Description
An understanding of how routes are populated in FortiClient SSL VPN Tunnel Mode is useful in order to avoid configuration issues where some networks cannot be accessed due to missing routes.
Scope
FortiClient SSL VPN + FortiOS 4.3, 5.0, 5.2
Solution
In FortiOS 5.0 routes are populated based on destinations included in the SSL VPN auth policy (with action ssl-vpn) and are not based on tunnel access policies (with ssl.root interface).
[Protected networks] --- [FortiGate] --- <SSL VPN TUNNEL MODE> --- [FortiClient]
Add all accessed (protected) networks to auth policy as a destination; only these destinations will be populated to the SSL VPN client routing table when split-tunneling is enabled.
The situation is more intuitive in FortiOS 5.2 where on the "VPN > SSL > Portals" page the "Routing Address" can be explicitly defined as shown below:
[Protected networks] --- [FortiGate] --- <SSL VPN TUNNEL MODE> --- [FortiClient]
Add all accessed (protected) networks to auth policy as a destination; only these destinations will be populated to the SSL VPN client routing table when split-tunneling is enabled.
The situation is more intuitive in FortiOS 5.2 where on the "VPN > SSL > Portals" page the "Routing Address" can be explicitly defined as shown below:
