Dynamic routes for FortiCli IPsec VPN

Author
DamianLozano
Bronze Member
  • Total Posts : 36
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/01/28 11:28:32
  • Status: offline
2020/04/03 13:22:01 (permalink)
0

Dynamic routes for FortiCli IPsec VPN

Hello,
 
I have an IPsec VPN for FortiClient created last year; it was working fine with split-tunnel.
It seems that about 15 days ago, when the quarantine started in Argentina, for some unknown reason, the clients can ping the VoIP router but can NOT ping other VoIP devices in the same subnet.
We don't know what we could do to modify this behavior.
For example:
ping 172.20.35.1 -> successful
ping 172.20.35.160 -> failed
 
With traceroutes to both addresses, the first hop to 172.20.35.1 was 172.20.15.1 (the IPsec VPN interface IP address on the FortiGate), but the first hop for 172.20.35.160 was my local gateway.
 
So I checked the routes on the client side and I realized that I only had a route for 172.20.35.1/32 instead of 172.20.32.0/22.
This route is dynamically created, so the FortiGate is giving this route to the clients. Where can I change this?
 
Thanks in advance.
Regards,
Damián
 
#1

4 Replies

    JuanPabloPWR
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/31 11:59:46
    • Status: offline
    Re: Dynamic routes for FortiCli IPsec VPN 2020/04/05 10:19:35 (permalink)
    0
    Damian, are you from Argentina? I see you have been using FortiGate for a while. I have an issue similar to yours, with the VPN not reaching a network created through a tunnel.
    #2
    ede_pfau
    Expert Member
    • Total Posts : 6267
    • Scores: 526
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Dynamic routes for FortiCli IPsec VPN 2020/04/06 00:41:30 (permalink)
    0
    You can enable "split tunneling" in the FC, and add a route to that subnet. Traffic to this subnet will then always use the tunnel. NOTE: traffic to other destinations, like any host on the internet, will NOT use the VPN anymore! If you want that you have to disable split tunneling (that is, a default route is inserted pointing to the /32 gateway).

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
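    Both the symptom in the first post (172.20.35.1 reachable, 172.20.35.160 not) and Ede's description of what a split-tunnel route changes come down to longest-prefix matching in the client's routing table. The following is an added example written for this thread, not code from either poster or from Fortinet: it models three constructed client route tables (the original one with only the pushed /32, one with the /22 route that a split-tunnel entry for the subnet should install, and a full-tunnel one with a default route into the VPN) and reports which destinations would not use the tunnel interface. The 192.168.1.0/24 LAN, the 203.0.113.10 peer address and the interface labels are assumed sample values; 172.20.15.1 and the 172.20.32.0/22 subnet are taken from the thread.

```python
"""Longest-prefix route lookup: why 172.20.35.1 used the tunnel but 172.20.35.160 did not."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    via: str  # interface label: "vpn" for the FortiClient adapter, "lan" for the local NIC


def parse_routes(text):
    """Parse constructed 'prefix gateway interface' lines; '#' starts a comment."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, gateway, via = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=False),
                            ipaddress.ip_address(gateway), via))
    return routes


def lookup(routes, dst):
    """Pick the most specific matching route, as the client OS does for each packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def tunnel_coverage(routes, destinations, tunnel_if="vpn"):
    """Return (destination, matched prefix) for every destination that would NOT use the tunnel."""
    leaks = []
    for d in destinations:
        r = lookup(routes, d)
        if r is None or r.via != tunnel_if:
            leaks.append((str(d), None if r is None else str(r.prefix)))
    return leaks


# Constructed client tables. 172.20.15.1 is the tunnel interface address from the thread;
# 192.168.1.0/24 and 203.0.113.10 (the FortiGate's public address) are assumed sample values.
BEFORE = parse_routes("""
0.0.0.0/0        192.168.1.1   lan   # local default gateway
192.168.1.0/24   0.0.0.0       lan   # on-link
172.20.35.1/32   172.20.15.1   vpn   # the single /32 the client was being pushed
""")

SPLIT_TUNNEL = parse_routes("""
0.0.0.0/0        192.168.1.1   lan
192.168.1.0/24   0.0.0.0       lan
172.20.32.0/22   172.20.15.1   vpn   # whole VoIP subnet via the tunnel; internet stays local
""")

FULL_TUNNEL = parse_routes("""
203.0.113.10/32  192.168.1.1   lan   # the VPN peer itself must stay reachable outside the tunnel
192.168.1.0/24   0.0.0.0       lan
0.0.0.0/0        172.20.15.1   vpn   # default route into the tunnel: everything else uses the VPN
""")

VOIP_HOSTS = ["172.20.35.1", "172.20.35.160"]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(f"{name}: leaks={tunnel_coverage(table, VOIP_HOSTS)}, "
              f"8.8.8.8 via {lookup(table, '8.8.8.8').via}")
```

    Run it after pasting the client's actual routing table into `parse_routes`, and `tunnel_coverage` lists exactly the hosts that fall through to the local default gateway, which is the quickest way to confirm whether the FortiGate is pushing a subnet route or only a host route.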
    DamianLozano
    Bronze Member
    • Total Posts : 36
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/01/28 11:28:32
    • Status: offline
    Re: Dynamic routes for FortiCli IPsec VPN 2020/04/06 05:59:03 (permalink)
    0
    Hi Juan Pablo,
     
    Yes, I am from Argentina. If you want, tell me what type of VPN you have configured and what the specific problem is, and if I can help you, I will.
     
    Regards,
    Damián
    #4
    DamianLozano
    Bronze Member
    • Total Posts : 36
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/01/28 11:28:32
    • Status: offline
    Re: Dynamic routes for FortiCli IPsec VPN 2020/04/06 06:05:53 (permalink)
    0
    How can I enable "split tunneling" in the FortiClient? It does not have any option to enable it, and the network adapter for FortiClient does not have the option to "use default gateway on the remote network".
    Also, I don't know which gateway I should use for the route.
    I assigned an IP to the VPN interface on the FortiGate, but the FortiGate is not assigning its IP to clients in the dynamic routes; it is assigning the next IP in the pool.
    For example:
    The FortiGate assigns 172.20.15.68 to a client and assigns 172.20.15.69 as the gateway in its routes.
    The FortiGate assigns 172.20.15.69 to a client and assigns 172.20.15.70 as the gateway in its routes.
     
    Any Idea?
    Regards,
    Damián
     
    #5