Contributor
September 29, 2008
Question

SSLVPN : Destination address of split tunneling policy is invalid

I have a SSL VPN setup under 3.00 MR6 which is working fine. The tunnel range is 192.168.98.1 through to 192.168.98.254. I have a static route setup 192.168.98.0/C distance 2 Device SSL.Root.

I have two firewall rules:
  • One EXTERNAL->INTERNAL Source ALL DEST LOCAL_LAN Action SSL-VPN.
  • One SSL.Root -> INTERNAL SOURCE ALL DEST ALL ACCEPT.
Where LOCAL_LAN is 192.168.1.0/C.

This works but all traffic is then going via the SSLVPN. When I go into SSL-VPN User Group Options and enable Split tunneling for the following: 192.168.1.1 - 192.68.1.254 I get: Destination address of split tunneling policy is invalid. Any ideas what I'm doing wrong?

    4 replies

    rwpatterson
    New Member
    September 29, 2008
    Personally, I don't use the generic tunnel definitions. I define tunnel IP ranges for each SSL group I set up. Try making the SSL range a subset of the larger class C. This is a guess though... Good luck
    Contributor
    September 30, 2008
    Thanks for the reply, however sorry I don't quite understand that! Any chance you could explain with an example? What I'm trying to achieve is to allow remote access in but not be disconnected from, say, MSN on the client computer when the tunnel is active.
    rwpatterson
    New Member
    September 30, 2008
    On the main SSL VPN page, there is the tunnel definition. That's the 'generic' one I referred to. I left that blank, and in each individual definition, I added the tunnel range under advanced.
    Contributor
    October 1, 2008
    Hi Bob, I tried to remove the IP from VPN->SSL->Config and it says Invalid IP Address.
    Contributor
    October 1, 2008
    Fortinet Support fixed it:
    In order to enable split tunneling you need to define the destination address field properly in the SSL firewall policy instead of all to all. External to Internal > all > Internal_Range > SSL VPN, e.g. Internal_Range = 192.168.1.1 - 192.68.1.254
    Thanks for the replies
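The fix above ties the split-tunnel destination to the destination address object of the SSL-VPN firewall policy, and the last reply points out why an all-to-all policy is a problem in its own right. The following added example models that relationship as a small consistency check: it parses address objects in the forms used in this thread (`all`, a CIDR, a `start - end` range), rejects a range whose end precedes its start, requires the split-tunnel destination to fall inside the policy's destination object, and flags a destination of `all` as overly permissive. It is not FortiGate code and does not reproduce FortiOS's own validation; the containment rule is an assumption generalised from the thread, where both values were the same range, and the object names and sample values are constructed.

```python
"""Consistency check: SSL-VPN split-tunnel destination vs. policy dstaddr.

Added example (not FortiGate code).  Assumption: the split-tunnel
destination must be covered by the SSL-VPN policy's destination address
object, and a destination of 'all' should be narrowed.  Names and sample
values below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_address(spec: str) -> List[Network]:
    """Parse an address object spec into a list of networks.

    Accepts 'all', a CIDR such as 192.168.1.0/24, or a range
    'start - end'.  A range whose end is lower than its start cannot be
    represented by any address object and is rejected.
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in spec:
        start_s, end_s = (p.strip() for p in spec.split("-", 1))
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
        # Expand the range into the minimal set of CIDR blocks covering it.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


def covered(inner: List[Network], outer: List[Network]) -> bool:
    """True when every network in `inner` lies inside some network in `outer`."""
    return all(
        any(n.subnet_of(o) for o in outer if n.version == o.version)
        for n in inner
    )


@dataclass
class Finding:
    severity: str  # "error" (blocks the change) or "warning" (least-privilege issue)
    message: str


def check_split_tunnel(policy_dstaddr: str, split_tunnel_dst: str) -> List[Finding]:
    """Check a proposed split-tunnel destination against the policy's dstaddr.

    Returns an empty list when the destination is usable and the policy is
    already scoped to a specific internal range.
    """
    findings: List[Finding] = []
    try:
        split_nets = parse_address(split_tunnel_dst)
    except ValueError as exc:
        return [Finding("error", f"split-tunnel destination unusable: {exc}")]
    policy_nets = parse_address(policy_dstaddr)

    if policy_dstaddr.strip().lower() == "all":
        findings.append(Finding(
            "warning",
            "policy destination is 'all': every host behind the gateway is reachable "
            "through the tunnel; narrow it to the internal range VPN users need",
        ))
    if not covered(split_nets, policy_nets):
        findings.append(Finding(
            "error",
            f"split-tunnel destination {split_tunnel_dst!r} is not contained in "
            f"policy destination {policy_dstaddr!r}",
        ))
    return findings


if __name__ == "__main__":
    # Constructed sample cases: scoped policy, all-to-all policy,
    # destination outside the policy, and an inverted range.
    cases = [
        ("192.168.1.0/24", "192.168.1.1 - 192.168.1.254"),
        ("all", "192.168.1.1 - 192.168.1.254"),
        ("192.168.1.0/24", "10.0.0.0/8"),
        ("192.168.1.0/24", "192.168.1.254 - 192.168.1.1"),
    ]
    for dst, split in cases:
        result = check_split_tunnel(dst, split)
        status = "ok" if not result else "; ".join(f"{f.severity}: {f.message}" for f in result)
        print(f"policy dstaddr={dst!r:18} split={split!r:32} -> {status}")
```

The warning on `all` is deliberate: a split-tunnel range can be perfectly valid against an all-to-all policy, but the policy then grants tunnel users every destination the gateway can route to, which is the point rwpatterson makes in the last reply.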
    rwpatterson
    New Member
    October 1, 2008
    I missed that one myself. All to all is generally a bad idea.