MarioBerger
New Member
June 23, 2025
Question

IPsec Client VPN IKEv2 Split-Tunneling


Dear Community, 


Due to the fact that Fortinet decided to remove the classic SSL-VPN with 7.6, the first people are trying to migrate from SSL-VPN to dial-up IPsec with mode-config.
To test it for a customer I built the following lab:

[Screenshot 2025-06-23 101659.png]

I was able to get it all running on IKEv2, but somehow, even though I enabled split-tunneling for both IPv4 and IPv6,
I receive a default route for both v4 and v6.

Does anyone know the issue and how to solve it?

Thanks
Mario :)


funkylicious
SuperUser
June 23, 2025

Hi,

What did you specify/reference in the split-tunnel options? Is the object in question a network object containing a network/mask, or is it a range of addresses/IPs?

"jack of all trades, master of none"
MarioBerger
New Member
June 24, 2025

Hi,

The split-tunnel option I mentioned is "ipv4-split-include", same for v6.
The objects are "lo1 address" - 172.16.1.0/24 and "lo1_net" - fd00:affe:1::/64.

--------------------
config vpn ipsec phase1-interface
edit "ReAc_test1"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha512
set dhgrp 21
set eap enable
set eap-identity send-request
set authusrgrp "group1"
set ipv4-start-ip 172.31.251.2
set ipv4-end-ip 172.31.251.254
set ipv4-split-include "lo1 address"
set ipv6-start-ip fd00:affe:1::2
set ipv6-end-ip fd00:affe:1::ffff
set ipv6-prefix 64
set ipv6-split-include "lo1_net"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC XXX
next
end
--------------------------------
Phase 2:
config vpn ipsec phase2-interface
edit "ReAc_test1"
set phase1name "ReAc_test1"
set proposal aes256-sha512
set dhgrp 21
set keepalive enable
set comments "VPN: ReAc_test1 (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "lo1 address"
set dst-name "all"
next

edit "ReAc_test1v6"
set phase1name "ReAc_test1"
set proposal aes256-sha512
set dhgrp 21
set keepalive enable
set src-addr-type name6
set dst-addr-type name6
set src-name6 "all"
set dst-name6 "all"
next
end
-------------------------------------------

What I'm also unable to do is to use multiple Phase 1 interfaces to connect different user groups.

No matter what, when I try to connect with user test2 the connection is only triggered on ReAc_test1:

ike V=root:0:ReAc_test1:1: responder received EAP msg
ike V=root:0:ReAc_test1:1: send EAP message to FNBAM
ike V=root:0:ReAc_test1:1: initiating EAP authentication
ike V=root:0:ReAc_test1: EAP user "test2"
ike V=root:0:ReAc_test1: auth group group1
ike V=root:0:ReAc_test1: EAP 876280606722 pending
ike V=root:0:ReAc_test1:1 EAP 876280606722 result FNBAM_ERROR
ike V=root:0:ReAc_test1: EAP failed for user "test2"
ike V=root:0:ReAc_test1: EAP response is empty
ike V=root:0:ReAc_test1: connection expiring due to EAP failure
ike V=root:0:ReAc_test1: going to be deleted


Thanks
Mario :)

Xronos
New Member
June 24, 2025

Hi Marco,

I think you should first explain why you want to use different Phase 1 configurations.


You can assign different access permissions using firewall rules based on user groups. With RADIUS (e.g. connected to Active Directory), that also works directly.
Don't forget to completely remove the authusrgrp setting in Phase 1 (i.e. use unset authusrgrp).


Otherwise, if you really need different Phase 1 configurations, the FortiGate can't easily distinguish them.
For that, you can use the network-id. Just keep in mind that the network-id also needs to be configured on the client side.

config vpn ipsec phase1-interface
edit <example>
set ike-version 2
set network-overlay enable
set network-id <integer>
next
end
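
As an added example (not code from this thread or from Fortinet), a small Python checker for the two problems discussed above: it parses a FortiOS CLI dump and flags split-include objects that are not network/mask objects (funkylicious's question about subnet vs. range) and dial-up phase1s that share an interface and IKE version without a network-id (Xronos's point). The sample config is constructed from the values in this thread; the "lo1 range" object and the second phase1 "ReAc_test2" are assumptions, and the table/type names are FortiOS defaults as I know them.

```python
import shlex

def parse_fortios(text):
    """Parse a FortiOS CLI dump into {table: {entry: {key: [values]}}} (one nesting level)."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] == "config":
            table = tables.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit":
            entry = table.setdefault(parts[1], {})
        elif parts[0] == "set" and entry is not None:
            entry[parts[1]] = parts[2:]
        elif parts[0] == "next":
            entry = None
    return tables

SUBNET_TYPES = {"ipmask", "ipprefix"}  # default FortiOS types for address / address6 (a network plus mask/prefix)

def check_split_include(cfg):
    """(phase1, object, problem) for split-include objects that are missing or not a network/mask object."""
    out = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        for key, tbl, dflt in (("ipv4-split-include", "firewall address", "ipmask"),
                               ("ipv6-split-include", "firewall address6", "ipprefix")):
            for obj in p1.get(key, []):
                entry = cfg.get(tbl, {}).get(obj)
                if entry is None:
                    out.append((name, obj, "object not found"))
                elif entry.get("type", [dflt])[0] not in SUBNET_TYPES:  # type absent means the default type
                    out.append((name, obj, "not a subnet object: " + entry["type"][0]))
    return out

def check_dynamic_overlap(cfg):
    """Dynamic phase1s sharing interface + IKE version with no network-id: the gateway cannot tell them apart."""
    p1s, groups = cfg.get("vpn ipsec phase1-interface", {}), {}
    for name, p1 in p1s.items():
        if p1.get("type") == ["dynamic"]:
            groups.setdefault((p1.get("interface", [""])[0], p1.get("ike-version", ["1"])[0]), []).append(name)
    return sorted(n for names in groups.values() if len(names) > 1 for n in names if "network-id" not in p1s[n])

# Constructed sample: the thread's "lo1 address" object plus an assumed range object and a second dial-up phase1 without network-id.
SAMPLE = "\n".join([
    'config firewall address', 'edit "lo1 address"', 'set subnet 172.16.1.0 255.255.255.0', 'next',
    'edit "lo1 range"', 'set type iprange', 'set start-ip 172.16.1.1', 'set end-ip 172.16.1.254', 'next', 'end',
    'config vpn ipsec phase1-interface', 'edit "ReAc_test1"', 'set type dynamic', 'set interface "wan1"',
    'set ike-version 2', 'set ipv4-split-include "lo1 address"', 'next', 'edit "ReAc_test2"', 'set type dynamic',
    'set interface "wan1"', 'set ike-version 2', 'set ipv4-split-include "lo1 range"', 'set ipv6-split-include "lo1_net"', 'next', 'end'])
```

Run `check_split_include(parse_fortios(SAMPLE))` and `check_dynamic_overlap(...)` against a `show vpn ipsec phase1-interface` / `show firewall address` dump to get the findings as tuples and names.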

Xronos
New Member
July 3, 2025

Thanks for posting exactly the same URLs as I did :p