DamianLozano
New Contributor

VPN for Windows Clients with local internet browsing

Hello, thanks for your help.

 

I have a previous post on the same subject, but I think it is better not to revive the old post.

I have a FortiGate 60D with old firmware: 5.2.0

Someone gave me the following link; this worked for me, but with FortiClient:

https://kb.fortinet.com/kb/viewContent.do?externalId=FD36253

I would like to know if there is another tutorial to create a VPN for the Windows client instead of FortiClient. I didn't find anything like this on the Internet.

 

Thanks in advance.

Regards,

Damián

 

sw2090
Honored Contributor

hm, it looks as if there are two problems here:

 

The Windows 10 internal VPN client can only do L2TP over IPsec, not native IPsec, plus it lacks a lot of options one might need.

Thus I found a KB article about connecting Windows 10 to a FGT without FortiClient: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44157 .

Maybe this helps you...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

DamianLozano

Thanks SW2090,

I will take a look.

sw2090
Honored Contributor

hm, I took a closer look at this since I am interested in it too.

In fact you cannot use the FortiGate's split tunneling feature with an L2TP tunnel, and Win10 cannot do native IPsec.

What you can do is create a VPN as described in the KB article I linked in my last post.

On your Win10 client you can then go to the properties of the VPN interface (you see it in the network adapter snap-in of the Control Panel), then go to Networking, then Advanced, and deselect the checkbox that reads something like "Use default gateway" (there is only one that fits *g*). This will prevent your internet traffic from going over the VPN.

 

If you want to access more than the subnet you used in your VPN, you will have to create the routes on the Win10 client yourself, since you cannot push them as in IPsec. This will also require additional policies on your FGT.

 

You could write a batch file that does that:

 

rasdial <vpn> <user> <pass>                      (connects the VPN)

route add <subnet> MASK <netmask> <interfaceip>  (<interfaceip> is the address the FGT assigned to the VPN adapter)

 

You might also need to write one for disconnecting:

 

rasdial <vpn> /DISCONNECT

route delete <subnet>

 

since disconnecting the VPN will not withdraw the routes.

You need to specify user and password to rasdial to connect, even if you saved them in your VPN connection.

 

This worked fine here...

 

hth

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

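The connect/disconnect batch procedure from the reply above, written out as an added PowerShell example (not code from the forum post or from Fortinet). It assumes a Windows VPN entry named FGT-L2TP and two remote networks, 10.10.0.0/16 and 192.168.100.0/24; all three are placeholders. Instead of hard-coding the `<interfaceip>` placeholder it reads the address the FortiGate assigned to the PPP adapter after `rasdial` succeeds, so the routes follow whatever IP the L2TP range hands out. The routes are removed before disconnecting, since disconnecting does not withdraw them.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt: route.exe changes need administrator rights.
# Assumed values (replace with your own):
#   $VpnName  - name of the VPN entry created in Windows 10 (FD44157 style setup)
#   $Routes   - remote networks behind the FortiGate that the tunnel should reach

param(
    [ValidateSet('connect', 'disconnect')]
    [string]$Action = 'connect'
)

$VpnName = 'FGT-L2TP'                                        # assumed connection name
$Routes  = @(                                                # assumed remote subnets
    @{ Destination = '10.10.0.0';     Mask = '255.255.0.0'   },
    @{ Destination = '192.168.100.0'; Mask = '255.255.255.0' }
)

function Connect-FgtVpn {
    # rasdial needs user and password on the command line even when they are
    # saved in the connection. Prompting avoids keeping the password in the
    # script; it is still visible to the process list for the rasdial call.
    $cred  = Get-Credential -Message "Credentials for VPN '$VpnName'"
    $plain = $cred.GetNetworkCredential().Password
    & rasdial.exe $VpnName $cred.UserName $plain
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

    # The PPP adapter uses the VPN connection name as its interface alias; its
    # IPv4 address is the one the FortiGate assigned from the L2TP IP range.
    $ifAddr = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction Stop
    $gw = $ifAddr.IPAddress

    foreach ($r in $Routes) {
        # Same command as in the post, with <interfaceip> filled in at runtime.
        & route.exe add $r.Destination MASK $r.Mask $gw
        if ($LASTEXITCODE -ne 0) { Write-Warning "route add $($r.Destination) failed" }
    }
    Write-Host "Connected to $VpnName; remote routes point at $gw"
}

function Disconnect-FgtVpn {
    # Windows keeps the manually added routes after the tunnel drops, so
    # delete them first and only then hang up.
    foreach ($r in $Routes) {
        & route.exe delete $r.Destination
    }
    & rasdial.exe $VpnName /DISCONNECT
}

switch ($Action) {
    'connect'    { Connect-FgtVpn }
    'disconnect' { Disconnect-FgtVpn }
}
```

Usage: `.\fgt-vpn.ps1 -Action connect` and `.\fgt-vpn.ps1 -Action disconnect`. The script only adds host routes on the client; the FortiGate still needs firewall policies from the L2TP interface to each of those subnets, as the reply notes. If `Get-NetIPAddress` returns nothing, the adapter alias differs from the connection name on that machine and `Get-NetIPInterface` will show the actual PPP alias to use.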
DamianLozano

Well, this tutorial is not so good:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44157

It says something like:

- Select “User Type”

- Enter “Username” and “Password”

- Select “User Account Status” and “User Group”

A proper tutorial should say what to write in every field, not just the name of the field.

Giving the names of the fields to complete is the same as saying "Open the VPN IPsec Wizard and follow the steps".

Also, it is very different on my FortiGate.

 

Anyway, I could create a VPN with the wizard, choosing this option: "Dialup - Android (Native L2TP/IPsec)"

It also worked on W10.

The problem with this is the following:

- I needed to set the VPN clients to get IPs inside my network, then I needed to uncheck "Use the default gateway on the remote network" to use the local gateway to browse the Internet

- If I configure the VPN to assign IPs outside the local network and I uncheck the remote gateway option, I can't reach anything in the remote network. I thought I needed to create routes, but when I don't reach any IP on the remote network, which gateway should I use? The VPN interface has no IP; I tried to assign an IP but it did not work.

- Now I can access from outside to inside through the VPN, but I also need to access from the local network to the remote clients connected through the VPN

- I accepted this traffic in the IPv4 policies

- I tried to create a static route but it did not allow me to select the VPN as the outgoing interface

- I created a policy route but it did not work. VPN clients still cannot reach the local network

- This behavior is logical too: if I want to access, from the local network, an IP on the same network, this should not go to the default gateway

 

I think I should make it work by assigning other IPs to the VPN clients, IPs on another network.

Any suggestion?

 

Thanks in advance.

Regards

Damián
