Split tunnel not working for IPSec dial up vpn's

hi,

have you tried following this guide, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192266 ?

also, in FCT try doing a backup of the config and edit it and change these params after the export

https://docs.fortinet.com/document/forticlient/7.4.2/xml-reference-guide/739387/ipsec-vpn 

<enable_local_lan>1</enable_local_lan>

also, <implied_SPDO>1</implied_SPDO>

then import back the config in the client

Hi @network123 ,

First of all, can you capture the local routing table once connected to the IPSec VPN? 

This is to confirm whether the routing table is in issue or not.

I'm setting up a new ipsec ikev2 RA tunnel as well (no other tunnels) and am seeing the same thing. Using a subnet for the split tunnel object. Firewall is 7.2.11 and using latest 7.4.2.1737 client. I can see in the ike debug that it's pushing the correct subnet for split tunneling (mode-cfg send (13) 0:10.0.0.0/255.255.255.0:0), but none of the pc's i've tried on will show that they should be split tunneling - keep trying to tunnel all traffic via the vpn.

Just want to put my 2 cents in, as I'm facing the same issue. 

This is initially a new setup. Unfortunately, it was not working either. I got the proper IP address, and forward traffic logs shows DNS traffic is going nicely, but outside of that I was not getting good reply back from pings. Forward traffic did not register any of my ping attempts.

I went with Packet sniffer on the IPSec interface and see that it's registering it from my 192.168.x.x local IP at home. 

Now, I did have a working setup. Months back I had setup an IPSec VPN Client tunnel on a separate Fortigate, it was splitting tunnel smoothlessly. I do not have the FCT version number I used; however, I chose to reconnect to it for testing purposes. It did not work. Same Problem. I did not touch that old VPN connection; the only thing that's changed is the FCT version (and recently Windows 11 version). 

This post is my only hint that it's not my configuration on Fortigate's side. Pending more research, I hope to help you out if I find something :)

Edit: The plot thickens. Using 7.4.0 worked fine on my Work laptop. Everything mentioned in the original comment was on my Personal Laptop. I uninstalled FCT 7.4.0 and reinstalled the new version 7.4.2.1737 same as my Personal laptop to do some more diagnostics/fixes. It worked fine....The Route table updated properly instead of defaulting to Full Tunnel. It just works now. Unsure where the issue lies now.

Happy to see I'm not the only one, and it wasn't me doing an incorrect config.

This seems to be an issue with Forticlient.

Running Fortigate 7.4.7.2731 and Forticlient VPN (the free one) 7.4.2.1737, I was having the same issue. The split route and also a default route via the VPN would get installed on the client, making all traffic route via the VPN. 

I uninstalled the client and installed an older one (7.2.3.0929). Split tunneling is now working correctly - no incorrect default route on the client. Unfortunately, "no support" for the free client (boo!), but hopefully they fix it. Anyone successfully using the licensed 7.4.2 FortiClient with split tunnelling? I'd imagine it has the same issue.

I had a similar issue in the weekend while testing ipsec with ikev2 and saml, whereas the split tunnel wasnt working, I was getting the full tunnel config.

Had to manually change the Automatic metric for the SSLVPN adapter and it started working for some reason.

L.E. i also installed FCT 7.2.8, i was running either 7.2.4 or 7.2.5 

yeah based off that I uninstalled the 7.4 and installed 7.2.8. it did split tunnel correctly, however apparently 7.2.8 will skip the MS saml if the pc already is authenticated to MS - just one problem after another.

I can also confirm split tunneling doesn't work for dial-up vpn  ZTNA Forticlient 7.2.9 to a firewall running FortiOS 7.4.7. I only get a default route. 

Good to know IKE works "great" while Fortinet is planning on removing SSLVPN :). Downgrading to 7.2.8 fixed the issue for me. 

Hey all,

yes, 2 weeks that I'm fighting split tunneling with IPSEC on FGT 7.6.3 with FCT 7.4.3, and always having 0.0.0.0 route and VPN traffic not working well in more. Raisins a support ticket and lost time with them by requesting reinstalling client, using different computer, some screenshot, ... nothing with a real strategy and knowledge for help me and finally found this thread.

And yes, juste downgraded Forticlient to 7.2.8 without changing anything in FGT, works perfectly in a row !

Are there someone was able to work with Dialup VPN IPSec on FGT 7.6.3 with FCT client > 7.2.8 ? Goal is to use a recent version as more as possible.

Thank you

Regards

Alexandre

First time on the forum. I had similar problems if the Split-tunnel acl had anything other than ipv4 address. (FQDN etc)

Once I removed those my route table showed the correct routes.