kkbk96
New Contributor II

forticlient vpn issue from windows 11 laptop, OS version 7.2.0

So the VPN connects fine, but there seems to be some issue with routing or something, since I cannot get to any network behind my Fortigate 60E (which is the firewall I'm using for this).

 

ipconfig on windows:

 

Ethernet adapter Ethernet 4:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::5184:1128:9cd8:c861%12
IPv4 Address. . . . . . . . . . . : 192.168.2.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.16

 

Why does it get 192.168.2.16 as the default gateway? I included that as part of the IP VPN pool, which is 192.168.2.10-192.168.2.15.

 

Also how does the routing work when you are connected to this vpn?

 

Firewall config:

kkbk96_0-1660170208710.png

3 rules created and 0 hits on all.

 

ConnectedtoSwitch (internal1) - 192.168.2.10/24

RemoteAccess_range - 192.168.2.15 - 192.168.2.30

Remote Access_split1 - Vlan 20 address, Vlan10 address

Vlan 20 - 192.168.20.0/24

Vlan 10 - 192.168.10.0/24

 

Routing table:

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 17x.x.x.x, wan1, [1/0]
C 169.254.1.1/32 is directly connected, RemoteAccess
C 17x.x.x.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, internal2
C 192.168.2.0/24 is directly connected, internal1
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan 20

 

VPN Config:

kkbk96_1-1660170541034.png

 

What should I do to get it to work?

Let me know if I need to post more configs.

Thank You.

12 REPLIES
Anthony_E
Community Manager

Hello kkbk96,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
kkbk96
New Contributor II

Hopefully someone replies, haven't seen anyone reply yet.

Anthony_E
Community Manager

Hello,

 

We will look for an answer and will not stop.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

 

While waiting for an answer, I'll leave you the FortiOS 7.2.0 release notes:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5967294d-aa31-11ec-9fd1-fa163e...

 

I will continue looking for somebody to help you.

 

Regards,

Anthony-Fortinet Community Team.
sw2090
SuperUser

I guess 192.168.2.16 is the remote end of your vpn (i.e. your FGT). If it gets that as default gw that would mean either split tunneling is not enabled or split tunneling does not work for some reason.

In this case the routing table of your client would be interesting. 

I would guess it then has two default routes and the one that is not over the vpn has the lower metric. 

That together with what I wrote about split tunneling would explain your issues after all :)

 

If split tunneling is enabled for the subnets you want to reach (and is also working) your client would not get a new default gw but instead it would get routes to those subnets specified in split tunneling that have the FGT as gateway.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

kkbk96
New Contributor II

Yes, split tunneling is not enabled. I would like to get this to work without enabling split tunneling. I will share the client routing table later today. Should be "route print" for Windows, right?

sw2090
SuperUser

Without split tunneling it should work if that default route (over the tunnel) is the only one or has the lowest metric.

The big contra of this is that it would also send all your internet traffic through the tunnel. So in order to still have internet you would need to have a policy to allow vpn to internet with nat on your FGT.

I would not recommend this. I would recommend using split tunneling instead...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

kkbk96
New Contributor II

OK, I'll try enabling split tunneling then. All I want is to have internet connection as well with the VPN turned on.

kkbk96
New Contributor II

Here are the route details. Like you said, there are 2 default routes:

 

PS C:\Users\kxxxx> route print
===========================================================================
Interface List
12...00 09 0f fe 00 01 ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
7...00 09 0f aa 00 01 ......Fortinet SSL VPN Virtual Ethernet Adapter
21...00 ff 81 fa e9 da ......TAP-NordVPN Windows Adapter V9
15...b0 7d 64 62 a9 18 ......Microsoft Wi-Fi Direct Virtual Adapter #3
30...b2 7d 64 62 a9 17 ......Microsoft Wi-Fi Direct Virtual Adapter #4
18...52 6b b9 57 3d 0a ......Intel(R) Wi-Fi 6 AX200 160MHz
5...00 50 56 c0 00 02 ......VMware Virtual Ethernet Adapter for VMnet2
32...00 50 56 c0 00 03 ......VMware Virtual Ethernet Adapter for VMnet3
6...00 50 56 c0 00 04 ......VMware Virtual Ethernet Adapter for VMnet4
11...00 50 56 c0 00 05 ......VMware Virtual Ethernet Adapter for VMnet5
8...00 50 56 c0 00 06 ......VMware Virtual Ethernet Adapter for VMnet6
13...00 50 56 c0 00 07 ......VMware Virtual Ethernet Adapter for VMnet7
26...00 50 56 c0 00 09 ......VMware Virtual Ethernet Adapter for VMnet9
39...00 50 56 c0 00 0c ......VMware Virtual Ethernet Adapter for VMnet12
37...00 50 56 c0 00 0d ......VMware Virtual Ethernet Adapter for VMnet13
22...00 50 56 c0 00 0e ......VMware Virtual Ethernet Adapter for VMnet14
29...00 50 56 c0 00 0f ......VMware Virtual Ethernet Adapter for VMnet15
25...00 50 56 c0 00 10 ......VMware Virtual Ethernet Adapter for VMnet16
40...00 50 56 c0 00 11 ......VMware Virtual Ethernet Adapter for VMnet17
19...00 50 56 c0 00 12 ......VMware Virtual Ethernet Adapter for VMnet18
3...00 50 56 c0 00 13 ......VMware Virtual Ethernet Adapter for VMnet19
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.27.104 192.168.27.20 30
0.0.0.0 0.0.0.0 192.168.2.16 192.168.2.15 2
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
173.72.96.58 255.255.255.255 192.168.27.104 192.168.27.20 30
192.168.2.0 255.255.255.0 On-link 192.168.2.15 257
192.168.2.15 255.255.255.255 On-link 192.168.2.15 257
192.168.2.255 255.255.255.255 On-link 192.168.2.15 257
192.168.7.0 255.255.255.0 On-link 192.168.7.1 291
192.168.7.1 255.255.255.255 On-link 192.168.7.1 291
192.168.7.255 255.255.255.255 On-link 192.168.7.1 291
192.168.27.0 255.255.255.0 On-link 192.168.27.20 286
192.168.27.20 255.255.255.255 On-link 192.168.27.20 286
192.168.27.255 255.255.255.255 On-link 192.168.27.20 286
192.168.79.0 255.255.255.0 On-link 192.168.79.1 291
192.168.79.1 255.255.255.255 On-link 192.168.79.1 291
192.168.79.255 255.255.255.255 On-link 192.168.79.1 291
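
An added example, not part of any poster's reply: a small Python route selector run over rows copied from the `route print` output above, showing which entry the client would use per destination (longest prefix first, then lowest metric). The destinations 192.168.10.5 (a host in the Vlan 10 range) and 8.8.8.8 are constructed test inputs.

```python
import ipaddress

# Active IPv4 routes copied from the `route print` output posted above
# (loopback, broadcast and unrelated adapter rows omitted for brevity).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.27.104 192.168.27.20 30
0.0.0.0 0.0.0.0 192.168.2.16 192.168.2.15 2
173.72.96.58 255.255.255.255 192.168.27.104 192.168.27.20 30
192.168.2.0 255.255.255.0 On-link 192.168.2.15 257
192.168.27.0 255.255.255.0 On-link 192.168.27.20 286
"""

def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gateway,
            "iface": iface,
            "metric": int(metric),
        })
    return routes

def select_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))

def default_routes(routes):
    """All 0.0.0.0/0 entries, preferred one (lowest metric) first."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    return sorted(defaults, key=lambda r: r["metric"])

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    # Constructed destinations: Vlan 10 host, internet host, the host route, the tunnel gateway.
    for dest in ("192.168.10.5", "8.8.8.8", "173.72.96.58", "192.168.2.16"):
        r = select_route(routes, dest)
        print(f"{dest:>15} -> via {r['gateway']} on {r['iface']} (metric {r['metric']})")
```

With the posted table, both the Vlan 10 host and the internet host resolve to the metric-2 default route on 192.168.2.15, while 173.72.96.58 keeps its host route via 192.168.27.104.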
