Question by TTFN (New Member), May 22, 2026

Help! IPSec IKE VPN using native windows client...

2 replies, 85 views

Hi all,

I have struggled with the above but now have this working on a 61F.

However there are a few bits I am still struggling with that I am trying to work out if they are a limitation of Windows or how I am configuring…

I need an IPSEC VPN with split tunnelling without requiring:

  • Free Fortinet VPN client due to lack of admin rights
  • External RADIUS/Authentication

I have got this working using machine certs, as I believe the Windows client requires the use of EAP-TLS for a user-account-based tunnel, which the FortiGate cannot directly achieve by itself?

Once I got this working, I then wanted to enable split tunnelling. Windows appears to need DHCP option 249 to send over these routes, but also needs mode-config to assign the IP.

I have tried to create a DHCP server on the VPN interface, dummy DHCP servers on loopbacks, etc., but cannot seem to get this part working… is it even possible? If I change the IP address mechanism by specifying DHCP, the client connects but never gets an IP, unless I enable it via mode-config.

(At the moment I have enforced this on the Windows client side by enabling split-tunnelling and restricted routes)
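As an added example (not from the original thread), the Python below encodes and decodes the option 249 payload the post refers to, so a route list can be turned into the hex value a DHCP server option of type hex expects, and a captured option can be checked for a stray default route; the prefixes and gateway are constructed sample values.

```python
"""Build and check DHCP option 249 (Microsoft Classless Static Routes) payloads.

Option 249 carries the same wire format as RFC 3442 option 121. Each route is:
    <prefix length, 1 byte> <significant destination octets> <router, 4 bytes>
where only ceil(prefix_length / 8) leading octets of the destination are sent,
so 10.0.0.0/8 takes 1 destination octet and 172.16.20.0/24 takes 3.
"""
import ipaddress


def encode_option_249(routes):
    """routes: iterable of (destination CIDR, next-hop) strings -> raw option bytes."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # reject host bits set
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_option_249(data):
    """Parse raw option bytes (e.g. from a capture) back into (CIDR, next-hop) pairs."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i - 1}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = int.from_bytes(bytes(data[i:i + significant]) + bytes(4 - significant), "big")
        i += significant
        gateway = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))), str(gateway)))
    return routes


def is_split_tunnel(routes):
    """True when no entry is a default route, i.e. only the listed prefixes go via the VPN."""
    return all(ipaddress.IPv4Network(dest).prefixlen > 0 for dest, _ in routes)


if __name__ == "__main__":
    # Constructed sample: three internal prefixes reachable via the tunnel gateway.
    sample = [("10.0.0.0/8", "192.168.50.1"),
              ("172.16.20.0/24", "192.168.50.1"),
              ("192.168.100.128/25", "192.168.50.1")]
    payload = encode_option_249(sample)
    print(payload.hex())                  # hex string for a DHCP option of type hex
    assert decode_option_249(payload) == sample and is_split_tunnel(sample)
```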

2 replies

funkylicious (SuperUser), May 22, 2026

Maybe this will help in regard to your split tunnel issue: https://www.reddit.com/r/fortinet/comments/1exrlqd/enable_split_tunneling_on_l2tp_windows_dialup_vpn/

"jack of all trades, master of none"
TTFN (Author, New Member), May 22, 2026

Hi, yes I have searched all over Reddit and the interwebs for answers like this but nothing definitive comes back!

AEK (SuperUser), May 31, 2026

Hi TTFN,

You created a DHCP server on the loopback, but did you configure a DHCP relay on the IPsec interface and add a firewall policy to allow DHCP requests?

AEK