Hello community,
When using IPsec FortiClient VPN for remote users, how exactly are the routes that get sent to the users down the VPN determined, if for example Split Tunnel is enabled?
In the IPsec Wizard there is a step where we need to input “Local Subnets” and that’s clear at that point. However, I am taking a look at an already configured Remote Access IPsec VPN and both Local and Remote addresses were left as 0.0.0.0/0. So I would think that split tunnel was disabled and all traffic should flow through the VPN, but that is not the case: I connected to that VPN and I’m still using my local Internet provider for internet access, and the route print on my PC shows several routes off the VPN connection that I don’t really know how they got there. Again, the firewall is showing 0.0.0.0/0 for local and remote subnets under phase2.
Any help trying to understand this!!! Thank you all!!!
If it’s not in the VPN config, it may be the dstaddr defined in the firewall policy that permits the inbound IPsec VPN connections. It would be the policy that has the permitted VPN users/groups defined.
Typically, the selectors are left wide-open for remote users. <client’s-ip> → 0.0.0.0/0. Routes to use are advertised in IKEv1/v2 config payloads, via the INTERNAL_IP4_SUBNET option, the content of which is controlled by the “Enable IPv4 Split Tunnel” option in the GUI (phase1 option).
Is there a particular reason for using IPSec for FortiClient VPNs as opposed to SSL VPN? We switched over to SSL a few years ago and I’ve never looked back. So many intermittent compatibility and performance issues, especially with Mac users. There’s more flexibility in general with SSL VPN, and Fortinet techs consider it best practice as well.
It’s been mentioned here but I’d like to clarify.
For IPsec, the phase 2 selectors don’t* have any bearing on the routes pushed to clients. There’s a separate input box for that. If you check the box for “Enable IPv4 Split Tunnel”, another option appears for “accessible networks”. The address object applied there (or the group of address objects) is the route(s) that get pushed to the client.
Another comment mentioned policy destinations. This is only the case for SSL VPN.
*Under almost all circumstances
There’s a setting on the SSL VPN portal page where you can limit VPN user access by subnet. I use split tunnelling as well on SSL VPN and define access this way as well as via the firewall policy for the SSL VPN.
I haven’t tried using unspecified subnets there or 0.0.0.0/0 in the way that you are, but to solve it I’d try defining your destination network(s) as one or more address objects and adding them to that SSL VPN portal as well as the inbound SSL VPN firewall policy and see how that goes.
Routes for the VPN endpoint are built upon connection to the VPN, so reconnect after changes to test results.
Ohhh, so kinda a policy-based VPN??
Not really, it was set that way. I agree with you on SSL 100%.
So from what I remember with FortiClient IPSec VPNs, there is a setting under the VPN itself that references remote subnets. Did you check under that part of the GUI? Maybe you can share redacted configs under vpn-ipsec-phase1-interface….
Idk if you’d call it that. I just know at least with the SSL VPN that the split tunneling definition can be in the VPN settings or the firewall policy for the inbound client connections.
In the CLI, run show vpn ipsec phase1-interface and see if the ipv4-split-include is set for the IPsec config in question.
It’s a route based VPN but without policy you can’t route anywhere past the firewall, if that makes sense.
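Following the advice above to check ipv4-split-include in the phase1-interface output, here is an added helper (not from any poster or from Fortinet) that parses a show vpn ipsec phase1-interface dump and reports, per tunnel, whether clients will get split-tunnel routes, a full tunnel, or nothing. The config text is constructed for the example; the tunnel names, address object and IP ranges are made up, and phase 2 selectors are intentionally ignored because they do not decide the pushed routes.

```python
import re

# Constructed sample of `show vpn ipsec phase1-interface` output (not captured from a real device).
SAMPLE_DUMP = """\
config vpn ipsec phase1-interface
    edit "RA-split"
        set type dynamic
        set mode-cfg enable
        set ipv4-split-include "LAN_subnets"
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
    next
    edit "RA-full"
        set type dynamic
        set mode-cfg enable
        set ipv4-start-ip 10.212.135.200
        set ipv4-end-ip 10.212.135.210
    next
    edit "S2S-branch"
        set remote-gw 203.0.113.5
    next
end
"""

def parse_phase1(dump):
    """Return {tunnel_name: {setting: value}} for each `edit` block in the dump."""
    tunnels, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif (m := re.match(r"set (\S+) (.+)", line)) and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels

def classify(tunnels):
    """Label each tunnel by what phase 1 pushes to dial-up clients (phase 2 selectors are not consulted)."""
    result = {}
    for name, s in tunnels.items():
        if s.get("mode-cfg") != "enable":
            result[name] = "no mode-cfg: nothing is pushed to clients"
        elif "ipv4-split-include" in s:
            result[name] = "split tunnel: pushes routes for " + s["ipv4-split-include"]
        else:
            result[name] = "full tunnel: no ipv4-split-include, all client traffic enters the VPN"
    return result
```

Run it against a real dump by replacing SAMPLE_DUMP with the pasted CLI output; the verdict for each dial-up tunnel tells you which address object (if any) is driving the routes the client shows in route print.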