Skip to main content
kraus
kraus
Visitor III
August 8, 2023
Solved

Split Tunnel for IPSec VPN on Mac OS

  • August 8, 2023
  • 2 replies
  • 5384 views

Hello Forti Communty,

 

I need help with getting split tunneling to work on Mac OS.

 

We have the following situation in our company:

We have a firewall cluster made out of two FG 100F version 6.4.12.

The IPSec VPN configuration with split tunneling we are currently using is working perfectly for all of our windows clients. Now we also have to support Mac OS but we ran into some troubles.

For our clients we use the free VPN client from Forti in version 7.2.0, the Mac and Windows config is also similar.

The VPN connection itself on the Mac is working great but due to the missing split tunnel feature it is only possible to connect to company internal resources when the connection is active. So for example google.com is not working because all traffic is sent to the virtual VPN gateway. As soon as VPN is disconnected all external resources are working again. Now I have the following questions:

 

Is it possible to use split tunneling on Mac, maybe via workaround?

Is there a different solution to this, for example to setup a secondary gateway? (I have no experience with Mac OS so I don´t know if something like that is even possible)

 

Please let me know if I forgot something important.

thank you in advance for your help.

 

best regards

 

Best answer by rvijayaraj

Hi,

 

You can try editing the xml file from the forticlient settings. 

 

1) Download Forticlient configuration backup (XML file) from FortiClient settings.
2) Open the file using a text editor (e.g. NotePad++).
3) Search for the IPSec tunnel name.
4) The split tunnel addresses is added under the tag <remote_networks> under the required tunnel.

Each address is added in a <network> tag as per the below example(the split tunnel configuration is in bold text. Other irrelevant parts of the configuration are removed for simplicity):



<ipsecvpn>
            <options>
                …
                …
            </options>
            <connections>
            …
            …
                <connection>
                    <name>IPSEC_TUNNEL_1</name>
                    <type>manual</type>
                    <ike_settings>
                       …
                       …
                    </ike_settings>
                    <ipsec_settings>
            <remote_networks>
           <network>
    <addr>172.16.100.0</addr>
    <mask>255.255.255.0</mask>
          </network>
           <network>
    <addr>172.16.120.0</addr>
    <mask>255.255.255.240</mask>
           </network>     
            …
            …             
       </ipsec_settings>
         …
         …
     </connection>
      …
      …
   </connections>
</ipsecvpn>

NOTE.
FortiClient Requires 'Full Disk Acess' permissions in Mac OS Privacy Settings in order for the configuration restore feature to work.
Refer to FortiClient Mac OS release notes for more details.

 

Regards,

Roshan

2 replies

rvijayaraj
Staff
rvijayarajAnswer
Staff
August 8, 2023

Hi,

 

You can try editing the xml file from the forticlient settings. 

 

1) Download Forticlient configuration backup (XML file) from FortiClient settings.
2) Open the file using a text editor (e.g. NotePad++).
3) Search for the IPSec tunnel name.
4) The split tunnel addresses is added under the tag <remote_networks> under the required tunnel.

Each address is added in a <network> tag as per the below example(the split tunnel configuration is in bold text. Other irrelevant parts of the configuration are removed for simplicity):



<ipsecvpn>
            <options>
                …
                …
            </options>
            <connections>
            …
            …
                <connection>
                    <name>IPSEC_TUNNEL_1</name>
                    <type>manual</type>
                    <ike_settings>
                       …
                       …
                    </ike_settings>
                    <ipsec_settings>
            <remote_networks>
           <network>
    <addr>172.16.100.0</addr>
    <mask>255.255.255.0</mask>
          </network>
           <network>
    <addr>172.16.120.0</addr>
    <mask>255.255.255.240</mask>
           </network>     
            …
            …             
       </ipsec_settings>
         …
         …
     </connection>
      …
      …
   </connections>
</ipsecvpn>

NOTE.
FortiClient Requires 'Full Disk Acess' permissions in Mac OS Privacy Settings in order for the configuration restore feature to work.
Refer to FortiClient Mac OS release notes for more details.

 

Regards,

Roshan

    kraus
    krausAuthor
    Visitor III
    August 8, 2023

    Hello Roshan,

     

    thank you for the quick reply. I already tried this approach some time ago and it did not work because I was not able to import the config into the VPN client. But thanks to your final note this issue is now resolved.

     

    regards

    Terms & ConditionsAccessibility statement