Newbie Fortinet IPSec VPN Question

I am attempting to assist in setting up our Fortinet VPN solution at my company.  I seem to have everything working so far (test machine can connect through the VPN tunnel over IPSec and access resources on our internal network) except that I cannot connect to the Internet after making the connection.  We are using the FortiClient software on the end user's machine.

What I want to do is to route all normal HTTP/FTP/etc. traffic through the end user's home connection and only encrypt the data packets that are accessing internal resources.  Is this what the concentrator is for, and if so how do I set it up?  I have been looking on Fortinet's support site but their documentation is a little outdated and their helpdesk is a little on the slow side.

I have run Wireshark on the test machine and monitored the virtual network adapter.  The results I get when I attempt to go to an external website are that the DNS query and response work, then the ICMP packet gets dropped along the way, causing the connection to fail.  However, with the way it is now it is still going through the IPSec connection and then to our LAN and then back through our DNS server.  I would rather not have all that additional traffic if at all possible and just dump that traffic to the end user's physical connection and not the virtual one.

Does this make any sense?  I suppose it does not help that I am new to VPN setup and Fortinet software.

Any help would be greatly appreciated.

Thank you,
Adam82
Adam82Asked:

Rob WilliamsCommented:
Sorry I cannot help you specifically with Fortinet, though I am sure others can, but all VPNs have a security feature that blocks local LAN access, including Internet access, for the client. The reason for this is it isolates the VPN client from the local network so that no one else, or a virus, could connect through that PC & VPN to the corporate network. Being aware of this, if you want to disable this security feature you can do so by enabling split-tunneling. As to how you do this on your system I do not know. I am not familiar with Fortinet. Some VPNs allow the client end to change, but in most commercial solutions it is done within the VPN router end. Perhaps looking through your documentation for split-tunneling will help.
0
Adam82Author Commented:
Browsing their documentation right now for split tunneling solutions...

Thanks,
0
Adam82Author Commented:
I did find on their site, regarding when using the Windows VPN connection, to enable the "Use default gateway on remote network" option.  However, we are using the FortiClient software on the end users' PCs, not the Windows utility, to make the connection.

If anyone knows how to do this with FortiClient that would be great!
0
Rob WilliamsCommented:
Yes that would be the option for the Windows option, but as you mentioned not the Fortinet client. I would suspect the configuration would be on the router end.

I'll send a note to someone more familiar with Fortinet for you and see if they can respond.
--Rob
0
Adam82Author Commented:
Well, here is what we found out from Fortinet's support.  The way the connection is set up is "Phase 1" is the authentication and "Phase 2" creates the tunnel/connection.  What they say to do is at "Phase 2" create a rule to route only traffic needed for internal resources through and route everything else elsewhere.  But I must say that I am still a little confused because their explanation on how to do this is not very good and their English is very broken.

Again, if anyone has had experience with this please let me know.  I am so close I can taste it but I still can't eat.

Thanks for all your assistance Rob
0
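To make the two ideas in this thread concrete (Rob's point that full-tunnel mode moves the client's default gateway onto the VPN adapter, and Fortinet support's point that the Phase 2 selectors decide which destinations belong in the tunnel), here is an added illustration in Python. It is not Fortinet code and not from anyone in the thread; it simulates the client's route table and the gateway's forwarding decision. The internal subnets, the policy names and the "gateway drops VPN-to-Internet traffic" behaviour are all assumptions chosen to reproduce the symptom Adam82 saw (DNS to the internal server works, ICMP to an outside host is dropped).

```python
from ipaddress import ip_address, ip_network

# Constructed sample: internal subnets the Phase 2 selectors are assumed to cover.
INTERNAL_SUBNETS = ["10.0.0.0/8", "192.168.100.0/24"]
INTERNAL_DNS = "10.0.0.53"          # assumed internal DNS server address


def build_routes(split_tunnel: bool):
    """Routes a VPN client installs: (network, outgoing adapter) pairs.

    Full tunnel: the default route is moved onto the virtual adapter, so every
    packet, Internet-bound ones included, enters the IPSec tunnel.
    Split tunnel: only the selector subnets use the virtual adapter; the
    default route stays on the physical (home) adapter.
    """
    routes = [(ip_network(n), "vpn") for n in INTERNAL_SUBNETS]
    default_adapter = "physical" if split_tunnel else "vpn"
    routes.append((ip_network("0.0.0.0/0"), default_adapter))
    return routes


def select_adapter(dest: str, routes):
    """Longest-prefix match over the route table, as the client OS does."""
    addr = ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def gateway_forwards(dest: str, allow_vpn_to_internet: bool) -> bool:
    """Assumed behaviour of the VPN gateway for a packet arriving via the tunnel.

    Traffic to an internal subnet is always forwarded.  Traffic to the Internet
    is forwarded only if the gateway has a policy from the VPN interface out to
    the WAN; otherwise it is dropped, which is the failure seen in the thread.
    """
    addr = ip_address(dest)
    if any(addr in ip_network(n) for n in INTERNAL_SUBNETS):
        return True
    return allow_vpn_to_internet


def trace(dest: str, split_tunnel: bool, allow_vpn_to_internet: bool = False) -> str:
    """End-to-end outcome for one destination: 'ok via <adapter>' or 'dropped'."""
    adapter = select_adapter(dest, build_routes(split_tunnel))
    if adapter == "physical":
        return "ok via physical"          # never touches the tunnel
    return "ok via vpn" if gateway_forwards(dest, allow_vpn_to_internet) else "dropped"


if __name__ == "__main__":
    for mode in (False, True):
        label = "split tunnel" if mode else "full tunnel"
        for dest in (INTERNAL_DNS, "198.51.100.10"):   # internal DNS, external host
            print(f"{label:12} {dest:15} -> {trace(dest, mode)}")
```

Running it shows the two configurations side by side: in full-tunnel mode the lookup to the internal DNS server succeeds but the external host is dropped at the gateway, while in split-tunnel mode the external host leaves through the physical adapter and only the internal subnets are encrypted.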
Rob WilliamsCommented:
Perhaps they are right, but it sounds rather bizarre to me. It's usually as simple as affecting the client's default gateway, however the method varies.
Still haven't heard back from my colleague/friend.
0
Adam82Author Commented:
Any news Rob?  If not I will go ahead and close this question.
0
Rob WilliamsCommented:
I did check back with him and apparently he is not familiar with that option.
Split tunneling is definitely the option you are looking for, but as mentioned I am not familiar with Fortinet configuration.
I did find the following:
For Fortinet SSL VPN (on client):
http://kc.forticare.com/default.asp?id=1722&Lang=1
Fortinet PPTP VPN (on client):
http://kc.forticare.com/default.asp?id=323&Lang=1
Fortinet IPSec VPN (router end) probably what you are using:
http://www.broadbandreports.com/forum/r17575912-Split-Tunneling-with-FortiClient-and-ZyWALL
0
Adam82Author Commented:
Thanks Rob,

The last link in your comment appears to be what we need to do.  Unfortunately, due to being pushed, we rolled this out without split-tunneling.  Hopefully in the near future we will again have another chance to tinker with this.

Thanks again,
0
Rob WilliamsCommented:
Thanks Adam82.
Cheers !
--Rob
0