JvLeur
New Member
November 26, 2025
Solved

Dial-UP IPSec IKEv2 Split Tunnel

  • November 26, 2025
  • 5 replies
  • 3114 views

Hi,

 

I am trying to migrate IKEv1 to IKEv2 dial-up VPN tunnels for devices that use FortiClient and for devices that do not use FortiClient (e.g. macOS).
The configuration includes a split tunnel setup.
When a FortiClient-enabled client attempts an IPsec connection, the client acquires a split tunnel VPN session.

I can see the following few lines in the debug session that indicate routes will be installed in the routing table of the device.

 

ike 2:QDIPS_0:10843292: processed INITIAL-CONTACT
ike 2:QDIPS_0:10843292: mode-cfg assigned (1) IPv4 address 172.28.12.1
ike 2:QDIPS_0:10843292: mode-cfg assigned (2) IPv4 netmask 255.255.255.128
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:10.0.0.0/255.0.0.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:172.16.0.0/255.240.0.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:192.168.0.0/255.255.0.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:91.200.16.0/255.255.254.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:141.176.34.0/255.255.255.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:185.55.137.0/255.255.255.128:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:193.105.144.0/255.255.255.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:185.206.27.2/255.255.255.255:0

However, when a macOS client connects to the FortiGate using the native macOS client, the client does not acquire a split tunneling configuration and only receives a default route.

In the following KB there is an explanation of how to configure IPsec VPN with IKEv2 using the native macOS client:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Apple-IOS-native-VPN-using-IKEv2-connection-for/ta-p/196052

However, the "Configuration Attribute Internal IP Subnet" is nowhere to be found.

Is there a possibility to have a functioning IKEv2 setup without running FortiClient? IKEv1 works just fine with split tunneling.

Best answer by funkylicious

hi,

have a look at ~/Library/Preferences/com.apple.networkextension.plist and the attribute UseConfigurationAttributeInternalIPSubnet

5 replies

Anthony_E
Staff
November 30, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
funkylicious
SuperUser
November 30, 2025

hi,

have a look at ~/Library/Preferences/com.apple.networkextension.plist and the attribute UseConfigurationAttributeInternalIPSubnet

"jack of all trades, master of none"
JvLeur (Author)
New Member
December 1, 2025

Hey,

 

Thanks for the updates.

Unfortunately "~/Library/Preferences/com.apple.networkextension.plist" does not exist on my Mac.

I am running macOS Sequoia 15.7.2.

With kind regards,
Jeroen

funkylicious
SuperUser
December 1, 2025

Sorry, my bad, remove the ~ : /Library/Preferences/com.apple.networkextension.plist is the location/file; open it from Finder with a text editor.

"jack of all trades, master of none"
JvLeur (Author)
New Member
December 1, 2025

The .plist file cannot be opened with a text editor as it's a binary.

JvLeur (Author)
New Member
December 4, 2025

After copying the file to another directory and using plutil to convert it to XML, I was able to read it.
It seems that TextMate does this conversion as well.

I have one additional question before I close this.
Is there a possibility to send the "Search Domain" through IKEv2 as well?
DNS servers are provided in the IPsec configuration, but the DNS servers are not being queried.
Only when I configure the following are queries for specific domains sent to them.

/etc/resolver/<domain>
<DNS SERVER1>
<DNS SERVER2>

This issue also occurs with FortiClient connections.

If it's too off topic I can create another topic.
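The plist funkylicious pointed at earlier in this thread is stored in binary form, which is why it would not open in a text editor and needed a plutil conversion. The following is an added Python example, not code from the thread or from Apple or Fortinet: it reads a binary plist directly with the standard-library plistlib (which auto-detects binary vs. XML, so no plutil step is needed), walks the whole structure, and reports every occurrence of the UseConfigurationAttributeInternalIPSubnet key with its value. The sample plist embedded below is constructed for illustration; its layout (a VPNConfigurations list with per-profile IKEv2 dictionaries) is an assumption and not the real schema of com.apple.networkextension.plist, which is why the search is recursive rather than tied to fixed paths. Run it with the path of a copy of the real file as the first argument, or with no argument to use the sample.

```python
import plistlib
import sys

# Constructed sample, serialised in binary form like the real file.
# The layout here is an assumption for illustration only, not the schema of
# /Library/Preferences/com.apple.networkextension.plist.
SAMPLE_PLIST = plistlib.dumps(
    {
        "VPNConfigurations": [
            {"Name": "Corp IKEv2", "IKEv2": {"UseConfigurationAttributeInternalIPSubnet": True}},
            {"Name": "Lab IKEv2", "IKEv2": {"UseConfigurationAttributeInternalIPSubnet": False}},
            {"Name": "Legacy IKEv1", "IKEv1": {"SharedSecret": "redacted"}},
        ]
    },
    fmt=plistlib.FMT_BINARY,
)

# The attribute named in the thread that makes the native client honour the
# INTERNAL_IP4_SUBNET configuration attribute pushed by the gateway.
TARGET_KEY = "UseConfigurationAttributeInternalIPSubnet"


def load_plist(data: bytes):
    """Parse a plist blob; plistlib detects binary and XML formats itself."""
    return plistlib.loads(data)


def to_xml(data: bytes) -> str:
    """Same conversion as `plutil -convert xml1`, so the file can be read in any editor."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_XML).decode()


def find_key(obj, key, path=""):
    """Recursively walk dicts and lists, returning [(path, value), ...] for every occurrence of key."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}/{k}"
            if k == key:
                found.append((child, v))
            found.extend(find_key(v, key, child))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_key(v, key, f"{path}[{i}]"))
    return found


def audit_split_tunnel_flag(data: bytes) -> dict:
    """Return {path: value} for every UseConfigurationAttributeInternalIPSubnet in the blob."""
    return dict(find_key(load_plist(data), TARGET_KEY))


if __name__ == "__main__":
    # Copy the real file elsewhere first (as done in the thread) if permissions block reading it.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    flags = audit_split_tunnel_flag(blob)
    if not flags:
        print(f"{TARGET_KEY} not present in this plist")
    for path, value in flags.items():
        print(f"{path} = {value}")
```

Profiles whose flag is absent or false are the ones that will ignore the pushed subnets and fall back to a single default route, which is the symptom described in the original post.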

funkylicious
SuperUser
December 4, 2025

If you are referring to a DNS suffix, then this can be achieved in IKEv1, but in IKEv2 only for Windows with FortiClient 7.4.4+ (which requires a license/EMS) in FortiOS 7.6.4: https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/707911/ipsec-dns-suffix

You can do it like you mentioned, or add a search domain in /etc/resolv.conf.

"jack of all trades, master of none"
JvLeur (Author)
New Member
December 4, 2025

Thank you for your answers and help!

It's good to know that a DNS suffix is being introduced.
I am not sure if it's really needed to resolve my issue.
Currently when I don't specify a DNS server it's not resolving correctly, but when I select the DNS server that the VPN tunnel is providing, it's working.

~ dig uren.q

 

;; QUESTION SECTION:
;uren.q. IN A

 

;; AUTHORITY SECTION:
. 900 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025120400 1800 900 604800 86400


;; SERVER: 172.20.10.1#53(172.20.10.1)

 

@mbMosaic451-JDGV432QR1 ➜ ~ dig uren.q @172.28.8.53

 

;; QUESTION SECTION:
;uren.q. IN A

 

;; ANSWER SECTION:
uren.q. 300 IN CNAME quanza-eun-wbg5.q.
quanza-eun-wbg5.q. 86401 IN A 172.28.36.25

 

;; SERVER: 172.28.8.53#53(172.28.8.53)

 

Even though I have configured 172.28.8.53 and 172.28.9.53 as the DNS servers.

What's the point in configuring these DNS servers if it's not using those servers?


config vpn ipsec phase1-interface
edit "QDIPS"
set type dynamic
set interface "VLAN709_OUTSIDE"
set ike-version 2
set keylife 28800
set peertype one
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 172.28.8.53
set ipv4-dns-server2 172.28.9.53
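A quick way to check whether the DNS servers from the phase1-interface config above are actually reachable through the split tunnel is to parse the mode-cfg lines from the ike debug quoted in the original post and see which pushed subnet, if any, covers each server. This is an added Python example, not code from the thread or from Fortinet. The regular expressions are written against the debug format quoted in this thread, the sample input is that debug output embedded as a constructed string, and the DNS addresses are the ones in the config above. Any destination that falls outside every pushed subnet leaves the client via its default route rather than the tunnel, which is exactly what a DNS server missing from the VPN address group would do.

```python
import ipaddress
import re

# Constructed sample input: the ike debug lines quoted in the original post, in
# which the FortiGate pushes the assigned address and the split-tunnel subnets
# (mode-cfg attribute 13, INTERNAL_IP4_SUBNET) to the dial-up client.
SAMPLE_IKE_DEBUG = """\
ike 2:QDIPS_0:10843292: processed INITIAL-CONTACT
ike 2:QDIPS_0:10843292: mode-cfg assigned (1) IPv4 address 172.28.12.1
ike 2:QDIPS_0:10843292: mode-cfg assigned (2) IPv4 netmask 255.255.255.128
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:10.0.0.0/255.0.0.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:172.16.0.0/255.240.0.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:192.168.0.0/255.255.0.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:91.200.16.0/255.255.254.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:141.176.34.0/255.255.255.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:185.55.137.0/255.255.255.128:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:193.105.144.0/255.255.255.0:0
ike 2:QDIPS_0:10843292: mode-cfg send (13) 0:185.206.27.2/255.255.255.255:0
"""

# DNS servers from the phase1-interface configuration quoted in the thread
TUNNEL_DNS_SERVERS = ["172.28.8.53", "172.28.9.53"]

ADDR_RE = re.compile(r"mode-cfg assigned \(1\) IPv4 address ([\d.]+)")
SUBNET_RE = re.compile(r"mode-cfg send \(13\) 0:([\d.]+)/([\d.]+):0")


def parse_split_tunnel(debug_text):
    """Return (assigned client address, list of pushed subnets in CIDR notation)."""
    assigned = None
    subnets = []
    for line in debug_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            assigned = m.group(1)
            continue
        m = SUBNET_RE.search(line)
        if m:
            # The debug prints a dotted netmask; ipaddress normalises it to a prefix length.
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            subnets.append(str(net))
    return assigned, subnets


def tunneled_via(dest, subnets):
    """Most specific pushed subnet covering dest, or None if dest takes the default route."""
    addr = ipaddress.IPv4Address(dest)
    matches = [ipaddress.IPv4Network(s) for s in subnets if addr in ipaddress.IPv4Network(s)]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


def dns_coverage(dns_servers, subnets):
    """Map each DNS server to the subnet that carries it over the tunnel (None = not tunneled)."""
    return {server: tunneled_via(server, subnets) for server in dns_servers}


if __name__ == "__main__":
    client_ip, nets = parse_split_tunnel(SAMPLE_IKE_DEBUG)
    print(f"client address {client_ip}; {len(nets)} split-tunnel subnets pushed")
    for server, via in dns_coverage(TUNNEL_DNS_SERVERS, nets).items():
        state = f"via {via}" if via else "NOT in split tunnel, will use the default route"
        print(f"DNS {server}: {state}")
```

With the debug output from this thread both DNS servers fall inside 172.16.0.0/12, so the pushed subnets are not what keeps the native client from querying them; on a gateway where the check reports None for a server, the address group feeding the split tunnel is the first thing to look at.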

 

 

hoslerj2
Visitor III
May 12, 2026

@JvLeur do you happen to have a sample profile you can share of a working config? Assuming you got split tunnel working on Mac.

 
funkylicious
SuperUser
May 12, 2026

you can use the guide and adapt it to your needs.

"jack of all trades, master of none"
hoslerj2
Visitor III
May 12, 2026

sdbhfgiudsahguiogfhbsfdogi

 

These past few days I've been reading all these guides and made sure everything is right, and I forgot to add the DNS server to my address object group that is used for VPN locations. Now it works.

Wonder why it worked for Windows without this. Interesting.

Thanks for the response, even though it didn't help I at least appreciate it lol