Is it possible to use the native Windows 10 VPN client instead of FortiClient VPN?

I am currently connecting to a corporate VPN using the FortiClient VPN v6.2.2.0877. This version, as with every other 6.x version I’ve tried of the FortiClient VPN software, keeps giving me intermittent BSODs pointing to “fortips.sys”. I’m running Windows 10 on a Dell laptop. I’m mainly connected to a dock with Ethernet; sometimes I’ll connect via Wi-Fi. The BSODs seem to happen most often if I’ve changed connections: when I go to reconnect the VPN, the entire system will crash.

In the FortiClient VPN setup, my connection is “IPsec VPN” with a remote gateway, pre-shared key, and the rest is defaults. So I believe it is XAuth with IKEv1. I thought maybe using the native Windows 10 VPN client would be more stable, so I created a new VPN connection, entered my gateway in as the server name, selected “L2TP/IPsec with pre-shared key” and entered my key, and tried to connect. But it doesn’t connect, and Event Viewer reports “user has dialed a connection which has failed. The error code returned on failure is 789.” but I don’t find any further details about what the problem might be.

So I’m wondering - should I be able to connect to my VPN without the FortiClient software in the first place? If it is possible, I can pursue with my network admin on what might be happening. But if the FortiClient VPN client is the only compatible one, I guess I’ll have to live with it, unless there is some alternative compatible 3rd party VPN client out there?

On a side note - aside from the BSODs the client is pretty bad in general. The UI feels sluggish, I have two saved connections that if I open them to edit settings all of the settings fields are blanked out.

Finally, if there’s any interest in the BSOD info, I ran a WinDbg on the memory dump. Some snippets:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace.

Arguments:

Arg1: ffffa50e8456807d, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000000, value 0 = read operation, 1 = write operation

Arg4: fffff80649be35b1, address which referenced memory

MODULE_NAME: fortips

IMAGE_NAME: fortips.sys

BUCKET_ID_FUNC_OFFSET: 135b1

FAILURE_BUCKET_ID: AV_fortips!unknown_function

BUCKET_ID: AV_fortips!unknown_function

PRIMARY_PROBLEM_CLASS: AV_fortips!unknown_function

Native Win10 definitely does work, but care needs to be taken to have both sides matching configs.
Off the top of my head, the first main bump is typically the type of authentication in XAUTH (if you’re forwarding this to LDAP, you must edit the client side to switch to PAP).

Since it seems to be a client-to-network VPN, if switching to SSL is an option, on Windows 10 in the Microsoft Store there is a free official FortiClient SSL VPN Win10 app that simply adds an option into Windows VPN.

As for IPsec, it might be different depending on the FortiOS version, but mine asks to specify if the client is FortiClient or native iOS, Android or Windows. It might be simply for an easier configuration, but they could also block everything else since FortiClient has some more options even if you don’t use them.

I think that depends on how the VPN is being administered; they might have health checks that prevent you from using anything other than the client, which allows them to also initiate patch level checks before it allows you to initiate a session with them.

I might take a jab at the BSODs off the top of my head.

Any chance the computer is running HVCI? DeviceGuard/CredGuard?

I’ve run HVCI checks and have seen FortiClient fail. I have seen nothing online about it, but it is concerning if FortiClient is still not compatible.

“Every other 6.x version I’ve tried”

To be clear, does this mean you have indeed tried 6.0.8?

6.2 is still considered unstable and pre-release.

Don’t know about the BSOD, but your settings are possibly grayed out because of a lock. This is in the later versions of the FortiClient. Click the lock symbol, top right I think, of the settings window to unlock. It will try to get you to set a password, but you don’t have to.

From the downloads page (https://www.forticlient.com/downloads) I’ve used the “FortiClient for Windows” version 6.0, and each iteration of the “FortiClient VPN” that’s prominently displayed at the top of the page for version 6.2. I had this same problem with every iteration. I don’t disagree that it’s unstable, but it isn’t visibly marked as such… and besides, I only need VPN access, and as far as I know we are not using any of the other Fortinet features. The VPN-only client seemed most appropriate.

I’m pretty sure there is something misconfigured on my workstation or there is some conflicting software, as I seem to be the only one in my group with this issue, but it’s been difficult navigating the different internal support layers. Hence trying to find alternate solutions myself :)