Solved

Newbie Fortinet IPSec VPN Question

Posted on 2008-10-20
10
4,753 Views
Last Modified: 2013-12-04
I am attempting to assist in setting up our Fortinet VPN solution at my company.  I seem to have everything working so far (the test machine can connect through the VPN tunnel over IPSec and access resources on our internal network) except that I cannot connect to the Internet after making the connection.  We are using the FortiClient software on the end user's machine.

What I want to do is to route all normal HTTP/FTP/etc. traffic through the end user's home connection and only encrypt the data packets that are accessing internal resources.  Is this what the concentrator is for, and if so how do I set it up?  I have been looking on Fortinet's support site but their documentation is a little outdated and their helpdesk is a little on the slow side.

I have run Wireshark on the test machine and monitored the virtual network adapter.  The results I get when I attempt to go to an external website are: the DNS query and response work, then the ICMP packet gets dropped, causing the connection to fail.  However, with the way it is now it is still going through the IPSec connection and then to our LAN and then back through our DNS server.  I would rather not have all that additional traffic if at all possible and just dump that traffic to the end user's physical connection and not the virtual one.

Does this make any sense?  I suppose it does not help that I am new to VPN setup and Fortinet software.

Any help would be greatly appreciated.

Thank you,
Adam82
Question by:Adam82
10 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22768953
Sorry I cannot help you specifically with Fortinet, though I am sure others can, but all VPNs have a security feature that blocks local LAN access, including Internet access, for the client. The reason for this is it isolates the VPN client from the local network so that no one else, or a virus, could connect through that PC & VPN to the corporate network. Being aware of this, if you want to disable this security feature you can do so by enabling split-tunneling. As to how you do this on your system I do not know. I am not familiar with Fortinet. Some VPNs allow the client end to change it, but in most commercial solutions it is done within the VPN router end. Perhaps looking through your documentation for split-tunneling will help.
0
 
LVL 1

Author Comment

by:Adam82
ID: 22769019
<<<<<  Browsing their documentation right now for split tunneling solutions...

Thanks,
0
 
LVL 1

Author Comment

by:Adam82
ID: 22770619
I did find on their site, regarding the Windows VPN connection, the "Use default gateway on remote network" option.  However, we are using the FortiClient software on the end users' PCs, not the Windows utility, to make the connection.

If anyone knows how to do this with FortiClient that would be great!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22770673
Yes, that would be the option for the Windows client, but as you mentioned not the Fortinet client. I would suspect the configuration would be on the router end.

I'll send a note to someone more familiar with Fortinet for you and see if they can respond.
--Rob
0
 
LVL 1

Author Comment

by:Adam82
ID: 22782018
Well, here is what we found out from Fortinet's support.  The way the connection is set up is that "Phase 1" is the authentication and "Phase 2" creates the tunnel/connection.  What they say to do is, at "Phase 2", create a rule to route only the traffic needed for internal resources through the tunnel and route everything else elsewhere.  But I must say that I am still a little confused because their explanation of how to do this is not very good and their English is very broken.

Again, if anyone has had experience with this please let me know.  I am so close I can taste it but I still can't eat.

Thanks for all your assistance Rob
0
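As an added illustration (not from the thread, not Fortinet's code or configuration) of what the "Phase 2 rule" described above changes on the wire: the client's routing table decides whether a packet leaves by the physical or the virtual adapter (longest-prefix match), and the gateway's Phase 2 selectors decide which (source, destination) pairs the tunnel will carry at all. The model below builds a full-tunnel and a split-tunnel routing table and classifies destinations against each; the addresses, interface names and selector set are constructed assumptions, and the simplified "dropped" outcome (routed into the tunnel but outside every selector) is a property of the model, not a diagnosis of the poster's capture. It also shows the trade-off the earlier comment raised: with split tunneling the client is simultaneously on its home LAN and the corporate network.

```python
"""Model of split-tunnel vs. full-tunnel IPsec routing on a VPN client.

Added example; constructed addressing, not taken from the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]                      # (prefix, egress interface)
Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (src subnet, dst subnet)

# Constructed sample addressing (assumption): corporate prefixes behind the gateway,
# the user's home LAN, and the two egress interfaces on the client.
CORP_NETS = [ipaddress.ip_network("10.10.0.0/16"),
             ipaddress.ip_network("192.168.100.0/24")]
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
CLIENT_IP = ipaddress.ip_address("192.168.1.50")   # constructed client address
PHYSICAL = "wlan0"   # the end user's home connection
TUNNEL = "ipsec0"    # the VPN client's virtual adapter


def full_tunnel_table() -> List[Route]:
    """Full tunnel: the client installs 0.0.0.0/0 via the virtual adapter, so every
    packet except traffic for the directly connected home LAN enters the tunnel."""
    return [(HOME_NET, PHYSICAL), (DEFAULT, TUNNEL)]


def split_tunnel_table() -> List[Route]:
    """Split tunnel: only the internal prefixes are routed via the virtual adapter;
    the default route stays on the physical adapter."""
    return [(HOME_NET, PHYSICAL)] + [(n, TUNNEL) for n in CORP_NETS] + [(DEFAULT, PHYSICAL)]


def egress(table: List[Route], dst: str) -> str:
    """Longest-prefix match: the rule a host routing table applies to every packet."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def phase2_selectors() -> List[Selector]:
    """Gateway-side Phase 2 (quick mode) traffic selectors: which (src, dst) pairs
    the tunnel carries. Here: any source, destinations in the corporate prefixes."""
    return [(DEFAULT, n) for n in CORP_NETS]


def phase2_permits(selectors: List[Selector], src: str, dst: str) -> bool:
    """True if some selector covers both the source and the destination address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in selectors)


def simulate(table: List[Route], selectors: List[Selector], dst: str) -> str:
    """Outcome for one packet from the client to dst:
    'local'   - leaves by the physical adapter, never touches the VPN;
    'tunnel'  - routed into the virtual adapter and covered by a selector;
    'dropped' - routed into the virtual adapter but outside every selector, so the
                IPsec stack has no SA to carry it (simplified model)."""
    if egress(table, dst) == PHYSICAL:
        return "local"
    return "tunnel" if phase2_permits(selectors, str(CLIENT_IP), dst) else "dropped"


def classify(table: List[Route], destinations: List[str]) -> Dict[str, str]:
    """Classify several destinations at once against a routing table."""
    return {d: simulate(table, phase2_selectors(), d) for d in destinations}


if __name__ == "__main__":
    probes = ["8.8.8.8", "10.10.5.20", "192.168.100.7", "192.168.1.1"]
    print("full tunnel :", classify(full_tunnel_table(), probes))
    print("split tunnel:", classify(split_tunnel_table(), probes))
```

Reading the two printed tables side by side makes the design point concrete: under the split table, Internet destinations never enter the virtual adapter, while the corporate prefixes still match a selector and are carried encrypted. The defensive consequence is that the gateway's selectors, not the client's wishes, bound what the tunnel will accept, so the selector list on the router end is the thing to review and log when the split is introduced.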
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22782041
Perhaps they are right, but it sounds rather bizarre to me. It's usually as simple as affecting the client's default gateway, however the method varies.
Still haven't heard back from my colleague/friend.
0
 
LVL 1

Author Comment

by:Adam82
ID: 22818199
Any news Rob?  If not I will go ahead and close this question.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 22818696
I did check back with him and apparently he is not familiar with that option.
Split tunneling is definitely the option you are looking for, but as mentioned I am not familiar with Fortinet configuration.
I did find the following:
For Fortinet SSL VPN (on client):
http://kc.forticare.com/default.asp?id=1722&Lang=1
Fortinet PPTP VPN (on client):
http://kc.forticare.com/default.asp?id=323&Lang=1
Fortinet IPSec VPN (router end) probably what you are using:
http://www.broadbandreports.com/forum/r17575912-Split-Tunneling-with-FortiClient-and-ZyWALL
0
 
LVL 1

Author Comment

by:Adam82
ID: 22909654
Thanks Rob,

The last link in your comment appears to be what we need to do.  Unfortunately, due to being pushed, we rolled this out without split-tunneling.  Hopefully in the near future we will again have another chance to tinker with this.

Thanks again,
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22917691
Thanks Adam82.
Cheers !
--Rob
0
