Solved

Newbie Fortinet IPSec VPN Question

Posted on 2008-10-20
Last Modified: 2013-12-04
I am attempting to assist in setting up our Fortinet VPN solution at my company.  I seem to have everything working so far (test machine can connect through the VPN tunnel over IPSec and access resources on our internal network) except that I cannot connect to the Internet after making the connection.  We are using the FortiClient software on the end user's machine.

What I want to do is to route all normal HTTP/FTP/etc. traffic through the end user's home connection and only encrypt the data packets that are accessing internal resources.  Is this what the concentrator is for, and if so how do I set it up?  I have been looking on Fortinet's support site but their documentation is a little outdated and their helpdesk is a little on the slow side.

I have run Wireshark on the test machine and monitored the virtual network adapter.  The results I get when I attempt to go to an external website are that the DNS query and response work, then the ICMP packet gets dropped, causing the connection to fail.  However, with the way it is now it is still going through the IPSec connection and then to our LAN and then back through our DNS server.  I would rather not have all that additional traffic if at all possible and just dump that traffic to the end user's physical connection and not the virtual one.

Does this make any sense?  I suppose it does not help that I am new to VPN setup and Fortinet software.

Any help would be greatly appreciated.

Thank you,
Adam82
Question by:Adam82

Expert Comment

by:Rob Williams
ID: 22768953
Sorry I cannot help you specifically with Fortinet, though I am sure others can, but all VPNs have a security feature that blocks local LAN access, including Internet access, for the client. The reason for this is it isolates the VPN client from the local network so that no one else, or a virus, could connect through that PC & VPN to the corporate network. Being aware of this, if you want to disable this security feature you can do so by enabling split-tunneling. As to how you do this on your system I do not know. I am not familiar with Fortinet. Some VPNs allow the client end to change, but in most commercial solutions it is done within the VPN router end. Perhaps looking through your documentation for split-tunneling will help.

Author Comment

by:Adam82
ID: 22769019
<<<<<  Browsing their documentation right now for split tunneling solutions...

Thanks,

Author Comment

by:Adam82
ID: 22770619
I did find on their site, regarding when using the Windows VPN connection, the advice to enable the "Use default gateway on default network" option.  However, we are using the FortiClient software on the end users' PCs, not the Windows utility, to make the connection.

If anyone knows how to do this with the FortiClient, that would be great!

Expert Comment

by:Rob Williams
ID: 22770673
Yes, that would be the option for the Windows client, but as you mentioned not the Fortinet client. I would suspect the configuration would be on the router end.

I'll send a note to someone more familiar with Fortinet for you and see if they can respond.
--Rob

Author Comment

by:Adam82
ID: 22782018
Well, here is what we found out from Fortinet's support.  The way the connection is set up is "Phase 1" is the authentication and "Phase 2" creates the tunnel/connection.  What they say to do is at "Phase 2" create a rule to route only traffic needed for internal resources through, and route everything else elsewhere.  But I must say that I am still a little confused because their explanation on how to do this is not very good and their English is very broken.

Again, if anyone has had experience with this please let me know.  I am so close I can taste it but I still can't eat.

Thanks for all your assistance Rob

Expert Comment

by:Rob Williams
ID: 22782041
Perhaps they are right, but it sounds rather bizarre to me. It's usually as simple as affecting the client's default gateway, however the method varies.
Still haven't heard back from my colleague/friend.

Author Comment

by:Adam82
ID: 22818199
Any news Rob?  If not I will go ahead and close this question.

Accepted Solution

by:Rob Williams (earned 500 total points)
ID: 22818696
I did check back with him and apparently he is not familiar with that option.
Split tunneling is definitely the option you are looking for, but as mentioned I am not familiar with Fortinet configuration.
I did find the following:
For Fortinet SSL VPN (on client):
http://kc.forticare.com/default.asp?id=1722&Lang=1
Fortinet PPTP VPN (on client):
http://kc.forticare.com/default.asp?id=323&Lang=1
Fortinet IPSec VPN (router end) probably what you are using:
http://www.broadbandreports.com/forum/r17575912-Split-Tunneling-with-FortiClient-and-ZyWALL
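The routing behaviour the thread is circling around (Adam's "Phase 2" rule that sends only internal-resource traffic through the tunnel, and Rob's point that split tunneling is a matter of where the client's default gateway points) can be modelled in a few lines. The following is an added example, not code from the thread, from Fortinet or from any of the posters: it builds a road-warrior client's routing table in full-tunnel and split-tunnel form, picks the egress interface by longest-prefix match the way a host routing table does, and runs the sanity check an administrator would want after enabling split tunneling. The internal subnets, the destination addresses and the function names are all constructed assumptions; the public addresses come from the IETF documentation ranges.

```python
"""Added example (not from the thread): split-tunnel vs. full-tunnel routing
decision for an IPsec road-warrior client such as the FortiClient setup above.

Full tunnel: the client's default route points into the virtual adapter, so
Internet traffic is hairpinned through the corporate LAN (what Adam saw).
Split tunnel: only the Phase 2 selectors (internal subnets) go through the
tunnel; everything else leaves via the user's physical (home) connection.
"""
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not taken from the thread): corporate
# subnets the Phase 2 selectors should cover, and some destinations to test.
INTERNAL_SUBNETS = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]
SAMPLE_DESTINATIONS = {
    "file-server": "10.10.5.20",     # internal resource
    "corp-dns": "192.168.50.10",     # internal DNS server
    "public-site": "203.0.113.10",   # documentation range, stands in for a website
    "public-ntp": "198.51.100.5",    # another external host
}


def build_routes(split_tunnel):
    """Return the client routing table as (network, egress) pairs.

    Internal subnets always point at the IPsec virtual adapter.  The default
    route is what split tunneling changes: full tunnel sends it into the tunnel
    as well, split tunnel leaves it on the physical adapter.
    """
    routes = [(net, "ipsec") for net in INTERNAL_SUBNETS]
    routes.append((ip_network("0.0.0.0/0"), "physical" if split_tunnel else "ipsec"))
    return routes


def egress_for(dst, routes):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ip_address(dst)
    best_net, best_egress = None, None
    for net, egress in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_egress = net, egress
    return best_egress


def classify_flows(destinations, split_tunnel):
    """Map each named destination to the interface it would leave on."""
    routes = build_routes(split_tunnel)
    return {name: egress_for(ip, routes) for name, ip in destinations.items()}


def audit_routes(destinations, routes, split_tunnel):
    """Post-change check: every internal host must still traverse the tunnel,
    and with split tunneling on, no public host should.  Returns a list of
    violations; an empty list means the table matches the intended policy."""
    problems = []
    for name, ip in destinations.items():
        egress = egress_for(ip, routes)
        internal = any(ip_address(ip) in net for net in INTERNAL_SUBNETS)
        if internal and egress != "ipsec":
            problems.append(f"{name}: internal host {ip} leaving via {egress}")
        elif split_tunnel and not internal and egress == "ipsec":
            problems.append(f"{name}: Internet traffic to {ip} hairpinned through the tunnel")
    return problems


if __name__ == "__main__":
    for mode in (False, True):
        label = "split tunnel" if mode else "full tunnel"
        print(label, classify_flows(SAMPLE_DESTINATIONS, mode))
        print("  audit:", audit_routes(SAMPLE_DESTINATIONS, build_routes(mode), mode) or "ok")
```

The audit is where the thread's DNS observation matters: if the internal DNS server's subnet is left out of the selectors, name resolution for internal hosts silently moves to the home ISP's resolver, and `audit_routes` flags that host as leaving via the physical adapter. Rob's caveat still applies to the split-tunnel table: the client is then reachable from its local network and the Internet while the tunnel is up, which is exactly the isolation the full tunnel was providing.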

Author Comment

by:Adam82
ID: 22909654
Thanks Rob,

The last link in your comment appears to be what we need to do.  Unfortunately, due to being pushed, we rolled this out without split-tunneling.  Hopefully in the short future we will again have another chance to tinker with this.

Thanks again,

Expert Comment

by:Rob Williams
ID: 22917691
Thanks Adam82.
Cheers!
--Rob