How to Fix Internet connection drops while connecting to a dial-up IPsec VPN from FortiClient

This article describes an issue where the internet connection drops during IPsec negotiation when users connect to a dial-up IPsec tunnel from FortiClient.

Scope

FortiOS, FortiClient.

Solution

This is default behavior: FortiClient blocks all outbound non-IKE traffic during the IPsec negotiation. This can be an issue if the user’s computer is accessed remotely.

To allow outbound non-IKE traffic during the negotiation, it is necessary to modify the FortiClient XML configuration file.

If FortiClient is managed by EMS, an XML file can be configured on the EMS. For unmanaged/free FortiClient, follow the steps below:

  1. Back up the FortiClient configuration to a file. Remember the password because it will be necessary when restoring the configuration file later.
  2. Edit the backup configuration file in Notepad. In this example, a dialup IPsec VPN connection is configured named ‘Dialup’. Change the <implied_SPDO> value to 1 and <implied_SPDO_timeout> to 60.

  3. Save the configuration file and restore it on FortiClient. If the restore button is greyed out, select the padlock on the top right to unlock. Restore using the same password from step 1.

Note: For more information about and value, refer to IKE settings
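
The edit in step 2 can also be scripted so that only the intended connection is changed and the result can be read back before restoring. The following is an added example, not Fortinet's code: the sample XML is constructed, and the nesting it assumes (each <connection> holding a <name> and an <ike_settings> block containing the two elements) as well as the function names are assumptions to check against the actual backup file.

```python
import xml.etree.ElementTree as ET

# Constructed sample; a real backup has many more elements. The nesting
# (connection > name, connection > ike_settings) is an assumption.
SAMPLE_BACKUP = """<forticlient_configuration>
  <vpn><ipsecvpn><connections>
    <connection>
      <name>Dialup</name>
      <ike_settings>
        <implied_SPDO>0</implied_SPDO>
        <implied_SPDO_timeout>0</implied_SPDO_timeout>
      </ike_settings>
    </connection>
    <connection>
      <name>Other</name>
      <ike_settings><implied_SPDO>0</implied_SPDO></ike_settings>
    </connection>
  </connections></ipsecvpn></vpn>
</forticlient_configuration>"""

def set_implied_spdo(xml_text, connection_name, spdo="1", timeout="60"):
    """Return the XML with both values set for the one named connection."""
    root = ET.fromstring(xml_text)
    matches = [c for c in root.iter("connection")
               if (c.findtext("name") or "").strip() == connection_name]
    if len(matches) != 1:  # refuse to guess when the name is missing or duplicated
        raise ValueError(f"expected exactly one connection named "
                         f"{connection_name!r}, found {len(matches)}")
    ike = matches[0].find("ike_settings")
    if ike is None:
        raise ValueError("connection has no <ike_settings> block")
    for tag, value in (("implied_SPDO", spdo), ("implied_SPDO_timeout", timeout)):
        elem = ike.find(tag)
        if elem is None:  # element absent in this backup: add it
            elem = ET.SubElement(ike, tag)
        elem.text = value
    return ET.tostring(root, encoding="unicode")

def read_values(xml_text, connection_name):
    """Read back (implied_SPDO, implied_SPDO_timeout) for review before restore."""
    for c in ET.fromstring(xml_text).iter("connection"):
        if (c.findtext("name") or "").strip() == connection_name:
            return (c.findtext("ike_settings/implied_SPDO"),
                    c.findtext("ike_settings/implied_SPDO_timeout"))
    return None

if __name__ == "__main__":
    patched = set_implied_spdo(SAMPLE_BACKUP, "Dialup")
    print(read_values(patched, "Dialup"), read_values(patched, "Other"))
```

Keep the untouched backup from step 1 alongside the edited copy so the original settings can be restored if needed.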