- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IKEv2 Dialup VPN - Split Tunnel doesn't work becau...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IKEv2 Dialup VPN - Split Tunnel doesn't work because route to internal LAN isn't pushed to
Hi,
I set up IKEv2 dialup VPN on a Foritgate 92D Cluster to enable remote users to connect to our enterprise network. Remote users are using native Windows IKEv2 VPN Clients. The tunnel can be established successfully on Windows 7/8/10.
Clients are only able to connect to our on premise internal LAN if they check the box "Use default gateway on remote network" in the VPN clients settings. If the box is unchecked, clients do not get an entry in the local routing table to the on premise internal LAN.
According to this article (http://kb.fortinet.com/kb...do?externalID=FD36253) I have to enable ipv4-split-include in phase 1 settings of the VPN interface. Although I set this parameter and referenced our internal LAN, the Route doesn't get pushed to clients.
My current settings are:
FG1 (ikev2-p1) # show config vpn ipsec phase1-interface edit "ikev2-p1" set type dynamic set interface "internal2" set ike-version 2 set authmethod signature set mode-cfg enable set ipv4-dns-server1 192.168.0.1 set ipv4-dns-server2 192.168.0.2 set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256 set dhgrp 2 14 15 set eap enable set eap-identity send-request set authusrgrp "IKEv2VPN" set certificate "cert" set ipv4-start-ip 10.64.3.1 set ipv4-end-ip 10.64.3.253 set ipv4-netmask 255.255.255.0 set ipv4-split-include "internalLAN" next end
FG1 # show firewall address internalLAN config firewall address edit "internalLAN" set uuid 4c70eafe-5e40-51e6-bee4-80c54cccf955 set subnet 192.168.0.0 255.255.255.0 next end
After establishing a VPN connection, a client is assigned and IP address as well as the DNS server according to phase 1 configuration:
IPv4 Address. . . . . . . . . . . : 10.64.3.3(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.255 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 192.168.0.1 192.168.0.2
The routing table (extract):
Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.40 20 10.0.0.0 255.0.0.0 On-link 10.64.3.3 11 10.64.3.3 255.255.255.255 On-link 10.64.3.3 266 10.255.255.255 255.255.255.255 On-link 10.64.3.3 266 Public IP Fortigate 255.255.255.255 192.168.178.1 192.168.178.40 21 192.168.178.0 255.255.255.0 On-link 192.168.178.40 276 192.168.178.40 255.255.255.255 On-link 192.168.178.40 276 192.168.178.255 255.255.255.255 On-link 192.168.178.40 276
Whats odd about the routes is:
- network should be 10.64.3.0/24 instead of 10/8, as well as the broadcast address accordingly - no route to internal LAN 192.168.0.0/24
Conclusion:
Some of the phase1-interface's settings are applied to the clients (DNS server), some are applied in a "wrong" manner (network and broadcast address of the remote assigned ip addresses) and some are not applied at all (route to on premise LAN).
Any help on how to troubleshoot and resolve this issue is greatly appreciated.
Edit: using Fortigate 5.4.1
Edit:
If I'm using the GUI to enable split tunneling for this IPSec Tunnel, it tries to look up addressesn, but it is stuck at "processing" forever.
0 REPLIES 0
Related Posts
- Automatically Ban Malicious Inbound IPs using... 14 Views
- Cisco Trunk port to Fortiswitch 15 Views
- Geo location issue - Internal server... 136 Views
- Root Cause of Red Down Arrow... 73 Views
- ipv6 - internal lan interface cannot... 186 Views
Labels
-
FortiGate
6,446 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
326 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.