AC_CHANGE
Explorer
March 25, 2025
Question

VPN Split Tunneling Issue – No Access to VLANs

Hello,

I have two FortiGate 60F 7.4.7 devices configured for redundancy in case of failure. The setup includes two physical WAN interfaces: ISP-1 (wan1) and ISP-2 (wan2). There is also a virtual LACP-1 interface that combines internal1 and internal2. Several VLANs are configured on LACP-1.

I need to configure an IPSec VPN with Split Tunneling, where all internet traffic should go through the client's local internet, while traffic destined for the VLANs should be routed through the tunnel.

The VPN tunnel establishes successfully, and the client can connect. However, the client cannot access any network resources inside the VLANs or ping anything.

VPN Tunnel Configuration:

config vpn ipsec phase1-interface
    edit "Delta_VPN_IPSec"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Delta_VPN_IPSec (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "TESTVPNSSL"
        set ipv4-start-ip 192.168.80.100
        set ipv4-end-ip 192.168.80.200
        set dns-mode auto
        set ipv4-split-include "Delta_VPN_IPSec_split"
        set save-password enable
    next
end

config vpn ipsec phase2-interface
    edit "Delta_VPN_IPSec"
        set phase1name "Delta_VPN_IPSec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: Delta_VPN_IPSec (Created by VPN wizard)"
    next
end

Firewall Policy Configuration:

config firewall policy
    edit 31
        set name "vpn_Delta_VPN_IPSec_remote_0"
        set uuid a254b5f2-08bb-51f0-3a23-e904558689db
        set srcintf "Delta_VPN_IPSec"
        set dstintf "LACP-1"
        set action accept
        set srcaddr "Delta_VPN_IPSec_range"
        set dstaddr "VLAN-10 address" "VLAN-11 address" "VLAN-15 address" "VLAN-20 address"
        set schedule "always"
        set service "ALL"
        set comments "VPN: Delta_VPN_IPSec (Created by VPN wizard)"
    next
end

Issue:

Even with these settings, the VPN client cannot access VLAN-10, VLAN-11, VLAN-15, or VLAN-20. No communication is working between the VPN client and these VLANs.

Questions:

  1. Are there any missing configurations (e.g., additional routes or security policies) that could be preventing VLAN access?
  2. Is there a need for a policy from LACP-1 to Delta_VPN_IPSec to allow return traffic?
  3. Are there any common FortiGate limitations or known issues that could cause this behavior?

I would be grateful for any advice.

3 replies

Anthony_E
Staff
March 28, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,
Best Regards

Toshi_Esumi
SuperUser
March 28, 2025

Do you realize that the LACP interface "LACP-1" and the VLAN subinterfaces are all independent interfaces in FGT policies? You need to have policies toward those VLAN interfaces, or bind them in a zone if there is not much distinction in the policies.

Toshi
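
As an added example (not code from this thread or from Fortinet), a small Python check for the mismatch Toshi describes: it parses a constructed config firewall policy block modelled on the original post and flags each destination address whose owning VLAN interface is not covered by dstintf, either directly or through a zone. The zone name LAN-VLANs, the ADDR_OWNER map and the sample policy are assumptions.

```python
import re

# Constructed sample modelled on the thread's wizard policy (not the poster's exact config):
# dstintf is the parent aggregate, but the destinations live on VLAN subinterfaces.
SAMPLE_BEFORE = """
config firewall policy
    edit 31
        set srcintf "Delta_VPN_IPSec"
        set dstintf "LACP-1"
        set action accept
        set srcaddr "Delta_VPN_IPSec_range"
        set dstaddr "VLAN-10 address" "VLAN-11 address"
    next
end
"""
# Same policy after the fix from the reply: dstintf is a zone that holds the VLAN interfaces.
SAMPLE_AFTER = SAMPLE_BEFORE.replace('set dstintf "LACP-1"', 'set dstintf "LAN-VLANs"')
ZONES = {"LAN-VLANs": {"VLAN-10", "VLAN-11", "VLAN-15", "VLAN-20"}}  # assumed zone name/members
# Interface that owns each address object (assumed from the thread's naming).
ADDR_OWNER = {"VLAN-10 address": "VLAN-10", "VLAN-11 address": "VLAN-11",
              "VLAN-15 address": "VLAN-15", "VLAN-20 address": "VLAN-20"}

def parse_policies(text):
    """Parse the entries of a 'config firewall policy' block into dicts of key -> [values]."""
    block = re.search(r"config firewall policy\n(.*?)\nend", text, re.S)
    if block is None:
        return []
    policies = []
    for ident, body in re.findall(r"edit (\S+)\n(.*?)\n\s*next\b", block.group(1), re.S):
        pol = {"id": ident.strip('"')}
        for key, rest in re.findall(r"set (\S+) (.*)", body):
            pol[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        policies.append(pol)
    return policies

def find_mismatches(text, zones=None):
    """Return (policy id, address, owning interface) for each dstaddr whose owning interface
    is neither in dstintf nor in a zone named there: that traffic never matches the policy."""
    zones = zones or {}
    findings = []
    for pol in parse_policies(text):
        reachable = set()
        for intf in pol.get("dstintf", []):
            reachable |= zones.get(intf, {intf})  # a zone expands to its member interfaces
        for addr in pol.get("dstaddr", []):
            owner = ADDR_OWNER.get(addr)
            if owner and owner not in reachable:
                findings.append((pol["id"], addr, owner))
    return findings

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_BEFORE), find_mismatches(SAMPLE_AFTER, ZONES))
```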

AC_CHANGE (Author)
Explorer
April 2, 2025

Thank you for your advice. I made the changes and added policies toward those VLAN interfaces; unfortunately, the situation has not changed.

FortiGate-60F (IPSec_VPN_Delta) # show
config vpn ipsec phase1-interface
    edit "IPSec_VPN_Delta"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPSec_VPN_Delta (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "TESTVPN"
        set ipv4-start-ip 192.168.200.100
        set ipv4-end-ip 192.168.200.200
        set dns-mode auto
        set ipv4-split-include "IPSec_VPN_Delta_split"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC
    next
end

config firewall policy
    edit 29
        set name "IPSec-VPN_to_VLAN-10"
        set uuid f854ec12-0f99-51f0-e0ab-fdbe98229cb3
        set srcintf "IPSec_VPN_Delta"
        set dstintf "VLAN-10"
        set action accept
        set srcaddr "IPSec_VPN_Delta_range"
        set dstaddr "VLAN-10 address"
        set schedule "always"
        set service "ALL"
    next
    edit 30
        set name "IPSec-VPN_to_VLAN11"
        set uuid f85dc512-0f99-51f0-1199-a6f3ce40ae14
        set srcintf "IPSec_VPN_Delta"
        set dstintf "VLAN-11"
        set action accept
        set srcaddr "IPSec_VPN_Delta_range"
        set dstaddr "VLAN-11 address"
        set schedule "always"
        set service "ALL"
    next
    edit 31
        set name "IPSec-VPN_TO_VLAN-15"
        set uuid f8673250-0f99-51f0-5d3f-9de0cbc4bfc5
        set srcintf "IPSec_VPN_Delta"
        set dstintf "VLAN-15"
        set action accept
        set srcaddr "IPSec_VPN_Delta_range"
        set dstaddr "VLAN-15 address"
        set schedule "always"
        set service "ALL"
    next
    edit 32
        set name "IPSec-VPN_to_VLAN-20"
        set uuid f86f1f60-0f99-51f0-7f57-a8b81bc3195e
        set srcintf "IPSec_VPN_Delta"
        set dstintf "VLAN-20"
        set action accept
        set srcaddr "IPSec_VPN_Delta_range"
        set dstaddr "VLAN-20 address"
        set schedule "always"
        set service "ALL"
    next
end

AC_CHANGE (Author)
Explorer
April 2, 2025

I was troubleshooting the issue and decided to try a different client. I used an Android phone with FortiClient VPN, and everything worked correctly—traffic flowed in both directions, and all necessary VLANs were reachable via ping. The Phase 1 and Phase 2 settings are the same on both clients.