Adam82

Newbie Fortinet IPSec VPN Question

I am attempting to assist in setting up our Fortinet VPN solution at my company. I seem to have everything working so far (the test machine can connect through the VPN tunnel over IPSec and access resources on our internal network) except that I cannot connect to the Internet after making the connection. We are using the FortiClient software on the end user's machine.

What I want to do is to route all normal HTTP/FTP/etc. traffic through the end user's home connection and only encrypt the data packets that are accessing internal resources. Is this what the concentrator is for, and if so, how do I set it up? I have been looking on Fortinet's support site, but their documentation is a little outdated and their helpdesk is a little on the slow side.

I have run Wireshark on the test machine and monitored the virtual network adapter. The results I get when I attempt to go to an external website are: the DNS query and response work, then the ICMP packet gets dropped along the way, causing the connection to fail. However, with the way it is now, it is still going through the IPSec connection, then to our LAN, and then back through our DNS server. I would rather not have all that additional traffic if at all possible, and just dump that traffic to the end user's physical connection and not the virtual one.

Does this make any sense?  I suppose it does not help that I am new to VPN setup and Fortinet software.

Any help would be greatly appreciated.

Thank you,
Adam82
Rob Williams

Sorry, I cannot help you specifically with Fortinet, though I am sure others can, but all VPNs have a security feature that blocks local LAN access, including Internet access, for the client. The reason for this is that it isolates the VPN client from the local network so that no one else, or a virus, could connect through that PC and VPN to the corporate network. Being aware of this, if you want to disable this security feature you can do so by enabling split-tunneling. As to how you do this on your system, I do not know. I am not familiar with Fortinet. Some VPNs allow the client end to change it, but in most commercial solutions it is done within the VPN router end. Perhaps looking through your documentation for split-tunneling will help.
Adam82

ASKER

Browsing their documentation right now for split tunneling solutions...

Thanks,
Adam82

ASKER

I did find on their site that, when using the Windows VPN connection, you enable the "Use default gateway on default network" option. However, we are using the FortiClient software on the end users' PCs, not the Windows utility, to make the connection.

If anyone knows how to do this with FortiClient, that would be great!
Yes that would be the option for the Windows option, but as you mentioned not the Fortinet client. I would suspect the configuration would be on the router end.

I'll send a note to someone more familiar with Fortinet for you and see if they can respond.
--Rob
Adam82

ASKER

Well, here is what we found out from Fortinet's support. The way the connection is set up, "Phase 1" is the authentication and "Phase 2" creates the tunnel/connection. What they say to do is, at "Phase 2", create a rule to route only the traffic needed for internal resources through and route everything else elsewhere. But I must say that I am still a little confused, because their explanation of how to do this is not very good and their English is very broken.

Again, if anyone has had experience with this please let me know.  I am so close I can taste it but I still can't eat.

Thanks for all your assistance, Rob
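As an added example (not code from this thread, and not FortiClient or FortiGate code), the following Python models the two ideas raised above: Rob's point that a full tunnel pushes everything, Internet included, into the VPN, and Fortinet support's point that the Phase 2 selectors decide which traffic belongs in the tunnel. It resolves a client routing table by longest-prefix match and then checks the destination against a set of Phase 2 selectors. All prefixes are constructed sample values; the "dropped" outcome and the omission of the home LAN route in full-tunnel mode are simplifying assumptions chosen to reproduce the symptoms described in the question, not a description of how FortiClient is implemented.

```python
"""Split-tunnel vs full-tunnel routing decision for a VPN client.

Added example, not from the thread and not FortiClient/FortiGate code.
All addresses below are constructed sample values.
"""
import ipaddress
from collections import Counter

# Assumed corporate subnets covered by the Phase 2 traffic selectors.
INTERNAL_PREFIXES = ["10.0.0.0/8", "172.16.50.0/24"]
HOME_LAN = "192.168.1.0/24"   # assumed home LAN of the remote user
DEFAULT = "0.0.0.0/0"


def build_routes(split_tunnel):
    """Client routing table as (network, interface) pairs.

    Full tunnel: the default route points at the virtual adapter (vpn0),
    so every packet, Internet traffic included, is sent into the tunnel.
    The home LAN connected route is omitted to model the local-LAN lockout
    a full tunnel imposes (simplifying assumption).
    Split tunnel: only the internal prefixes use vpn0; the default route
    and the home LAN stay on the physical adapter (eth0).
    """
    routes = [(ipaddress.ip_network(p), "vpn0") for p in INTERNAL_PREFIXES]
    if split_tunnel:
        routes.append((ipaddress.ip_network(HOME_LAN), "eth0"))
        routes.append((ipaddress.ip_network(DEFAULT), "eth0"))
    else:
        routes.append((ipaddress.ip_network(DEFAULT), "vpn0"))
    return routes


def select_interface(dst, routes):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def forward(dst, split_tunnel):
    """Return how the client handles a packet to dst.

    'encrypted': routed into vpn0 and covered by a Phase 2 selector
    'plain':     sent out the physical adapter, unencrypted
    'dropped':   routed into vpn0 but matching no Phase 2 selector; in this
                 simplified model such packets never reach the Internet,
                 which is the symptom a full-tunnel client shows when the
                 gateway is not forwarding Internet traffic back out.
    """
    iface = select_interface(dst, build_routes(split_tunnel))
    if iface != "vpn0":
        return "plain"
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(p) for p in INTERNAL_PREFIXES):
        return "encrypted"
    return "dropped"


def summarize(destinations, split_tunnel):
    """Count outcomes for a list of destinations under one tunnel mode."""
    return dict(Counter(forward(d, split_tunnel) for d in destinations))


if __name__ == "__main__":
    # Constructed sample: two internal hosts, one home-LAN host, one Internet host.
    sample = ["10.1.2.3", "172.16.50.7", "192.168.1.20", "203.0.113.10"]
    for mode in (False, True):
        print("split tunnel" if mode else "full tunnel", summarize(sample, mode))
```

Running it shows the trade-off Rob describes: with the full tunnel every packet goes into vpn0 and anything outside the selectors goes nowhere, while with the split tunnel only the internal prefixes are encrypted and everything else leaves the home connection unencrypted, which is exactly the exposure the local-LAN lockout exists to prevent.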
Perhaps they are right, but it sounds rather bizarre to me. It's usually as simple as affecting the client's default gateway, however the method varies.
Still haven't heard back from my colleague/friend.
Adam82

ASKER

Any news Rob?  If not I will go ahead and close this question.
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
Adam82

ASKER

Thanks Rob,

The last link in your comment appears to be what we need to do. Unfortunately, due to being pushed, we rolled this out without split-tunneling. Hopefully in the short future we will again have another chance to tinker with this.

Thanks again,
Thanks Adam82.
Cheers!
--Rob