VPN for Windows Clients with local internet browsing

Author
DamianLozano
New Member
2019/08/09 11:12:12 (permalink)

Hello, thanks for your help.
 
I have a previous post with the same subject, but I think it is better not to revive the old post.
I have a Fortigate 60D with an old firmware: 5.2.0
Someone gave me the following link; this worked for me, but with FortiClient:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD36253
I would like to know if there is another tutorial to create a VPN for Windows clients instead of FortiClient. I didn't find anything like this on the Internet.
 
Thanks in advance.
Regards,
Damián
 
#1

12 Replies

    orani
    Bronze Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/09 12:11:37 (permalink)
    I have never tried this but what about following the ipsec vpn for windows steps? Creating an IPsec VPN from network & internet settings of windows might work.
    #2
    DamianLozano
    New Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 04:57:52 (permalink)
    Orani, thanks for your response.
    Every time I created an IPSec VPN in the Fortigate, the clients always navigate through the remote Fortigate (with the proper filter rules).
    I think I tried just enabling "Split tunnel", but it never worked.
    If someone has a tutorial, that would be nice.
    I just noticed the following:
    - I have no IPSec template without FortiClient
    - If I select "Custom VPN Tunnel (No Template)", after 2 seconds the Fortigate logs itself out
     
    The "Dialup - Android (Native L2TP/IPsec)" will also work for Windows clients? 
     
    Thanks, regards,
    Damián
    post edited by DamianLozano - 2019/08/12 05:26:57
    #3
    sw2090
    Gold Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 07:25:37 (permalink)
    The FortiGate has to do split tunneling, not the client.
    Without split tunneling ALL traffic will navigate through the FortiGate, since the client (no matter if FortiClient or other) will change your default route.
    With split tunneling enabled and set to a group of networks on the FortiGate, the client will set a network route for each of those networks and leave the default route untouched.
    So internet traffic will navigate the usual way and only traffic to those networks will navigate through the FortiGate.
    This is not a client issue.
    #4
    DamianLozano
    New Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 07:31:59 (permalink)
    Thanks SW2090,
     
    I know that it depends on the Fortigate, sorry if I didn't explain this.
    I just want to know how to configure the Fortigate to accomplish this with an IPSec VPN.
    Which kind of VPN should I create? Should I use a template? Which template?
     
    Thanks
    Regards
    Damián
    #5
    sw2090
    Gold Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 07:37:26 (permalink)
    I cannot tell you. We use ipsec with forticlient but also some OSX Client on Mac. On our FGT it is just set up as standard ipsec tunnel with split tunneling enabled.
    The profile might depend on the vpn client you use...
    #6
    sw2090
    Gold Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 07:39:53 (permalink)
    Alas, I set it up as a dial-up tunnel with the wizard most times, but afterwards it has to be converted to a custom IPsec tunnel to be able to enable and configure split tunneling.
    #7
    DamianLozano
    New Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 08:36:34 (permalink)
    SW2090, thanks for your response.
     
    Sorry, when I create a VPN the following options appear:
    - Dialup - FortiClient (Windows, Mac OS, Android)
    - Site to Site - FortiGate
    - Dialup - iOS (Native)
    - Dialup - Android (Native L2TP/IPsec)
    - Dialup - Cisco Firewall
    - Site to Site - Cisco
    - Custom VPN Tunnel (No Template) 
     
    Which one should I use?
    The last option (Custom VPN Tunnel) is not working because when I select it and click "next", after about 3 seconds the Fortigate automatically logs out.
    Do you know why? Should I use the CLI instead? I think I would need a guide to create it through the CLI.
     
    Thanks in advance.
    Regards
    Damián
    #8
    sw2090
    Gold Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/12 23:15:50 (permalink)
    I use Dialup - Forticlient as profile. 
    You have to convert it to a custom vpn tunnel afterwards because you won't see split tunneling if you don't.
    #9
    DamianLozano
    New Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/13 04:47:05 (permalink)
    Thanks,
    Will converting the VPN to custom allow me to connect from a Windows client without FortiClient?
    This is what I wanted from the beginning.
     
    Regards,
    Damián
    #10
    sw2090
    Gold Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/13 05:21:43 (permalink)
    Hm, it looks as if there are two problems here:
     
    The Windows 10 internal VPN client can only do L2TP over IPsec, but not native IPsec, plus it lacks a lot of options one might need.
    Thus I found a KB article about connecting Windows 10 to a FGT without FortiClient: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44157 .
    Maybe this helps you...
    #11
    DamianLozano
    New Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/13 05:50:20 (permalink)
    Thanks SW2090,
    I will take a look
    #12
    sw2090
    Gold Member
    Re: VPN for Windows Clients with local internet browsing 2019/08/13 07:06:08 (permalink)
    Hm, I took a closer look at this since I am interested in it too.
    In fact you cannot use the FortiGate's split tunneling feature with an L2TP tunnel, and Win10 cannot do native IPsec.
    What you can do is create a VPN as said in the KB article I linked in my last post.
    On your Win10 client you can then afterwards go to the properties of the VPN interface (you see it in the network adapter snap-in of the control panel), then go to Networking and then to Advanced and deselect the checkbox that reads something like "use default gateway" (there is only one fitting *g*). This will prevent your internet traffic from going over the VPN.
     
    If you want to access more than the subnet you used in your VPN, you will have to create the routes on the Win10 client yourself, since you cannot push them like in IPsec. Also, this will require additional policies on your FGT.
     
    you could write a batchfile that does that:
     
    rasdial <vpn> <user> <pass> to connect vpn
    route add <subnet> MASK <netmask> <interfaceip>
     
    You might also need to write one for disconnecting:
     
    rasdial <vpn> /DISCONNECT
    route delete <subnet>
     
    since disconnecting the VPN will not withdraw those routes.
    You need to specify user and pass to rasdial to connect, even if you saved them in your VPN connection.
     
    This worked fine here...
     
    hth
    Sebastian
    #13
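The connect/disconnect batch procedure from Sebastian's post, written here as one added PowerShell script that is not part of the thread. The connection name, the LAN subnets behind the FortiGate and the assumption that the PPP adapter's alias equals the connection name are all assumed values; the script also adds the check a practitioner would want, that the default route did not move onto the tunnel.

```powershell
param(
    [ValidateSet('connect', 'disconnect')] [string] $Action = 'connect',
    [string] $VpnName = 'FGT-L2TP'   # assumed: name of the Windows VPN entry
)
# Assumed LANs behind the FortiGate, as <subnet> = <netmask> for route.exe.
$RemoteSubnets = @{ '192.168.10.0' = '255.255.255.0'; '192.168.20.0' = '255.255.255.0' }

if ($Action -eq 'connect') {
    # Prompt at run time instead of hard-coding the password in the script;
    # rasdial needs user and pass even if they are saved in the connection.
    $cred = Get-Credential -Message "Credentials for $VpnName"
    rasdial $VpnName $cred.UserName $cred.GetNetworkCredential().Password
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

    # IPv4 address Windows assigned to the PPP interface (assumed alias = connection name);
    # route.exe takes it as the gateway, as in the post's "route add ... <interfaceip>".
    $ifIp = (Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4).IPAddress
    foreach ($net in $RemoteSubnets.Keys) {
        route add $net MASK $RemoteSubnets[$net] $ifIp
    }

    # Check that "Use default gateway on remote network" is really off:
    # the 0.0.0.0/0 route must not sit on the VPN interface.
    $vpnDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
        Where-Object InterfaceAlias -eq $VpnName
    if ($vpnDefault) {
        Write-Warning "Default route is on $VpnName: all internet traffic is going through the tunnel"
    }
}
else {
    rasdial $VpnName /DISCONNECT
    # Disconnecting does not withdraw the manual routes, so remove them explicitly.
    foreach ($net in $RemoteSubnets.Keys) { route delete $net }
}
```

The checkbox Sebastian describes can also be cleared from PowerShell before connecting with `Set-VpnConnection -Name $VpnName -SplitTunneling $true` (VpnClient module, assumed available on the client).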