
Selecting closest gateway for VPN connection 6.4.1


FortiClient (Windows) uses one of the following methods to choose the closest remote gateway for VPN connection:

  • Based on ping response time duration
  • Based on TCP round trip time (TCP three-way handshake (SYN, SYN-ACK, ACK))
To configure this option in EMS:
  1. Go to Endpoint Profiles > Manage Profiles.
  2. Select the desired profile.
  3. On the VPN tab, click Add Tunnel.
  4. In Basic Settings, add multiple remote gateways, then click Add Tunnel.

  5. On the XML Configuration tab, find the tunnel, and modify the <RedundantSortMethod> value as desired. This value controls the method FortiClient uses to select the remote gateway when connecting to this VPN tunnel:

    Value  Description
    0      Priority-based. FortiClient tries remote gateways in the order defined in the server list to connect to VPN.
    1      FortiClient connects to the gateway that has the shortest ping response time.
    2      FortiClient connects to the gateway that has the shortest TCP round trip time (TCP three-way handshake (SYN, SYN-ACK, ACK)).

  6. Save the profile.

To verify the configuration:
  1. In FortiClient, attempt to connect to the newly configured VPN tunnel.
  2. Do one of the following:
    1. If you selected the ping response method, manually ping the remote gateways in Command Prompt. Confirm that FortiClient connected using the gateway with the shorter ping response time. You can also capture packets with Wireshark during VPN connection and observe that pings to both remote gateways are present.

    2. If you selected the TCP round trip time method, use Wireshark to capture packets. Observe that SYN, SYN-ACK, ACK traffic to both remote gateways is present. Confirm that FortiClient connected using the remote gateway with the shorter TCP round trip time.
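The script below is an added example, not FortiClient or EMS code. It models the three RedundantSortMethod values from the table above (priority order, shortest ping response, shortest TCP three-way handshake) and provides the two measurements an administrator can run from the endpoint while verifying the configuration, so the gateway the script ranks first can be compared against the one FortiClient actually connected to. The gateway names, the assumption that the gateway accepts TCP on port 443, and the use of the OS `ping` tool for ICMP timing are all assumptions of this example.

```python
"""Added example (not Fortinet's code): models the three RedundantSortMethod
values and measures the two latency signals FortiClient compares.
Gateway names and the port used for the TCP probe are assumptions."""
import platform
import re
import socket
import subprocess
import time
from typing import Callable, List, Optional, Sequence

# RedundantSortMethod values from the EMS XML configuration
PRIORITY = 0   # try gateways in configured order
PING_RTT = 1   # shortest ICMP echo response time first
TCP_RTT = 2    # shortest TCP three-way handshake first

# host -> round trip time in ms, or None when the gateway is unreachable
Measure = Callable[[str], Optional[float]]

# Matches Windows ('time=12ms', 'time<1ms') and Unix ('time=12.3 ms') ping output
_PING_TIME = re.compile(r"time[=<]\s*(\d+(?:\.\d+)?)\s*ms")


def ping_rtt(host: str, timeout_s: float = 3.0) -> Optional[float]:
    """Send one ICMP echo request with the OS ping tool and parse the reported
    time. Returns None if ping fails, times out, or reports no time."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        out = subprocess.run(["ping", count_flag, "1", host], capture_output=True,
                             text=True, timeout=timeout_s).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    m = _PING_TIME.search(out)
    return float(m.group(1)) if m else None


def tcp_handshake_rtt(host: str, port: int = 443, timeout_s: float = 3.0) -> Optional[float]:
    """Time a full TCP three-way handshake (SYN, SYN-ACK, ACK) to host:port.
    create_connection() returns only after the handshake completes, so the
    elapsed time is the same signal method 2 compares. The connection is
    closed immediately; no application data is sent."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            pass
    except OSError:
        return None
    return (time.monotonic() - start) * 1000.0


def order_gateways(gateways: Sequence[str], method: int,
                   measure: Optional[Measure] = None) -> List[str]:
    """Return the gateways in the order a client using `method` would try them.

    `gateways` is the server list in configured priority order. For methods 1
    and 2, `measure` supplies the per-gateway RTT (ping_rtt or tcp_handshake_rtt
    in practice; any callable of the same shape for testing). Unreachable
    gateways (None) sort last; equal RTTs keep the configured order.
    """
    if method == PRIORITY:
        return list(gateways)
    if method not in (PING_RTT, TCP_RTT):
        raise ValueError(f"unknown RedundantSortMethod {method}")
    if measure is None:
        raise ValueError("methods 1 and 2 require a measurement function")
    samples = [(measure(g), idx, g) for idx, g in enumerate(gateways)]
    reachable = sorted(s for s in samples if s[0] is not None)
    unreachable = [s for s in samples if s[0] is None]
    return [g for _, _, g in reachable + unreachable]


def measure_for(method: int) -> Optional[Measure]:
    """Map a RedundantSortMethod value to the live measurement it implies."""
    return {PING_RTT: ping_rtt, TCP_RTT: tcp_handshake_rtt}.get(method)


if __name__ == "__main__":
    # Placeholder gateway names; replace with the tunnel's configured servers.
    servers = ["vpn-a.example.invalid", "vpn-b.example.invalid"]
    for method in (PRIORITY, PING_RTT, TCP_RTT):
        print(method, order_gateways(servers, method, measure_for(method)))
```

Run it on the endpoint with the tunnel's real gateway names to get an independent ranking for methods 1 and 2; the same ICMP echo and SYN, SYN-ACK, ACK exchanges it generates are what the Wireshark capture in the verification steps should show for each gateway. Note that a single sample is noisy, so repeat the measurement a few times before concluding that FortiClient chose the wrong gateway.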
