
Author
DamianLozano
Bronze Member
2019/09/09 11:42:02 (permalink)

IPsec VPN (FortiClient), with split tunneling, communicate in both directions

Hello,
 
I tried several VPN settings and had a lot of problems with all of them.
The requirements are many:
* Navigate through the local gateway (split tunneling)
* Communicate from LAN to remote clients
* Communicate from remote clients to LAN
 
I finally created a VPN for FortiClient, following the wizard and using split tunneling.
From the FortiGate, I can ping everything.
From a remote device, I can ping a local device.
From a local device, I cannot ping a remote device.
 
The wizard just created a rule for me which allows traffic from VPN clients to local clients, with NAT enabled.
I created the reverse rule to allow everything from LAN to VPN clients (using the VPN interface as the outgoing interface and the VPN range as destination addresses). I tried with and without NAT, just in case; still the same: pings to remote devices never return.
 
Any idea?
Thanks in advance.
Regards,
Damián
#1
orani
Silver Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/09 12:01:49 (permalink)
Maybe I am wrong, but remote devices do not have a gateway, so the answer cannot be routed.
#2
DamianLozano
Bronze Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/09 12:11:15 (permalink)
Hello and thanks,
 
Is there another way to accomplish the 3 requirements between a Windows device and a FortiGate?
* Navigate through the local gateway (split tunneling)
* Communicate from LAN to remote clients
* Communicate from remote clients to LAN

Without split tunneling I will have a gateway, but I will force users to access the Internet from the FortiGate, which is not desired (poor performance; I don't need users in another country to come to my router to open a web page).
With site-to-site VPNs it should work, but I don't have a FortiGate in the remote sites.
 
Any other idea?
Thanks,
Damián
#3
sw2090
Gold Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/10 02:38:27 (permalink)
Check two things:
 
You enabled split tunneling, but did you include the remote subnet? You need to do that because, as Orani and you wrote, with split tunneling you don't have a gateway/default router via the VPN. So you need a route for each subnet or host you want to reach via the VPN.
Best practice, btw, is to create an address group object and put all subnets/hosts you want to be able to reach via the VPN into this group. Then enable split tunneling and set it to this address group.
 
Second: check that you have all required policies! Also mind the order of the policies. FGTs are FIFO for policies. The first one that matches the packet wins :)
#4
DamianLozano
Bronze Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/10 04:57:38 (permalink)
Hello, thanks for your response.
 
What do you mean by "did you include the remote subnet?"
For example, if a remote user (FortiClient user) has 192.168.50.0/24 as his local subnet, should I include this subnet? Where?
It is weird, because maybe I don't know all the subnets the users will connect from with FortiClient.
I have included all local subnets in the split tunneling (in a group).
I also allowed everything between "VPN->Internal1" and "Internal1->VPN".
On the remote PC I get routes for the local network using the IP on the VPN adapter, and this IP is reachable.
I will check with other VPNs maybe.
 
Thanks
Regards
Damián
#5
sw2090
Gold Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/10 23:44:51 (permalink)
I meant what you already have.
I never had this case myself. I mean, I do have various IPsec tunnels with dial-up FortiClient and split tunneling and several local subnets, but I never needed to communicate from local to VPN client.
To just be able to get a ping reply or so, you just need a route and policy for the direction VPN => local subnet.
I don't need local clients to communicate with VPN clients.
#6
DamianLozano
Bronze Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/13 07:31:59 (permalink)
OK, I did not find a way to accomplish this.
I am now trying to create an L2TP+IPsec tunnel on another device (not Fortinet) inside the local network.
So I need to forward all L2TP+IPsec traffic to the local IP.
I think I should redirect UDP ports 500, 1701 and 4500 (no problem with this).
I also need to redirect all ESP/AH protocol traffic, which I think is neither TCP nor UDP (a different protocol).
How do I redirect this protocol?
 
Thanks
Regards
Damián
post edited by DamianLozano - 2019/09/13 08:12:20
#7
DamianLozano
Bronze Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/19 12:23:55 (permalink)
OK, I just realized the following:
- With the SSL VPN for FortiClient, if I disable split tunneling, it works: I can access from remote to local computers and from local to remote computers.
- When I re-enable split tunneling, I stop being able to ping from local to remote computers; I can still ping from remote to local computers.
- I tried selecting many options in "Accessible networks" in the split tunnel section, no luck.
- It is still required to navigate through the local gateway.

Does anyone know what could be happening here?
Is there another way besides split tunneling?
I appreciate any help.
 
Regards,
Damián
#8
DamianLozano
Bronze Member
Re: IPsec VPN (FortiClient), with split tunneling, communicate in both directions 2019/09/30 10:36:17 (permalink)
Hello,
I finally solved it by myself.
Solution:
1- Make a FortiClient VPN tunnel following the wizard (this creates an interface-based VPN)
2- Enable split tunnel during the wizard
3- Set an IP on the VPN interface (in the same subnet as the VPN clients, different from each other) through the CLI, because the interface does not show in System -> Network -> Interfaces
4- Set remote-ip on the VPN interface, also by CLI (same as the IP address)
5- The wizard creates 1 rule for VPN -> Internal; I needed to create the reverse rule: Internal -> VPN
6- Added a blackhole route to the VPN clients' subnet with low priority

The 6th step solved the issue; with this I can access remote devices from the local network too.
With this I could accomplish my 3 requirements: access through the VPN in both directions and navigate through the local gateway.
 
 
#9
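The six steps of the solution above, written out as a FortiOS CLI fragment. This is an added reconstruction, not configuration posted in the thread: the tunnel name FCT_VPN, the wan1 and internal1 interfaces, the LAN_internal1 address object and the 10.212.134.0/24 client pool are assumed, and "low priority" in step 6 is read as the least-preferred route (in FortiOS a higher distance or priority value is less preferred).

```fortios
# Steps 1-2: the dial-up phase1 the wizard creates, with split tunneling
# restricted to the LAN address object (an address group works the same way)
config vpn ipsec phase1-interface
    edit "FCT_VPN"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set ipv4-split-include "LAN_internal1"
    next
end
# Steps 3-4: tunnel interface IP and remote-ip, in the client subnet; only
# reachable via CLI (assumed FortiOS 5.6+, where remote-ip takes a netmask)
config system interface
    edit "FCT_VPN"
        set ip 10.212.134.1 255.255.255.255
        set remote-ip 10.212.134.1 255.255.255.0
    next
end
# Step 5: the reverse policy Internal1 -> VPN, with NAT left disabled
config firewall address
    edit "VPN_clients"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
config firewall policy
    edit 0
        set name "Internal1_to_VPN"
        set srcintf "internal1"
        set dstintf "FCT_VPN"
        set srcaddr "LAN_internal1"
        set dstaddr "VPN_clients"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Step 6: blackhole route for the whole client subnet, least preferred so
# it only catches traffic no more specific route claims
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

After applying it, `diagnose sniffer packet FCT_VPN 'icmp'` while pinging a connected client from the LAN shows whether the echo request now leaves via the tunnel interface.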