Maintain local network shares while connected to VPN

I am running Windows 7 Ultimate, on which I share several folders on my home network.
While connected to my work IPSec VPN (using Forticlient) all access to my local network is lost (by design, I know).
Is there any way I can still allow access to my shared folders while connected?
It may be worth mentioning that I have two network cards.

I know the usual answer is split tunneling.
However, I believe this has to be enabled on the server side (which I find unlikely since it is usually considered a security hole).
I am looking for alternatives, hoping to leverage the second network card somehow.
So far my research has been fruitless.
bejhan asked:

John (Business Consultant, Owner) commented:
You are already using IPsec and split tunneling comes with IPsec. The only "security" hole is careless use of internet outside the tunnel. The tunnel remains secure and your server remains secure.

I use Juniper Netscreen IPsec and over more than a decade never had any issues with split tunneling. It will solve your problem neatly.

You can experiment with your network cards and give a high metric to the tunnel and low metric to the other card. That may do what you want. Metrics are in the Advanced Properties of the NIC configuration.
0
bejhan (Author) commented:
Thanks for the reply, John.

You are saying that IPSec VPN has split tunneling built in? It's not something that has to be enabled on the server side?

Can you explain the effect of the metric configuration?
0
John (Business Consultant, Owner) commented:
With respect to the first question, if you are using a Fortigate client, there is probably an option in the client for split tunneling. There is Juniper client software and NCP Secure Entry software.

With respect to Metrics, go to the Properties of the Network Card (Right click on the connection and select Properties), go to IPv4 and click on properties. In the General tab, click on Advanced and Metric is at the bottom. Default is Automatic, but you can change it.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Split tunneling is NOT part of IPSec VPN; that is misinformation. IPSec VPN just does the encryption and authentication and allows for exchange of "protected" or "interesting" networks - still just an info, though.

Split tunneling is then done at a higher network level - in the client's driver. There are virtual NIC drivers filtering for allowed networks, ignoring any routing but the necessary one for the (encrypted) VPN stream.
There are other drivers which just act as additional NICs. Those can be "fooled" by using routing, metrics, changing gateways etc.

I, for myself, do not consider split tunneling unsafe. If my client PC is infected, it is, and not having split tunneling does not change that. Attacking software often sits in the background to collect interesting info for sending later, and that still works without split tunneling.
Yes, it is true that it is easier to get attacked if the Internet is used without much care while being connected. But if you know your clients well, it might be worth it. If you don't, you still have the option to switch on split tunneling for dedicated users - it is just some more effort on the VPN device to keep different dial-in configs available, but no real obstacle. IMHO you should always have a privileged login available anyway.

The FortiGate client supports split tunneling. I can only look up the SSL client, and there is no client option; I assume it is the same for the IPSec client. Only the server can set up (= allow) split tunneling then.
0
John (Business Consultant, Owner) commented:
Split tunneling is NOT part of IPSec VPN; that is misinformation.  <-- Yes. I was merely saying that all the IPsec clients I have used offer split tunneling. I don't use Fortigate however.
0
bejhan (Author) commented:
> The FortiGate client supports split tunneling. I can only look up the SSL client, and there is no client option; I assume it is the same for the IPSec client. Only the server can set up (= allow) split tunneling then.
As you suggested, I could not find an option for split tunneling in Forticlient.

> Split tunneling is then done at a higher network level - in the client's driver. There are virtual NIC drivers filtering for allowed networks, ignoring any routing but the necessary one for the (encrypted) VPN stream.
> There are other drivers which just act as additional NICs. Those can be "fooled" by using routing, metrics, changing gateways etc.
How can I determine which implementation I'm dealing with?
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Set a route for a working address with a non-working gateway (e.g. your local router). If you can still ping that address, the client does not intercept traffic.
0
bejhan (Author) commented:
> Set a route for a working address with a non-working gateway (e.g. your local router). If you can still ping that address, the client does not intercept traffic.

I added a route to an IP address on my work network through my local router gateway for both my actual NIC and my virtual NIC.

ROUTE ADD 198.161.247.176 MASK 255.255.255.255 192.168.0.1 IF 21
ROUTE ADD 198.161.247.176 MASK 255.255.255.255 192.168.0.1 IF 11

However, I could no longer ping the IP address.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
I forgot you cannot have access to your local network ATM. Or am I mistaken? Does a ping work, but no file or printer access?
0
John (Business Consultant, Owner) commented:
See if this Fortigate link helps you with Split Tunneling.

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36253

All I have to do (different clients) is to enable it. No special routing required.
0
bejhan (Author) commented:
I did a little experimentation to give you better answers. Here are my findings:
I can access other Windows computers on my network by name (ping and file share).
I can't access other Windows computers on my network by IP (ping).
Other Windows computers on my network can access me by name (ping and file share).
Other Windows computers on my network can't access me by IP (ping).
SMB clients (ES File Explorer for Android, OpenELEC for Raspberry Pi, Patriot Box Office) on my network can't access me (file share).

My goal is to allow my SMB clients to access my file shares while connected to VPN.
0
bejhan (Author) commented:
> See if this Fortigate link helps you with Split Tunneling.
This article indicates that server changes are necessary.
0
John (Business Consultant, Owner) commented:
Fortigate is very different from the (more or less standard) stuff I use. Try changing it at the server. As we have both pointed out, split tunneling does not increase your risk.
0
bejhan (Author) commented:
I think the fact that my Windows machines are still accessible via name indicates the split tunnelling is already occurring in some form, doesn't it?

Also, I do not have complete control over the server. I will have to get this change approved by my IT manager which may not happen.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Hold on. Your details above essentially say that access by IP does not work, but by name it does. That is something strange, and cannot be related to the VPN client blocking generic access. Maybe a bug.
0
John (Business Consultant, Owner) commented:
Accessible by Name and not IP is indeed strange. Normally it is the other way around and that would reflect DNS issues.

Split Tunneling was only to address your first post (connection outside of the tunnel).
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
After doing some research, I'm still clueless. I cannot imagine what should cause the behaviour you describe. Because of that, my next step would be to run a network capture (with MS NetMon or Wireshark), best on both your machine and another local PC simultaneously, and then record the exchange.
0
bejhan (Author) commented:
I had not done enough experimentation when I first posted and falsely generalized my problem.
I am also quite surprised as to being able to access by name but not by IP.

It seems that host name resolution is occurring through IPv6 instead of IPv4.
C:\Users\Bejhan>ping nilam-pc

Pinging Nilam-PC [fe80::c81b:13d1:b7c7:354b%11] with 32 bytes of data:
Reply from fe80::c81b:13d1:b7c7:354b%11: time=2ms
Reply from fe80::c81b:13d1:b7c7:354b%11: time=3ms
Reply from fe80::c81b:13d1:b7c7:354b%11: time=2ms
Reply from fe80::c81b:13d1:b7c7:354b%11: time=2ms

Ping statistics for fe80::c81b:13d1:b7c7:354b%11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

0
John (Business Consultant, Owner) commented:
Most internal networks are still using IPv4. Make sure your NICs are using IPv4. I have never seen a need to disable IPv6, but you might try disabling it, temporarily, to see if that helps.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
That makes more sense - IPv6 works, IPv4 does not. Of course you are certain that it works without having the VPN connection established?
0
bejhan (Author) commented:
Yes, IPv4 works when VPN is not connected.
C:\Users\Bejhan>ping nilam-pc

Pinging nilam-pc [192.168.0.57] with 32 bytes of data:
Reply from 192.168.0.57: bytes=32 time=839ms TTL=128
Reply from 192.168.0.57: bytes=32 time=841ms TTL=128
Reply from 192.168.0.57: bytes=32 time=2ms TTL=128
Reply from 192.168.0.57: bytes=32 time=4ms TTL=128

Ping statistics for 192.168.0.57:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 841ms, Average = 421ms

So I guess this means the solution is to somehow enable IPv6 on the SMB clients (if they even support it)?
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Is 198.161.247.176 really a private address of the remote network? Your local network is 192.168.0.0/24, which often conflicts with office or SOHO networks.
0
bejhan (Author) commented:
> Is 198.161.247.176 really a private address of the remote network?
Yes, it is; the remote network has addresses under both the 10.0.0.x and 198.161.247.x subnets.
> Your local network is 192.168.0.0/24, which often conflicts with office or SOHO networks.
Could this be the reason that IPv4 does not work when connected?
0
John (Business Consultant, Owner) commented:
the remote network has addresses under both the 10.0.0.x and 198.161.247.x subnets  <-- Why? Seems a bit complicated.
0
bejhan (Author) commented:
It is indeed complicated and sometimes causes issues. Our last network admin transitioned most of the network to the 10.0.0.x subnet but left some servers on the 198.161.247.x subnet. He then took another job leaving us in this purgatory. We now have a new network admin, so hopefully he will move us completely to the 10.0.0.x subnet.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Your local network is only an issue if the office VPN pushes a route for this network. Check your routing table while connected, and compare with while unconnected. Anything obvious, e.g. two 192.168.0.0/24 routes?
0
bejhan (Author) commented:
Connected to VPN:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Bejhan>route print
===========================================================================
Interface List
 11...e8 40 f2 c3 37 8b ......Intel(R) 82574L Gigabit Network Connection
 21...00 09 0f fe 00 01 ......Fortinet virtual adapter
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.180     30
          0.0.0.0          0.0.0.0         10.5.6.2         10.5.6.1     20
         10.5.6.0    255.255.255.0         On-link          10.5.6.1    276
         10.5.6.1  255.255.255.255         On-link          10.5.6.1    276
       10.5.6.255  255.255.255.255         On-link          10.5.6.1    276
    96.53.114.130  255.255.255.255      192.168.0.1    192.168.0.180     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.180    266
    192.168.0.180  255.255.255.255         On-link     192.168.0.180    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.180    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.180    266
        224.0.0.0        240.0.0.0         On-link          10.5.6.1    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.180    266
  255.255.255.255  255.255.255.255         On-link          10.5.6.1    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 21    276 fe80::/64                On-link
 21    276 fe80::24a3:c634:b930:d61a/128
                                    On-link
 11    266 fe80::2cbf:c457:25c2:5a6b/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 21    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Not connected:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Bejhan>route print
===========================================================================
Interface List
 11...e8 40 f2 c3 37 8b ......Intel(R) 82574L Gigabit Network Connection
 21...00 09 0f fe 00 01 ......Fortinet virtual adapter
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.180     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.180    266
    192.168.0.180  255.255.255.255         On-link     192.168.0.180    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.180    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.180    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.180    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 11    266 fe80::2cbf:c457:25c2:5a6b/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

0
bejhan (Author) commented:
I may be mistaken but wouldn't the following cause all traffic to pass through the VPN (due to metric of VPN gateway being higher than that of local gateway)?
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.180     30
          0.0.0.0          0.0.0.0         10.5.6.2         10.5.6.1     20

0
John (Business Consultant, Owner) commented:
Does your Fortinet local end terminate in only one IP range? It should, I think.

Remote Internal IP -> Remote External IP -> Internet <- Local External IP <- Local Internal IP range (for multiple devices).

Again your setup seems really complicated.
0
bejhan (Author) commented:
I tried lowering the metric for the 0.0.0.0 for my local gateway but it just resulted in loss of all connectivity.

> Does your Fortinet local end terminate in only one IP range?
I believe it is always 10.5.6.x.
0
John (Business Consultant, Owner) commented:
So then what does the 192 subnet have to do with the VPN?
0
bejhan (Author) commented:
Nothing, it is my local network subnet.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The default route redirects all traffic to the FortiGate. But as your local route is more specific, it is used in preference (despite the high metric). The metric is used only for exactly the same target range (same route but different gateway).
I don't think it helps, but it is worth a try. Define two routes for Internet traffic:
  0.0.0.0 mask 128.0.0.0 192.168.0.1
  128.0.0.0 mask 128.0.0.0 192.168.0.1
0
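The longest-prefix rule Qlemo describes, and his earlier suggestion to compare the routing table connected versus unconnected, worked through in code. This is an added example written for this page, not code any participant posted. It implements the selection rule itself (longest prefix first, metric only as a tie-break), so it shows what the routing table alone would decide, not what the Fortinet driver does to the packet afterwards. The route rows are transcribed (abridged) from the two route print outputs above, the two /1 routes are the pair proposed in the comment just above, and the function names are this example's own.

```python
"""Longest-prefix lookup and connected/unconnected diff over Windows route tables.

Added example for this thread, not code posted by any participant.  The
route rows are transcribed (abridged) from the two ``route print`` outputs
above; HALF_DEFAULTS is the pair of routes Qlemo proposes.  Function names
are this example's own.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str     # next-hop address, or the literal "On-link"
    interface: str   # address of the local interface the route uses
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep the five-column 'Active Routes' rows of an IPv4 route table.

    Header, separator and IPv6 rows either have a different column count or
    fail to parse as an address/netmask pair, so they are skipped.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, interface, metric = parts
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Select the route an IP stack uses for ``destination``.

    The longest matching prefix always wins; the metric only breaks ties
    between routes of equal prefix length.  That is why the on-link
    192.168.0.0/24 route (metric 266) beats both default routes (20 and 30).
    """
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def added_by_vpn(connected: List[Route],
                 unconnected: List[Route]) -> Set[Tuple[str, str, str]]:
    """Routes that exist only while the tunnel is up, as (network, gateway, interface).

    Metrics are deliberately ignored so a route whose metric merely changed
    (the local default goes from 10 to 30) is not reported as new.
    """
    def key(r: Route) -> Tuple[str, str, str]:
        return (str(r.network), r.gateway, r.interface)
    return {key(r) for r in connected} - {key(r) for r in unconnected}


# Transcribed from the "Connected to VPN" table above (loopback, multicast
# and broadcast rows omitted).
CONNECTED = parse_route_print("""
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.180     30
          0.0.0.0          0.0.0.0         10.5.6.2         10.5.6.1     20
         10.5.6.0    255.255.255.0         On-link          10.5.6.1    276
    96.53.114.130  255.255.255.255      192.168.0.1    192.168.0.180     10
      192.168.0.0    255.255.255.0         On-link     192.168.0.180    266
""")

# Transcribed from the "Not connected" table above, same rows omitted.
UNCONNECTED = parse_route_print("""
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.180     10
      192.168.0.0    255.255.255.0         On-link     192.168.0.180    266
""")

# The two /1 "half default" routes proposed in the comment above; each is more
# specific than 0.0.0.0/0, so together they outrank both default routes.
HALF_DEFAULTS = parse_route_print("""
          0.0.0.0        128.0.0.0      192.168.0.1    192.168.0.180     10
        128.0.0.0        128.0.0.0      192.168.0.1    192.168.0.180     10
""")


def describe(routes: List[Route], destination: str) -> str:
    """One-line summary of which route wins for ``destination``."""
    r = lookup(routes, destination)
    if r is None:
        return f"{destination}: no route"
    return (f"{destination}: {r.network} via {r.gateway} "
            f"on {r.interface} (metric {r.metric})")


if __name__ == "__main__":
    print(describe(CONNECTED, "192.168.0.57"))        # local PC: on-link /24 wins
    print(describe(CONNECTED, "198.161.247.176"))     # work host: /0 tie, metric 20 wins
    print(describe(CONNECTED + HALF_DEFAULTS, "198.161.247.176"))  # /1 steers it to the LAN gateway
    for entry in sorted(added_by_vpn(CONNECTED, UNCONNECTED)):
        print("added by VPN:", entry)
```

Run stand-alone, it shows that 192.168.0.57 stays on the local NIC whatever the two default routes' metrics are, that 198.161.247.176 reaches the tunnel gateway 10.5.6.2 only because both /0 routes tie on prefix length and the tunnel's metric of 20 is lower, and that the two /1 routes would steer that same address to 192.168.0.1. The thread reports that adding them cost all connectivity, which is the observation Qlemo reads as the driver filtering traffic rather than merely taking part in routing.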
bejhan (Author) commented:
Adding those routes resulted in loss of all connectivity.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Then the FortiGate driver applies filtering, and you have to stop it to do so - by enabling split tunneling.
0
bejhan (Author) commented:
I looked at the server VPN configuration and saw no such option. Maybe I was looking in the wrong place. Either way I'll have to get the change approved.

I suppose my alternative is having my SMB clients use IPv6.
0
bejhan (Author) commented:
My solution is to run my VPN client inside of a VM.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
That is a workaround, no solution ;-).
0
bejhan (Author) commented:
In the absence of a solution, the workaround acts as such. Using a VM also solves another nuisance, the necessity to disable torrents before connecting to VPN.

I will still award you guys points because I really appreciate your efforts in trying to solve this difficult problem.
0
bejhan (Author) commented:
No client-side solution could be found; the only option I was left with was my workaround.
0