Support Forum
Miata

Losing Internet Access when Connected to VPN

Hi guys

When connecting via VPN the computer loses all internet access. I have tried with and without split tunnelling and nothing works.

Model: FortiGate 60D, Firmware: 5.2.3

Anything I need to look at in regards to debugs/config? Do I need split tunneling?

I've had a look at other threads and come across this comment:

'My firewall policy with the SSL-VPN set as action was this: wan1 > internal all - all - always - any - SSL VPN. The destination must be a specific subnet(s) in order to do split tunneling. Once I changed my destination on that policy to the appropriate internal subnets, split tunneling worked just fine once I was able to enable it.'

Is this the general setup for this?

Cheers,

Miata

Christopher_McMullan

If you enable split-tunnelling in the settings for the SSLVPN web portal, once you try to define a firewall policy for the connection afterwards, I think you will be prohibited from leaving the destination address zeroed. It is not a valid split-tunnelling address. So you could do either-or: leave the web portal and policy destination wide open and split-tunnelling disabled (but then create an ssl.<vdom> to WAN policy to allow Internet access), or else enable split-tunnelling in the Tunnel Mode widget in the SSLVPN web portal, choose a local address range, and make the destination in the policy the same address range.

The tricky part comes in if tunnel-mode users also want to use the web portal for proxied browsing to Internet sites. In that case, the only way I can find to make the scenario work is to create two portals: one Tunnel Mode (split tunnelling) and one Web Only. For the browsing web-only mode connection, you would need a second user account (and/or user group) to authenticate to it, since portal selection is based on authenticated identity. Once in that portal, you could not bring up a split-tunnelling Tunnel Mode connection, but you could browse via the portal proxy. And vice versa, for a tunnel connection, authenticate as the user for the Tunnel Mode portal.

Messy, but it works!

Regards, Chris McMullan Fortinet Ottawa
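Editor's note: the two configurations described in the reply above, written out as a FortiOS 5.2 CLI example. This is an added example, not config posted by anyone in the thread. It assumes the root VDOM (so the SSL VPN interface is ssl.root), a LAN interface named "internal", a WAN interface named "wan1", a user group "sslvpn-users", an address object "LAN_internal" for the local subnet, and the built-in "SSLVPN_TUNNEL_ADDR1" pool; only one of the two portals would be mapped to a given group at a time.

```text
# Added example (FortiOS 5.2 syntax), not from the original thread.
# Assumed names: "LAN_internal", "sslvpn-users", "internal", "wan1".

config firewall address
    edit "LAN_internal"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Option A: full tunnel. Split tunnelling is off, so the client's default
# route goes into the tunnel and Internet traffic arrives on ssl.root.
# Policy 11 (ssl.root -> wan1, NAT enabled) is what restores Internet
# access; without it the symptom in the question is exactly what you get.
config vpn ssl web portal
    edit "full-tunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
    edit 11
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "sslvpn-users"
    next
end

# Option B: split tunnel. Only the route for "LAN_internal" is pushed to
# the client, Internet traffic never enters the tunnel, so no ssl.root ->
# wan1 policy is needed. The policy destination is the same address object
# as the split-tunnelling routing address, as the reply describes.
config vpn ssl web portal
    edit "split-tunnel"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_internal"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config firewall policy
    edit 12
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
end

# Portal selection is by authenticated identity: map the group to
# whichever portal you want it to land in (here the full tunnel).
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-tunnel"
        next
    end
end
```

Two things worth checking after applying either option: `get router info routing-table all` on the client side (or `route print` on Windows) shows whether the default route or only the LAN subnet went into the tunnel, and on the FortiGate `diagnose debug flow` with a filter on the tunnel client's pool address shows which policy the Internet-bound packets hit, or whether they are dropped for lack of one. Keep the srcaddr on both policies restricted to the tunnel pool rather than "all", so the ssl.root policies cannot be matched by anything but VPN clients.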

Miata

Hi

Thank you very much for this information, however do you know if this works with IPsec VPN? How can I set this up for that?

Cheers

Miata

Christopher_McMullan

With IPsec, it depends who the client will be for the connection. With FortiClient or a known OS (iOS, Windows, etc.), the wizard takes care of the options, and provides a drop-down field to choose split addresses.

Otherwise, the manual route will take you into the CLI:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set ipv4-split-include <address_name>
        ...
    next
end

Regards, Chris McMullan Fortinet Ottawa
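Editor's note: a fuller dialup IPsec configuration around the `ipv4-split-include` setting from the reply above, as an added FortiOS 5.2 CLI example rather than config from the thread. It assumes a phase1 named "dialup-ipsec", a user group "ipsec-users", a WAN interface "wan1", a LAN interface "internal", an address object "LAN_internal" for the subnet to push as a split route, an address pool 10.10.10.1-10.10.10.50 for the clients, and a placeholder pre-shared key.

```text
# Added example (FortiOS 5.2 syntax), not from the original thread.
# Assumed names: "dialup-ipsec", "ipsec-users", "LAN_internal", "IPSEC_POOL".

config firewall address
    edit "LAN_internal"
        set subnet 192.168.1.0 255.255.255.0
    next
    # Address object matching the mode-config pool below, so the firewall
    # policy can be limited to tunnel clients instead of "all".
    edit "IPSEC_POOL"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
end

# Dynamic (dialup) phase 1 with mode-config: the FortiGate hands the client
# its tunnel address, and ipv4-split-include limits the routes pushed to the
# client to "LAN_internal". Without it the client sends everything into the
# tunnel and needs a tunnel -> wan1 NAT policy, just like the SSL VPN case.
config vpn ipsec phase1-interface
    edit "dialup-ipsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256
        set xauthtype auto
        set authusrgrp "ipsec-users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN_internal"
        set psksecret <preshared_key>
    next
end

config vpn ipsec phase2-interface
    edit "dialup-ipsec-p2"
        set phase1name "dialup-ipsec"
        set proposal aes256-sha256
    next
end

# The tunnel interface takes the phase1 name. Destination is the same
# address object that was pushed as the split route.
config firewall policy
    edit 20
        set srcintf "dialup-ipsec"
        set dstintf "internal"
        set srcaddr "IPSEC_POOL"
        set dstaddr "LAN_internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the client should instead be forced through the tunnel for all traffic (full tunnel, no split), drop `ipv4-split-include` and add a second policy from "dialup-ipsec" to "wan1" with `set nat enable`, mirroring the ssl.root -> WAN policy from the SSL VPN reply; `diagnose vpn tunnel list` shows the negotiated selectors and whether mode-config handed out an address.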
