Article Id 349657
Description: This article describes how remote FortiClient users connected to a dialup IPsec VPN with split tunneling enabled can still reach specific Internet destinations through the tunnel.
Scope: FortiOS, FortiClient.
Solution

Split tunneling separates Internet traffic from traffic destined for the internal networks behind the FortiGate. When it is enabled, remote VPN users reach the Internet through their local ISP. When it is disabled, all traffic from remote VPN users passes through the FortiGate, so the necessary security settings can be applied and the traffic can be logged and monitored.

In some cases, specific Internet destinations must be reachable through the tunnel even though split tunneling is enabled. To allow such access, configure the following:

  1. Add the specific IPv4 Internet addresses to the address group used as Accessible Networks in the relevant dialup VPN settings.
  2. Create an additional firewall policy from the tunnel interface to the public interface with NAT enabled. The destination address of this policy must include that address group.

Example:


Assume the configured dialup VPN tunnel is named 'Test', split tunneling is enabled, the address group is named Test_split, port1 is the public interface, and port3 is the internal interface. The requirement is that only traffic to the Internet destination www.example.com (DNS resolves to 93.184.215.14) goes via the Test tunnel. All other Internet destinations go via the local ISP of the remote FortiClient user.

  1. In addition to Internal_Subnets (the port3 subnet), include 93.184.215.14 in the Test_split address group as follows (select VPN -> IPsec Tunnels -> Test -> Edit).

  2. Configure an additional firewall policy, Dialup_Internet, alongside the existing Dialup_Internal policy, with the Test_split group as its destination address and NAT enabled (select Policy & Objects > Firewall Policy).

Relevant CLI:


config vpn ipsec phase1-interface
    edit "Test"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Test"
        set xauthtype auto
        set authusrgrp "Guest-group"
        set assign-ip-from name
        set dns-mode auto
        set ipv4-split-include "Test_split"
        set ipv4-name "Test_SRC_Addresses"
        set save-password enable
        set psksecret ENC PxGTLs2CxA3FGMtB
    next
end

config firewall addrgrp
    edit "Test_split"
        set member "Example.com_Addr" "Internal_Subnets"
    next
end

config firewall address
    edit "Test_SRC_Addresses"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
    edit "Example.com_Addr"
        set subnet 93.184.215.14 255.255.255.255
    next
    edit "Internal_Subnets"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 3
        set name "Dialup_Internal"
        set srcintf "Test"
        set dstintf "port3"
        set action accept
        set srcaddr "Test_SRC_Addresses"
        set dstaddr "Test_split"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Dialup-Internet"
        set srcintf "Test"
        set dstintf "port1"
        set action accept
        set srcaddr "Test_SRC_Addresses"
        set dstaddr "Test_split"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Note: FQDN address objects are not allowed in the Test_split address group (the split-include group); however, they are allowed as the destination address in the relevant firewall policy.
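As an added example (not part of this article or of FortiOS), the following Python script parses a constructed CLI excerpt written in the same config/edit/set/next/end syntax as above, resolves the split-include group into the routes FortiClient would be pushed, flags any FQDN member (which the note above says is not permitted there), and reports whether a given destination would take the tunnel or the local ISP. The "Bad_FQDN" object is hypothetical and only included to show the check firing.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed FortiOS CLI excerpt built from the article's objects; the "Bad_FQDN"
# member is hypothetical, added to show how a disallowed FQDN object is reported.
SAMPLE = """\
config firewall addrgrp
    edit "Test_split"
        set member "Example.com_Addr" "Internal_Subnets" "Bad_FQDN"
    next
end
config firewall address
    edit "Example.com_Addr"
        set subnet 93.184.215.14 255.255.255.255
    next
    edit "Internal_Subnets"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Bad_FQDN"
        set type fqdn
        set fqdn "www.example.com"
    next
end
"""

def parse_fortios(text):
    """Flat config/edit/set/next/end parser -> {table: {entry: {key: [values]}}}."""
    cfg, table, entry = {}, None, None
    for line in text.splitlines():
        parts = shlex.split(line) or [None]   # shlex honours the quoted names
        if parts[0] == "config":
            table = cfg.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit":
            entry = table.setdefault(parts[1], {})
        elif parts[0] == "set":
            entry[parts[1]] = parts[2:]
    return cfg

def split_include_networks(cfg, group):
    """Resolve a split-include address group: (pushed networks, members rejected as FQDN)."""
    nets, rejected = [], []
    for name in cfg["firewall addrgrp"][group]["member"]:
        addr = cfg["firewall address"][name]
        if "subnet" in addr:
            nets.append(ip_network("/".join(addr["subnet"]), strict=False))
        else:  # FQDN objects cannot be pushed to FortiClient as split-include routes
            rejected.append(name)
    return nets, rejected

def route_for(dest, nets):
    """'tunnel' if dest is inside a pushed split-include route, otherwise 'local-isp'."""
    return "tunnel" if any(ip_address(dest) in n for n in nets) else "local-isp"
```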