VPN for Windows Clients with local Internet browsing

Author: DamianLozano
2019/04/09 08:12:41
Hello everyone!
 
I hope someone can help me with this:
I have an L2TP+IPsec VPN (dial-up) configured on a Forti and Windows clients are connecting fine.
I want these Windows clients to be able to use the Internet through their local default gateways; I don't want the clients to browse through the remote Fortinet.
Is it possible to create a VPN which I can use to connect from Windows to the remote network through the Forti while keeping the same local gateways?
 
Thanks in advance.
Regards,
 
#1

15 Replies

    SecurityPlus
    Re: VPN for Windows Clients with local Internet browsing 2019/04/10 02:23:29
    Have you considered split tunneling?

    Here is an article about the technology:
    https://kb.fortinet.com/k....do?externalId=FD36253

    FWF30E, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D
    FortiOS 5.2, 5.4, 5.6, and 6.0
    FortiSwitch FS-224E-POE
    FAP-221E, FAP-221C
    #2
    DamianLozano
    Re: VPN for Windows Clients with local Internet browsing 2019/04/10 07:50:31
    Thanks a lot,
    It seems it is what I need.
    I need some time to configure it.
    Regards
    #3
    DamianLozano
    Re: VPN for Windows Clients with local Internet browsing 2019/04/25 04:51:20

    Hello,
     
    I used this link to set up a new VPN.
    The VPN was created, but when I look at the VPN properties, in the Network section there is a field named "Accessible Networks", which is in the "Split tunnel" part; this field does not show anything, just a little circle as if it were searching for something.
    I uploaded a screenshot to Google Photos but it seems that is not supported here.
    I used the CLI to remove the "Accessible Networks" entry, but when I try to add a network nothing appears; it only allows me to add a new network/IP range. I tried to create a new address object but it does not appear as selectable either.
     
    Any Idea?
     
    Thanks in advance
    Regards!
    #4
    sw2090
    Re: VPN for Windows Clients with local Internet browsing 2019/04/25 07:11:33
    Yes, if you enable split tunneling you can enter into Accessible Networks either the network you want or even a group of networks using address objects. Then, upon connecting the VPN with FortiClient (or whatever you use), you get a network route for each of these networks. Your default route will not be touched, so you will have Internet access as you have without the VPN and be able to reach the remote networks.
     
    Without split tunneling the VPN will change your default route to the remote FGT upon connecting, to enable you to get further.
     
    #5
    sw2090
    Re: VPN for Windows Clients with local Internet browsing 2019/04/25 07:13:26
    Did you use the wizard? Then you might have to convert your VPN to a normal tunnel to have all options available.
     
    #6
    DamianLozano
    Re: VPN for Windows Clients with local Internet browsing 2019/05/21 12:52:33
    Hello,
    I tried to change the VPN to custom, but it is still the same:
    in "Accessible networks" a circle with spinning dots appears.
     
    Regards
    #7
    DamianLozano
    Re: VPN for Windows Clients with local Internet browsing 2019/07/15 13:41:51
    Hello,
    I have created the same VPN on another Forti as in:
    https://kb.fortinet.com/kb/viewContent.do?externalId=FD36253
    I set it to custom.
    I got FortiClient 5.2 for FortiOS 5.2.
    I configured FortiClient with the default parameters, as IPsec.
    I can connect but I cannot use the Internet. I did not add a rule in the Forti to go out to the Internet because I want FortiClient to use the local gateway for Internet access.
    Here is the config:
    config vpn ipsec phase1-interface
        edit "VPN_Fib"
            set type dynamic
            set interface "wan1"
            set mode aggressive
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256
            set comments "VPN: VPN_Fib (Created by VPN wizard) For IP telephony use from Chile"
            set xauthtype auto
            set authusrgrp "VPN-Users"
            set ipv4-start-ip 172.20.5.64
            set ipv4-end-ip 172.20.5.70
            set ipv4-netmask 255.255.252.0
            set dns-mode auto
            set ipv4-split-include "-Clients172"
            set save-password enable
            set psksecret ENC JS+5e/6wwAFQk7sDdTBv9/ZGrZcZzVyErqo3YGwehXeDNXZNHnqqeVHB0NgAlNCKezaOjXHB1gOGwQaJyLxBr+FpNvcEPFyFWhbAQ9g+H79LfTMd67wiMV1uUxNpfKUd5ctlp6t4wrs/hodnVto5DkEs2pP4vdU4hXDScqFmFKReQWr155Fjn0xd/e9u0DTjd/5MGQ==
        next
    end
    Any idea?
    Thanks in advance
    Regards
    #8
    DamianLozano
    Re: VPN for Windows Clients with local Internet browsing 2019/07/16 06:35:03
    I realised that when I connect to the VPN, the default route (0.0.0.0/0) for the VPN on the Windows clients has metric 1.
    I change the metric in the IPv4 settings, but it is set back to 1 automatically the next time I connect.
    I think this is the problem.
     
    Any Idea?
    Thanks in advance
    #9
    sw2090
    Re: VPN for Windows Clients with local Internet browsing 2019/07/16 23:39:41
    Without split tunneling your default route will be changed to the VPN once you connect and reverted when the VPN disconnects again.
     
    #10
    DamianLozano
    Re: VPN for Windows Clients with local Internet browsing 2019/07/17 04:48:05
    But split tunneling is enabled.
    I followed https://kb.fortinet.com/kb/viewContent.do?externalId=FD36253
     
    #11
    mr_vaughn
    Re: VPN for Windows Clients with local Internet browsing 2020/04/01 18:37:05
    It is called "split tunnel". You specify the IP subnets that are routed across the IPsec VPN to your site, and these get injected into the client upon connection of the IPsec VPN, so traffic is routed either to the Internet or across the VPN.
    In Windows you can see this from CMD by executing "route print".
     
     
    #12
    AlexL
    Re: VPN for Windows Clients with local Internet browsing 2020/04/05 05:59:01
    Hi guys!
     
    I have a similar problem: a set of several networks is included in ipv4-split-include (172.22.0.0/16, 172.25.0.0/16, 172.29.0.0/16 and others), but this does not work; clients (Windows VPN, IKEv2) still get only one route, regardless of whether networks are added to ipv4-split-include or not:
    172.25.0.0 255.255.0.0 On-link 172.25.151.51 36
     
    FortiOS 6.0.9

    What's wrong? How can I change this behavior?
     
    Configured according to the article https://kb.fortinet.com/k....do?externalId=FD36253
    #13
    it@towpt.com
    Re: VPN for Windows Clients with local Internet browsing 2020/04/08 06:55:24
    Hi,
     
    I'm hoping someone can please help me with this related problem.
     
    I have an issue with split-tunnelling on a dialup IPSec VPN.
     
    I have a working configuration which I set up via the wizard. Within that I have enabled split tunnelling and then entered the subnet I would like access to, with appropriate policies.
     
    Clients use FortiClient VPN to connect.
     
    When connected via this VPN tunnel, everything works as it should. Access to the subnet specified above is routed through the VPN tunnel, but anything else goes directly from the remote client. Great.
     
    I have set up another tunnel via the wizard with exactly the same settings, except the accessible subnet. But I had to convert it to a custom configuration as I needed to add a peer ID to distinguish it from the first tunnel (I'm using the same public IP on the FW for both). Although I have split tunnelling configured the same way on this tunnel, all traffic is being routed via the tunnel and not just that to the specified subnet.
     
    I have been checking this over and over and have found that an entry is being added to the routing table on the client:
     
    Net Dest    Netmask    Gateway           Interface         Metric
    0.0.0.0     0.0.0.0    192.168.29.232    192.168.29.231    2
     
    as well as the default gateway, which has a metric of 50.
     
    I have tried deleting this, but this causes the VPN connection to drop completely.
     
    Note, that a similar entry is not added when using the wizard created tunnel that does work.
     
    Please help as this is driving me crazy!
     
    Thanks in advance.
     
    #14
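    The check the posts above do by eye, reading the client's routing table after the tunnel comes up, as an added example that is not code from the thread or from Fortinet: it parses "route print" output, reports whether the tunnel installed a 0.0.0.0/0 route bound to the VPN-assigned address (and whether its metric beats the LAN default, which is what decides where Internet traffic goes), and lists the prefixes that were injected as split-tunnel routes. The two route tables in the block are constructed for the example, modelled on the rows quoted in the posts above; the addresses, the vpn_ifaddr argument (the address the FortiGate assigned to the client) and all function names are assumptions.

```python
# Added example, not from the thread: classify a Windows VPN connection as
# full or split tunnel from `route print` output. The sample tables below are
# constructed for the example, modelled on the rows quoted in the posts.
import ipaddress
import re
from dataclasses import dataclass

# One row of the IPv4 "Active Routes" table: destination, netmask, gateway, interface, metric.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(On-link|{IPV4})\s+({IPV4})\s+(\d+)\s*$")


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str      # "On-link" or the next-hop address
    interface: str    # address of the local interface the route is bound to
    metric: int


def parse_route_print(text):
    """Return the IPv4 routes in `route print` output; headers and IPv6 rows are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def analyze(routes, vpn_ifaddr):
    """vpn_ifaddr is the address the gateway assigned to the client (the Interface
    column of the tunnel's routes). A 0.0.0.0/0 row bound to it means the client
    was handed a full tunnel; if that row's metric beats the LAN default, Internet
    traffic leaves through the VPN. Every other prefix bound to the VPN address
    (own host route, multicast and broadcast excluded) is an injected split route."""
    defaults = [r for r in routes if r.dest.prefixlen == 0]
    vpn_default = min((r for r in defaults if r.interface == vpn_ifaddr),
                      key=lambda r: r.metric, default=None)
    lan_default = min((r for r in defaults if r.interface != vpn_ifaddr),
                      key=lambda r: r.metric, default=None)
    own_host = ipaddress.IPv4Network(f"{vpn_ifaddr}/32")
    injected = sorted(
        {r.dest for r in routes
         if r.interface == vpn_ifaddr and r.dest.prefixlen != 0
         and r.dest != own_host and not r.dest.is_multicast
         and r.dest.network_address != ipaddress.IPv4Address("255.255.255.255")})
    via_vpn = vpn_default is not None and (lan_default is None
                                           or vpn_default.metric <= lan_default.metric)
    return {
        "mode": "full-tunnel" if vpn_default is not None else "split-tunnel",
        "internet_via": "vpn" if via_vpn else "lan",
        "vpn_default_metric": vpn_default.metric if vpn_default else None,
        "lan_default_metric": lan_default.metric if lan_default else None,
        "injected": [str(n) for n in injected],
    }


# Constructed: the tunnel added 0.0.0.0/0 on the VPN interface with metric 2 beside the LAN default.
FULL_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.29.232  192.168.29.231      2
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     50
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    306
   192.168.29.231  255.255.255.255         On-link   192.168.29.231    257
       172.22.0.0      255.255.0.0         On-link   192.168.29.231     37
"""

# Constructed: a working split tunnel, only the accessible network is injected.
SPLIT_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     50
      192.168.1.0    255.255.255.0         On-link     192.168.1.20    306
    172.25.151.51  255.255.255.255         On-link    172.25.151.51    291
       172.25.0.0      255.255.0.0         On-link    172.25.151.51     36
"""

if __name__ == "__main__":
    print("full ", analyze(parse_route_print(FULL_TUNNEL_TABLE), "192.168.29.231"))
    print("split", analyze(parse_route_print(SPLIT_TUNNEL_TABLE), "172.25.151.51"))
```

    On a real client, paste the output of "route print -4" into parse_route_print and pass the address shown by "ipconfig" for the VPN adapter as vpn_ifaddr. The "mode" key tells you whether the gateway pushed a default route at all (the symptom in the posts above), while "internet_via" shows whether changing the metric, as one poster tried, actually moved Internet traffic back to the LAN.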
    suthomas1
    Re: VPN for Windows Clients with local Internet browsing 2020/04/08 17:52:11
    For split tunneling, under the portal that you have created, set the network addresses that you want to go through the tunnel. One of the mistakes I noticed at a client's site was that they accidentally included 0.0.0.0 in it.
     
    Example below.
     
    config vpn ssl web portal
        edit xyz >>>> name of your portal
            set split-tunneling-routing-address 192.168.100.0/24, 192.168.101.0/24 >>>> addresses that you want through the tunnel
        next
    end
     
    You will need to create these addresses in the address book first to use them in here.
    Importantly, once you have done all this and saved the config, get the users to disconnect from the VPN and reconnect to check.
    "route print" or similar commands, depending on the OS, will help you confirm this.
     
    Hope it helps.
    #15
    it@towpt.com
    Re: VPN for Windows Clients with local Internet browsing 2020/04/09 04:36:50
     
    Update : I have now got this working.
     
    I did have the network addresses specified as @suthomas1 says above.
     
    The issue in my case was actually related to how the network IP range is specified for the Address object.  It appears it must be specified as a "subnet" and not as a "range". 
     
    If this is not the case then appropriate routes are not created in the local routing table when the VPN connection is made.
     
    I hope this helps someone else!
     
     
    #16
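    Putting the two findings together, that an address object in the split-include must be a subnet rather than a range (the post above) and must not be 0.0.0.0/0 (the earlier reply), here is an added example that is not Fortinet's code or anything posted in the thread: a small linter for a FortiGate dial-up phase1. It parses the one-level config/edit/set/next/end syntax as it appears in the posted configs, resolves ipv4-split-include through address groups, and reports range objects, a 0.0.0.0/0 member, objects that do not exist, and mode-cfg left disabled. The sample config it ships with and every object and tunnel name in it are constructed for the example; the mode-cfg check assumes the tunnel uses mode-config, as the posted one does.

```python
# Added example, not Fortinet's code: lint a FortiGate dial-up IPsec phase1 for
# the split-tunnel mistakes this thread ran into. All names are constructed.
import ipaddress
import shlex

def parse_fortios(text):
    """Parse one-level FortiOS CLI into {section: {entry: {key: [values]}}}.
    Nested sub-tables and lines shlex cannot split (a two-line comment) are skipped."""
    tree, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:
            continue
        kw = tokens[0] if tokens else ""
        if kw == "config":
            depth += 1
            if depth == 1:
                section = " ".join(tokens[1:])
                tree.setdefault(section, {})
        elif kw == "end":
            depth -= 1
        elif depth != 1:
            continue
        elif kw == "edit":
            entry = tokens[1]
            tree[section].setdefault(entry, {})
        elif kw == "next":
            entry = None
        elif kw == "set" and entry is not None:
            tree[section][entry][tokens[1]] = tokens[2:]
    return tree

def split_include_members(tree, phase1):
    """Expand ipv4-split-include (an address or group name, groups may nest) to address objects."""
    p1 = tree.get("vpn ipsec phase1-interface", {}).get(phase1, {})
    groups = tree.get("firewall addrgrp", {})
    todo, seen, members = list(p1.get("ipv4-split-include", [])), set(), []
    while todo:
        name = todo.pop(0)
        if name in seen:
            continue
        seen.add(name)
        if name in groups:
            todo.extend(groups[name].get("member", []))
        else:
            members.append(name)
    return members

def lint_split_tunnel(tree, phase1):
    """Return findings for one phase1; an empty list means the split tunnel looks sane."""
    p1 = tree.get("vpn ipsec phase1-interface", {}).get(phase1)
    if p1 is None:
        return [f"phase1 '{phase1}' not found"]
    findings = []
    if p1.get("mode-cfg", ["disable"])[0] != "enable":
        findings.append("mode-cfg disabled: no address, DNS or split-include is pushed")
    members = split_include_members(tree, phase1)
    if not members:
        findings.append("ipv4-split-include empty: the client gets a full tunnel")
    addrs = tree.get("firewall address", {})
    for name in members:
        obj = addrs.get(name)
        if obj is None:
            findings.append(f"{name}: no such address object")
        elif obj.get("type", ["ipmask"])[0] != "ipmask":  # iprange, fqdn, geography, ...
            findings.append(f"{name}: not a subnet object, the client gets no route for it")
        elif ipaddress.IPv4Network("/".join(obj.get("subnet", ["0.0.0.0", "0.0.0.0"])),
                                   strict=False).prefixlen == 0:
            findings.append(f"{name}: 0.0.0.0/0 in the split-include forces a full tunnel")
    return findings

# Constructed sample: the group pulls in a range object and 0.0.0.0/0.
SAMPLE_CONFIG = """\
config firewall address
    edit "Clients172"
        set subnet 172.20.4.0 255.255.252.0
    next
    edit "Clients172-range"
        set type iprange
        set start-ip 172.20.4.1
        set end-ip 172.20.7.254
    next
    edit "all"
        set subnet 0.0.0.0 0.0.0.0
    next
end
config firewall addrgrp
    edit "VPN-Split"
        set member "Clients172" "Clients172-range" "all"
    next
end
config vpn ipsec phase1-interface
    edit "VPN_Fib"
        set mode-cfg enable
        set ipv4-split-include "VPN-Split"
    next
end
"""
```

    Run it with lint_split_tunnel(parse_fortios(SAMPLE_CONFIG), "VPN_Fib") and you get one finding for the range object and one for the 0.0.0.0/0 member; feed it the output of "show firewall address", "show firewall addrgrp" and "show vpn ipsec phase1-interface" concatenated to check a real box. Two-line comments like the one in the posted config are skipped rather than breaking the parse, so the rest of the entry is still read.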