This article provides an example of configuring a dialup IPsec VPN with split tunneling, so that remote clients can securely access the resources of the internal protected network behind FortiGate while browsing the Internet directly through their local gateway.
When a dialup IPsec VPN client connects to the VPN, it effectively becomes a member of the local network behind FortiGate. For this reason all of its traffic, Internet traffic included, has to be forwarded inside the IPsec tunnel to FortiGate, inspected by the respective firewall policies, forwarded to the Internet and then returned to the client through FortiGate. As expected, this adds latency to Internet browsing for a remote VPN client that needs to reach the Internet and the protected network behind FortiGate at the same time.
The solution is split tunneling. This lets remote clients reach the Internet considerably faster, since their Internet traffic is forwarded directly out their local gateway. Of course, it is a valid solution only if inspection of the Internet traffic the clients initiate is neither desired nor required by corporate security policy.
The dialup IPsec VPN can be configured easily with the VPN Wizard. The only difference is that the Enable IPv4 Split Tunnel checkbox must be checked and the internal network must be referenced under Accessible Networks.
config vpn ipsec phase1-interface
    edit "Dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.192
        set dns-mode auto
        set ipv4-split-include "Internal_Network"    /* Local protected network that the remote dial-up IPsec clients reach */
        set save-password enable
        set psksecret ENC XXXXXXXXXXX
    next
end
config vpn ipsec phase2-interface
    edit "Dialup_IPsec_P2"
        set phase1name "Dialup_IPsec"
        set comments "VPN: test (Created by VPN wizard)"
    next
end
config firewall policy
    edit 1
        set uuid c4f880da-82bf-51e4-42f1-07e26a76bba6
        set srcintf "Dialup_IPsec"
        set dstintf "port1"
        set srcaddr "Dialup_IPsec_range"    /* This is the IP address range 10.10.10.1-10 that matches the range configured under the Phase 1 configuration (ipv4-start-ip & ipv4-end-ip) */
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set nat enable
    next
end
config firewall address
    edit "Dialup_IPsec_range"
        set uuid c4f347d2-82bf-51e4-ac01-a18581f0eec8
        set type iprange
        set comment "VPN: Dialup_IPsec (Created by VPN wizard)"
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end
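The three blocks above are easy to read by eye, but on a FortiGate with many dialup phase1 objects the split-tunnel setting and the matching address range are exactly the things that drift. The script below is an added example, not part of this article or of FortiOS: it parses wizard-style CLI output into a dictionary and audits every dynamic phase1 for mode-cfg, ipv4-split-include and a policy srcaddr range that matches the ipv4-start-ip/ipv4-end-ip pool. The embedded config is a constructed sample modelled on the output above, with a placeholder pre-shared key.

```python
import shlex

# Constructed sample modelled on the wizard output above; the pre-shared
# key is a placeholder, not a real secret.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "Dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.192
        set ipv4-split-include "Internal_Network"
        set psksecret ENC PLACEHOLDER_PSK
    next
end
config firewall address
    edit "Dialup_IPsec_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end
config firewall policy
    edit 1
        set srcintf "Dialup_IPsec"
        set dstintf "port1"
        set srcaddr "Dialup_IPsec_range"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into {table: {entry: {key: [values]}}}.

    Handles one level of config/edit/set/next/end, which is all the
    wizard output above uses.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # shlex keeps quoted names like "Guest-group" whole
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = tokens[1]
            tables[table].setdefault(entry, {})
        elif kw == "set":
            tables[table][entry][tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def audit_dialup_split_tunnel(tables):
    """Return {'errors': [...], 'notes': [...]} for every dynamic (dialup) phase1."""
    errors, notes = [], []
    addresses = tables.get("firewall address", {})
    policies = tables.get("firewall policy", {})
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != ["dynamic"]:
            continue  # site-to-site phase1s are out of scope
        if p1.get("mode-cfg") != ["enable"]:
            errors.append(f"{name}: mode-cfg is not enabled, so no client IP or split routes are pushed")
        if not p1.get("ipv4-split-include"):
            errors.append(f"{name}: ipv4-split-include is unset, clients will tunnel all traffic")
        pool = (p1.get("ipv4-start-ip", [None])[0], p1.get("ipv4-end-ip", [None])[0])
        for pol_id, pol in policies.items():
            if pol.get("srcintf") != [name]:
                continue
            for addr_name in pol.get("srcaddr", []):
                addr = addresses.get(addr_name, {})
                rng = (addr.get("start-ip", [None])[0], addr.get("end-ip", [None])[0])
                if addr.get("type") == ["iprange"] and rng != pool:
                    errors.append(f"policy {pol_id}: srcaddr {addr_name} {rng} does not match {name} pool {pool}")
            if pol.get("dstaddr") == ["all"] and p1.get("ipv4-split-include"):
                notes.append(f"policy {pol_id}: dstaddr 'all' is wider than the split-include networks; "
                             f"consider restricting it to {p1['ipv4-split-include']}")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    result = audit_dialup_split_tunnel(parse_fortios(SAMPLE_CONFIG))
    for level in ("errors", "notes"):
        for line in result[level]:
            print(f"[{level[:-1]}] {line}")
```

On the sample the audit raises no errors and one note: with split tunneling the clients only send traffic for the included networks into the tunnel, so the wizard's dstaddr "all" on the tunnel-to-LAN policy can usually be narrowed to the same address object used in ipv4-split-include. Feed it the output of `show vpn ipsec phase1-interface`, `show firewall address` and `show firewall policy` to run it against a real unit.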
Verification of Configuration and troubleshooting
Check the configuration as seen by the IKE daemon: diag vpn ike config list
List IKE SAs: diag vpn ike gateway list name <Phase1>
List IPsec SAs: diag vpn tunnel list name <Phase1>
Check the status of all tunnels (equivalent to the GUI VPN monitor): get ipsec tunnel list
Check the routes installed by the IKE daemon (applicable only to dialup IPsec VPN): diag vpn ike routes list
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
!!! OUTPUT OMITTED !!!
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254  192.168.196.62     10   <<< Default route out the local gateway. Dialup IPsec VPN routes are not present, as the client is not connected to the VPN.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254  192.168.196.62     10   <<< The default route out the local gateway is still present in the client's routing table, forwarding Internet traffic out the local gateway.
       10.10.10.0  255.255.255.192         On-link       10.10.10.1    276   <<< Route out the FortiGate gateway, created after the client connects to the VPN.
       10.10.10.1  255.255.255.255         On-link       10.10.10.1    276   <<< Route out the FortiGate gateway, created after the client connects to the VPN.
       10.182.0.0    255.255.252.0       10.10.10.2       10.10.10.1     20   <<< This is the route to reach the remote protected network behind FortiGate.
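The two route tables above are the client-side evidence that split tunneling is working: the default route still points at the local gateway while only the protected network is routed over the tunnel interface. The following script is an added example, not part of this article or of FortiClient: it parses Windows `route print` style output, picks the route the client would actually use (longest prefix, then lowest metric) for an Internet address and for the protected network, and classifies the result as split-tunnel, full-tunnel or not-connected. The embedded tables are constructed samples modelled on the output above, and 203.0.113.1 (a documentation address) stands in for "an Internet destination".

```python
import ipaddress
import re

# Constructed route tables, modelled on the Windows 'route print' output above.
ROUTES_DISCONNECTED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254  192.168.196.62     10
"""

ROUTES_CONNECTED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254  192.168.196.62     10
       10.10.10.0  255.255.255.192         On-link       10.10.10.1    276
       10.10.10.1  255.255.255.255         On-link       10.10.10.1    276
       10.182.0.0    255.255.252.0       10.10.10.2       10.10.10.1     20
"""

# destination, netmask, gateway (may be "On-link"), interface, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_table(text):
    """Return a list of {net, gateway, interface, metric} dicts for the IPv4 rows."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.ip_address(iface)
        except ValueError:
            continue  # header row or a line that is not a route
        routes.append({"net": net, "gateway": gateway,
                       "interface": iface_ip, "metric": int(metric)})
    return routes


def best_route(routes, destination):
    """Longest-prefix match, lowest metric on ties: the route the client would use."""
    candidates = [r for r in routes if destination in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def check_split_tunnel(text, vpn_client_ip, protected_net):
    """Classify how the client would forward Internet and protected-network traffic.

    vpn_client_ip is the address FortiGate assigned from the ipv4-start-ip/end-ip pool;
    protected_net is the network behind FortiGate that ipv4-split-include covers.
    """
    routes = parse_route_table(text)
    vpn_ip = ipaddress.ip_address(vpn_client_ip)
    protected = ipaddress.ip_network(protected_net)
    inet = best_route(routes, ipaddress.ip_address("203.0.113.1"))  # documentation address as Internet stand-in
    lan = best_route(routes, protected.network_address)
    internet_via_vpn = inet is not None and inet["interface"] == vpn_ip
    protected_via_vpn = lan is not None and lan["interface"] == vpn_ip
    if protected_via_vpn and not internet_via_vpn:
        state = "split-tunnel"
    elif protected_via_vpn and internet_via_vpn:
        state = "full-tunnel"
    else:
        state = "not-connected"
    return {"internet_via_vpn": internet_via_vpn,
            "protected_via_vpn": protected_via_vpn, "state": state}


if __name__ == "__main__":
    for label, table in (("before connecting", ROUTES_DISCONNECTED),
                         ("after connecting", ROUTES_CONNECTED)):
        print(label, check_split_tunnel(table, "10.10.10.1", "10.182.0.0/22"))
```

To use it on a live client, pipe the output of `route print -4` into `check_split_tunnel` with the tunnel address shown by FortiClient and the network referenced by ipv4-split-include. A full-tunnel result means a lower-metric default route was installed over the tunnel interface, which is exactly what you see when the split-tunnel checkbox was left unchecked on the FortiGate side.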
Last Modified Date: 04-05-2017 Document ID: FD36253