Raghu_Kumar
Staff
July 4, 2022

Technical Tip: Unable to add an address group in IPv4 split-tunnel (Phase-1)

Description

This article describes the scenario where the administrator is unable to add an address group in the IPv4 split-tunnel (Phase-1).

Scope

FortiGate.
Solution

How to enable IPv4 Split Tunnel:

 

Enabled by default, this option allows the FortiClient user to reach internal resources through the VPN while other Internet traffic is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection.

 

Disable this option to have all traffic sent through the VPN tunnel.

 

It is not possible to add the address group while any FQDN address is a member of it.

To assign the group in the IPv4 split-tunnel (Phase-1) configuration, first remove every FQDN address from the address group.

 

Once the FQDN addresses are removed, the address group appears in the selection list in both the GUI and the CLI.

# config vpn ipsec phase1-interface
    edit "VPN"                                  <-- name of the VPN tunnel
        set ipv4-split-include "Address_Group"  <-- name of the address group
    next
end

 

The following CLI settings now only list addresses and address groups of type 'iprange' and 'ipmask':

 

- phase1.ipv4-split-include

- phase1.ipv4-split-exclude

- phase1.ipv6-split-include

- phase1.ipv6-split-exclude

- phase2.src-name

- phase2.dst-name

- phase2.src-name6

- phase2.dst-name6
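As an added example (not part of this article and not a Fortinet tool), the check below parses the config firewall address and config firewall addrgrp sections of a FortiOS configuration dump and reports which members keep an address group out of the split-include list, so the offending FQDN members can be removed before the phase1 change. The sample configuration and all object names are constructed for the example; an address with no 'set type' line is treated as the FortiOS default type 'ipmask'.

```python
import shlex

# Constructed sample of a FortiOS configuration dump; all names are hypothetical.
SAMPLE_CONFIG = """\
config firewall address
    edit "LAN_Subnet"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "DB_Range"
        set type iprange
        set start-ip 10.20.0.10
        set end-ip 10.20.0.20
    next
    edit "Intranet_Portal"
        set type fqdn
        set fqdn "intranet.example.internal"
    next
end
config firewall addrgrp
    edit "Split_OK"
        set member "LAN_Subnet" "DB_Range"
    next
    edit "Split_Bad"
        set member "LAN_Subnet" "Intranet_Portal"
    next
end
"""
ALLOWED_TYPES = {"ipmask", "iprange"}  # the only address types split-include accepts

def parse_config(text):  # -> (address name -> type, group name -> member names)
    addresses, groups, section, current = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config firewall "):
            section = line.split()[2]          # "address" or "addrgrp"
        elif line.startswith("edit "):
            current = shlex.split(line)[1]
            if section == "address":
                addresses[current] = "ipmask"  # FortiOS default when 'set type' is absent
            elif section == "addrgrp":
                groups[current] = []
        elif line.startswith("set type ") and section == "address":
            addresses[current] = line.split()[2]
        elif line.startswith("set member ") and section == "addrgrp":
            groups[current] = shlex.split(line)[2:]
    return addresses, groups

def check_groups(text):  # group name -> members that block ipv4-split-include
    addresses, groups = parse_config(text)
    return {g: [m for m in members if addresses.get(m) not in ALLOWED_TYPES]
            for g, members in groups.items()}
```

Run check_groups over the output of 'show firewall address' and 'show firewall addrgrp' concatenated; an empty list means the group can be selected for ipv4-split-include.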