FortiClient IPSEC VPN - Settings Change Drops VPN

Hello,

I’m trying to dip my toes into IPSEC VPN configuration settings ahead of the eventual update to 7.6 since we have a lot of 40F units in production that won’t be able to support SSL VPN.

I’ve got a working IPSEC VPN configuration but I’ve encountered a major annoyance: If the IPSEC VPN is split-tunneled using an address group for the split tunnel, changing the members of the address group immediately drops the VPN connection for any connected users. This is a problem for us since we often have to change the address group during the day.

This is unlike SSL VPN connections, where if you change the split-tunnel addresses, users stay connected but must reconnect for the changes to take effect, which is a lot easier to handle.

I opened a ticket with Fortinet TAC and they said this is by design. Has anyone with IPSEC VPN connections found a workaround or have a way to manage changes? I can’t imagine this is expected behaviour. My current plan is to change the split-tunnel to simply send all RFC1918 traffic to reduce the number of VPN changes needed, but sometimes I need to hairpin public IP addresses through the VPN which requires a change.

It’s expected behaviour. It’s essentially rebuilding the phase 2s associated, which causes the SA to be deleted.

Okay, I didn’t expect that since the phase 2 of the VPN isn’t specific to the subnets listed, the selectors are 0.0.0.0/0.
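As an added illustration (not configuration posted by anyone in the thread), here is the shape of the FortiGate dial-up IPsec setup the posts describe: a phase 2 with 0.0.0.0/0 selectors, and the split-tunnel reach pushed to FortiClient through mode-config via an address group of the RFC1918 ranges. The interface name, tunnel names, client pool, group and address object names are assumed placeholders, and the PSK is left unset.

```fortios
# Address objects for the three RFC1918 ranges (assumed names)
config firewall address
    edit "rfc1918-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "rfc1918-172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "rfc1918-192"
        set subnet 192.168.0.0 255.255.0.0
    next
end

# The group referenced by the split-include setting; changing its
# members is the action the thread says drops connected users
config firewall addrgrp
    edit "vpn-split-include"
        set member "rfc1918-10" "rfc1918-172" "rfc1918-192"
    next
end

# Dial-up phase 1 with mode-config handing out a client pool
# and the split-include group (interface and pool are assumed)
config vpn ipsec phase1-interface
    edit "client-ipsec"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set ipv4-start-ip 10.200.0.10
        set ipv4-end-ip 10.200.0.250
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "vpn-split-include"
        set psksecret <set-a-strong-pre-shared-key>
    next
end

# Phase 2 selectors are 0.0.0.0/0, as noted above; the split
# tunnel is expressed only through the pushed include list
config vpn ipsec phase2-interface
    edit "client-ipsec-p2"
        set phase1name "client-ipsec"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

With a group made only of the three RFC1918 entries, day-to-day changes are rare, which is the poster's stated plan; the caveat from the thread still holds that adding a public IP to hairpin through the tunnel means editing the group and, per TAC, rebuilding the associated phase 2 for connected clients.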

So if that’s the case how do larger organizations manage split-tunnel VPN configurations? Do they just use full-tunnel VPN configurations instead?

Some do full tunnel, others either do application or have stable split tunnel groups… I’m confused and concerned why you think you’ll be changing these daily…

We’re an MSP. We wouldn’t be changing these for a particular client on the daily but it would be semi-frequently for all our clients put together. We’ll just be going full tunnel instead.