->wan1 firewall policy below it with action 'accept' to destination address 'all' for internet browsing. best regards,

regards / Abel
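A small first-match simulation of the FortiGate policy lookup Abel is changing here, as an added example (not code from the thread or from Fortinet): it models policy 47 as posted and after the suggested change, with a hypothetical policy 50 as the new accept rule, and assumes Internal_All covers 10.10.0.0/16 since the thread never defines it. It also shows why the order matters: with the accept policy above the encrypt policy, VPN client traffic would no longer be matched by the encrypt policy.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address objects. The names are from the thread; the
# contents of Internal_All are an assumption, and RangeIPDHCP
# (10.10.40.[1-254] in Abel's post) is approximated by its /24.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "Internal_All": ipaddress.ip_network("10.10.0.0/16"),
    "RangeIPDHCP": ipaddress.ip_network("10.10.40.0/24"),
}


@dataclass
class Policy:
    pid: int
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    action: str  # "ipsec" (encrypt policy) or "accept"


def first_match(policies, srcintf, dstintf, src, dst):
    """FortiGate-style lookup: the first policy whose interface pair and
    address objects match wins; policies below it are never consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if s in ADDRESSES[p.srcaddr] and d in ADDRESSES[p.dstaddr]:
            return p
    return None


# Policy 47 as Ariel posted it: encrypt policy with dstaddr "all", so every
# internal->wan1 flow, Internet-bound ones included, is claimed by the VPN.
BEFORE = [Policy(47, "internal", "wan1", "Internal_All", "all", "ipsec")]

# Abel's change: narrow the encrypt policy to the VPN client range and add
# a plain accept policy (hypothetical id 50) below it for Internet browsing.
AFTER = [
    Policy(47, "internal", "wan1", "Internal_All", "RangeIPDHCP", "ipsec"),
    Policy(50, "internal", "wan1", "Internal_All", "all", "accept"),
]


def action_for(policies, dst, src="10.10.10.50"):
    """Return (policy id, action) chosen for a LAN host talking to dst."""
    p = first_match(policies, "internal", "wan1", src, dst)
    return (p.pid, p.action) if p else None
```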
Not applicable

No way. I did the change and still cannot ping subnets from a FortiClient through the VPN (I can do it from a PC connected to the LAN). Should I create a policy route from the VPN route? Best regards, Ariel
abelio

Ariel, please, this thread has become a little confusing for me now: do you want internet browsing with your IPSec VPN with FortiClient? Or was the goal internet browsing plus reaching your other internal subnets? Please restate the goal once again, with the details you consider relevant, to get a picture. best regards,

regards / Abel