FortiClient
haljawhari
Staff
Description
In some scenarios, the mode config option is disabled on a dialup client-to-site IPsec VPN tunnel.
The assigned IP address, DNS server and split tunnel addresses are then set manually.
However, the split tunnel option is not visible in the GUI of the Mac OS version of FortiClient.

This article describes how to configure split tunnel addresses on Mac OS when the options are set manually.

Solution
The solution is to add the split tunnel routing addresses by editing the tunnel settings in the FortiClient configuration file and restoring the file after making the changes.

NOTE.
The same configuration works on the Windows version of FortiClient.
The Mac OS version is mentioned explicitly because the feature is not visible in that platform’s FortiClient GUI.


NOTE.
FortiClient requires 'Full Disk Access' permission in the Mac OS Privacy settings for the configuration restore feature to work.
Refer to the FortiClient Mac OS release notes for more details.


1) Download the FortiClient configuration backup (XML file) from the FortiClient settings.
2) Open the file using a text editor (e.g. Notepad++).
3) Search for the IPsec tunnel name.
4) Add the split tunnel addresses under the <remote_networks> tag of the required tunnel.
Each address is added in its own <network> tag, as in the example below (the <remote_networks> block is the split tunnel configuration; unrelated parts of the configuration are omitted for simplicity):



<ipsecvpn>
    <options>
        …
        …
    </options>
    <connections>
        …
        …
        <connection>
            <name>IPSEC_TUNNEL_1</name>
            <type>manual</type>
            <ike_settings>
                …
                …
            </ike_settings>
            <ipsec_settings>
                <!-- split tunnel configuration: one <network> per routed subnet -->
                <remote_networks>
                    <network>
                        <addr>172.16.100.0</addr>
                        <mask>255.255.255.0</mask>
                    </network>
                    <network>
                        <addr>172.16.120.0</addr>
                        <mask>255.255.255.240</mask>
                    </network>
                </remote_networks>
                …
                …
            </ipsec_settings>
            …
            …
        </connection>
        …
        …
    </connections>
</ipsecvpn>
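
The manual edit in steps 3 and 4 can also be scripted, which avoids a mistyped mask or a duplicated entry before the file is restored. The Python below is an added example, not Fortinet tooling or code from the original article; the function name add_split_networks and the sample XML are constructed for illustration, and it assumes a plain XML backup with the element layout shown above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the article's snippet (a real backup has many more elements).
SAMPLE = """<ipsecvpn><connections><connection>
  <name>IPSEC_TUNNEL_1</name>
  <type>manual</type>
  <ipsec_settings>
    <remote_networks>
      <network><addr>172.16.100.0</addr><mask>255.255.255.0</mask></network>
    </remote_networks>
  </ipsec_settings>
</connection></connections></ipsecvpn>"""


def add_split_networks(xml_text, tunnel_name, cidrs):
    """Return (new_xml, added): each CIDR becomes a <network> under the named tunnel."""
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("connection")
                 if (c.findtext("name") or "").strip() == tunnel_name), None)
    if conn is None:
        raise ValueError(f"tunnel {tunnel_name!r} not found")
    settings = conn.find("ipsec_settings")
    if settings is None:
        raise ValueError("tunnel has no <ipsec_settings> element")
    remote = settings.find("remote_networks")
    if remote is None:
        remote = ET.SubElement(settings, "remote_networks")
    # Index what is already configured so that re-running the script adds nothing twice.
    existing = set()
    for n in remote.findall("network"):
        addr, mask = n.findtext("addr", "").strip(), n.findtext("mask", "").strip()
        existing.add(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    added = []
    for cidr in cidrs:
        # strict=True (the default) rejects an address with host bits set, e.g. 172.16.120.5/28.
        net = ipaddress.IPv4Network(cidr)
        if net in existing:
            continue
        node = ET.SubElement(remote, "network")
        ET.SubElement(node, "addr").text = str(net.network_address)
        ET.SubElement(node, "mask").text = str(net.netmask)
        existing.add(net)
        added.append(str(net))
    return ET.tostring(root, encoding="unicode"), added


if __name__ == "__main__":
    new_xml, added = add_split_networks(SAMPLE, "IPSEC_TUNNEL_1", ["172.16.100.0/24", "172.16.120.0/28"])
    print("added:", added)
    print(new_xml)
```

Work on a copy of the downloaded backup and compare it with the original before restoring it in FortiClient.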
