Solved

Newbie Fortinet IPSec VPN Question

Posted on 2008-10-20
Last Modified: 2013-12-04
I am attempting to assist in setting up our Fortinet VPN solution at my company.  I seem to have everything working so far (the test machine can connect through the VPN tunnel over IPSec and access resources on our internal network) except that I cannot connect to the Internet after making the connection.  We are using the FortiClient software on the end user's machine.

What I want to do is to route all normal HTTP/FTP/etc. traffic through the end user's home connection and only encrypt the data packets that are accessing internal resources.  Is this what the concentrator is for, and if so how do I set it up?  I have been looking on Fortinet's support site but their documentation is a little outdated and their helpdesk is a little on the slow side.

I have run Wireshark on the test machine and monitored the virtual network adapter.  The results I get when I attempt to go to an external website are: the DNS query and response work, then the ICMP packet gets dropped along the way, causing the connection to fail.  However, with the way it is now it is still going through the IPSec connection and then to our LAN and then back through our DNS server.  I would rather not have all that additional traffic if at all possible and just dump that traffic to the end user's physical connection and not the virtual one.

Does this make any sense?  I suppose it does not help that I am new to VPN setup and Fortinet software.

Any help would be greatly appreciated.

Thank you,
Adam82

Expert Comment

by:Rob Williams
ID: 22768953
Sorry I cannot help you specifically with Fortinet, though I am sure others can, but all VPNs have a security feature that blocks local LAN access, including Internet access, for the client. The reason for this is it isolates the VPN client from the local network so that no one else, or a virus, could connect through that PC & VPN to the corporate network. Being aware of this, if you want to disable this security feature you can do so by enabling split-tunneling. As to how you do this on your system I do not know. I am not familiar with Fortinet. Some VPNs allow the client end to change it, but in most commercial solutions it is done within the VPN router end. Perhaps looking through your documentation for split-tunneling will help.

Author Comment

by:Adam82
ID: 22769019
Browsing their documentation right now for split tunneling solutions...

Thanks,

Author Comment

by:Adam82
ID: 22770619
I did find on their site, regarding the Windows VPN connection, the instruction to enable the "Use default gateway on remote network" option.  However, we are using the FortiClient software on the end users' PCs, not the Windows utility, to make the connection.

If anyone knows how to do this with FortiClient, that would be great!

Expert Comment

by:Rob Williams
ID: 22770673
Yes, that would be the option for the Windows client, but as you mentioned not the Fortinet client. I would suspect the configuration would be on the router end.

I'll send a note to someone more familiar with Fortinet for you and see if they can respond.
--Rob

Author Comment

by:Adam82
ID: 22782018
Well, here is what we found out from Fortinet's support.  The way the connection is set up, "Phase 1" is the authentication and "Phase 2" creates the tunnel/connection.  What they say to do is, at "Phase 2", create a rule to route only the traffic needed for internal resources through the tunnel and route everything else elsewhere.  But I must say that I am still a little confused because their explanation of how to do this is not very good and their English is very broken.

Again, if anyone has had experience with this please let me know.  I am so close I can taste it but I still can't eat.

Thanks for all your assistance, Rob.
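To make the two ideas in this thread concrete (Rob's point that a VPN client normally sends everything, Internet included, through the tunnel, and Fortinet support's advice to restrict the Phase 2 rule to the internal subnets), here is a small added model of Phase 2 traffic selectors as a split-tunnel policy. It is example code written for this page, not FortiClient or FortiGate code, and every subnet, server address and flow in it is constructed for illustration. Beyond classifying flows, it adds two checks a practitioner wants once split tunneling is on: whether the corporate DNS servers are still covered by the selectors (otherwise internal names stop resolving, which is the DNS path the question observed in Wireshark), and whether a selector overlaps the client's home LAN (which would pull local devices into the tunnel).

```python
"""Added example (not from the thread): IPsec Phase 2 traffic selectors modelled as a
split-tunnel policy. It shows which client traffic is encrypted into the tunnel and
which leaves the client's physical interface. All subnets and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass
class TunnelPolicy:
    # Destination prefixes declared as Phase 2 selectors (the "internal resources").
    selectors: List[str]
    # False models the default full tunnel: every packet, Internet included, goes via the VPN.
    split_tunnel: bool = True

    def __post_init__(self) -> None:
        self.networks = [ip_network(s, strict=False) for s in self.selectors]

    def next_hop(self, dst: str) -> str:
        """Return "tunnel" if dst matches a selector (or full tunnel is on), else "local"."""
        if not self.split_tunnel:
            return "tunnel"
        addr = ip_address(dst)
        return "tunnel" if any(addr in net for net in self.networks) else "local"


def simulate(policy: TunnelPolicy, flows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (name, destination) flows by the path the policy gives them."""
    out: Dict[str, List[str]] = {"tunnel": [], "local": []}
    for name, dst in flows:
        out[policy.next_hop(dst)].append(name)
    return out


def uncovered_dns(policy: TunnelPolicy, dns_servers: Iterable[str]) -> List[str]:
    """Corporate DNS servers the selectors do NOT cover. With split tunneling on,
    queries to them would leave via the home connection and internal names would fail."""
    return [d for d in dns_servers if policy.next_hop(d) == "local"]


def overlapping_selectors(policy: TunnelPolicy, client_lan: str) -> List[str]:
    """Selectors that overlap the client's home LAN: those addresses get pulled into
    the tunnel, so local devices (printer, NAS) become unreachable while connected."""
    lan = ip_network(client_lan, strict=False)
    return [str(net) for net in policy.networks if net.overlaps(lan)]


# Constructed flows: two internal hosts, one public web server (TEST-NET-3), one home device.
FLOWS = [
    ("file-server", "10.10.5.20"),
    ("intranet-web", "10.10.8.10"),
    ("public-web", "203.0.113.10"),
    ("home-printer", "192.168.1.50"),
]

if __name__ == "__main__":
    full = TunnelPolicy(["10.10.0.0/16"], split_tunnel=False)
    split = TunnelPolicy(["10.10.0.0/16", "172.16.0.0/12"])
    print("full tunnel :", simulate(full, FLOWS))
    print("split tunnel:", simulate(split, FLOWS))
    print("DNS not covered:", uncovered_dns(split, ["10.10.1.53", "10.20.1.53"]))
    print("home LAN overlap:", overlapping_selectors(TunnelPolicy(["192.168.0.0/16"]), "192.168.1.0/24"))
```

With the full-tunnel policy every flow, including the public web server and the home printer, is listed under "tunnel", which is exactly the behaviour the question describes; with the split policy only the 10.10.0.0/16 hosts are tunneled. The selector set is the security boundary Rob mentions: the narrower it is, the less of the client's traffic the corporate side inspects, and the more the client is simultaneously reachable from its home LAN.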

Expert Comment

by:Rob Williams
ID: 22782041
Perhaps they are right, but it sounds rather bizarre to me. It's usually as simple as changing the client's default gateway; however, the method varies.
Still haven't heard back from my colleague/friend.

Author Comment

by:Adam82
ID: 22818199
Any news Rob?  If not I will go ahead and close this question.

Accepted Solution

by: Rob Williams (earned 500 total points)
ID: 22818696
I did check back with him and apparently he is not familiar with that option.
Split tunneling is definitely the option you are looking for, but as mentioned I am not familiar with Fortinet configuration.
I did find the following:
For Fortinet SSL VPN (on client):
http://kc.forticare.com/default.asp?id=1722&Lang=1
Fortinet PPTP VPN (on client):
http://kc.forticare.com/default.asp?id=323&Lang=1
Fortinet IPSec VPN (router end) probably what you are using:
http://www.broadbandreports.com/forum/r17575912-Split-Tunneling-with-FortiClient-and-ZyWALL

Author Comment

by:Adam82
ID: 22909654
Thanks Rob,

The last link in your comment appears to be what we need to do.  Unfortunately, due to being pushed, we rolled this out without split-tunneling.  Hopefully in the near future we will again have a chance to tinker with this.

Thanks again,

Expert Comment

by:Rob Williams
ID: 22917691
Thanks Adam82.
Cheers!
--Rob