Technical Note: FortiClient Dialup IPsec VPN (Split Tunneling)
Products
FortiGate v5.0
FortiGate v5.2
FortiGate v5.4
Description
This article provides an example of the configuration of a dialup IPsec VPN with Split Tunneling to allow remote clients to securely access the resources of the internal protected network located behind FortiGate and at the same time, browse Internet directly from their local gateway.

When a dialup IPsec VPN client is connected to a VPN, it is effectively becoming a member of the local network located behind FortiGate. For this reason, all of its traffic (even Internet traffic) has to be forwarded inside the IPsec tunnel to FortiGate, inspected by the respective firewall policies, forwarded to Internet and then back to the client through FortiGate. As expected, this will introduce some amount of latency in Internet Browsing for a remote VPN client that has to access Internet and at the same time the protected network behind FortiGate.

The solution is to use Split Tunneling. This will allow the remote clients to access Internet considerably faster, as Internet traffic will be directly forwarded out their local gateway. Of course, this is a valid solution, only if inspection of Internet traffic that the clients initiate is not desired or imposed by corporate security policies.

Solution
Configuration GUI

The dialup IPsec VPN can be easily configured using the VPN Wizard. The only difference is that Enable IPv4 Split Tunnel checkbox should be checked and the Internal Network should be referenced in the Accessible Networks.

The following videos are available for version 5.0:
  • https://video.fortinet.com/video/45/remote-access-with-ipsec-vpn-using-forticlient (Windows)
  • https://video.fortinet.com/video/66/ipsec-vpn-remote-access-using-ios-5-0 (iOS)
The following videos are available for version 5.2:
  • https://video.fortinet.com/video/128/ipsec-vpn-with-forticlient (Windows)
  • https://video.fortinet.com/video/103/ipsec-vpn-for-remote-ios-users-5-2 (iOS)
Configuration CLI

config vpn ipsec phase1-interface
   edit "Dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set mode-cfg enable
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.192
        set dns-mode auto
        set ipv4-split-include "Internal_Network"     /* Local protected network that the remote dial-up IPsec clients reach */
        set save-password enable
        set psksecret ENC XXXXXXXXXXX
                                                          next
end
config vpn ipsec phase2-interface
    edit "Dialup_IPsec_P2"
        set phase1name "Dialup_IPsec"
        set comments "VPN: test (Created by VPN wizard)"
    next
end

    config firewall policy
    edit 1
        set uuid c4f880da-82bf-51e4-42f1-07e26a76bba6
        set srcintf "Dialup_IPsec"
        set dstintf "port1"
        set srcaddr "Dialup_IPsec_range"            /* This is the IP address range 10.10.10.1-10 that matches the range configured under Phase 1 configuration (ipv4-start-ip & ipv4-end-ip) */
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: Dialup_IPsec (Created by VPN wizard)"
        set nat enable
    next
end

config firewall address
    edit "Dialup_IPsec_range"
        set uuid c4f347d2-82bf-51e4-ac01-a18581f0eec8
        set type iprange
        set comment "VPN: Dialup_IPsec (Created by VPN wizard)"
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end

Verification of Configuration and troubleshooting

FortiGate verification:
  • Check the configuration as it is seen by IKE daemon:diag vpn ike config list
  • List IKE SA : diag vpn ike gateway list name <Phase1>
  • List IPsec SA:  diag vpn tunnel list name <Phase1>
  • Check status of all tunnels (equivalent to GUI VPN monitor):get ipsec tunnel list
  • Check routes which were installed by IKE daemon (applicable only for dialup IPsec VPN):diag vpn ike routes list
---------------------------------------------------------------------------------------------------

Windows host verification:

>>>>> WHEN CLIENT IS NOT CONNECTED TO THE DIALUP IPsec VPN <<<<<

C:\Users\Andreas>ipconfig

!!! OUTPUT OMITTED !!!

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : fortinet-emea.com
   Link-local IPv6 Address . . . . . : fe80::3dff:5375:ff3b:1697%11
   IPv4 Address. . . . . . . . . . . : 192.168.196.62
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.196.254

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

   C:\Users\Andreas>route print  

   !!! OUTPUT OMITTED !!!

   IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254   192.168.196.62     10     <<< Default route out local gateway. Dialup IPsec VPN routes are not present, as the client is not connected to the VPN.

       -------------------------------------------------------------------------------------------------------- 

      >>>>> WHEN DIALUP IPsec VPN CLIENT IS CONNECTED TO THE VPN <<<<<  

   C:\Users\Andreas>ipconfig

!!! OUTPUT OMITTED !!!

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : fortinet-emea.com
   Link-local IPv6 Address . . . . . : fe80::3dff:5375:ff3b:1697%11
   IPv4 Address. . . . . . . . . . . : 192.168.196.62
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.196.254

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::6d4b:6900:1004:360b%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Default Gateway . . . . . . . . . :

   C:\Users\Andreas>route print

!!! OUTPUT OMITTED !!!

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.196.254   192.168.196.62     10     <<< Default route out local gateway, is still present in the routing table of the client, forwarding Internet traffic out the local gateway.
       10.10.10.0  255.255.255.192         On-link        10.10.10.1    276     <<< Route out FortiGate gateway, created after the client connects to the VPN.
       10.10.10.1  255.255.255.255         On-link        10.10.10.1    276     <<< Route out FortiGate gateway, created after the client connects to the VPN.
       10.182.0.0    255.255.252.0       10.10.10.2       10.10.10.1     20     <<< This is the route to reach the remote protected network behind FortiGate.

    
Last Modified Date: 04-05-2017 Document ID: FD36253