Sgagan
Staff
Article Id 378182
Description: This article describes how to configure an IPsec dial-up VPN tunnel with an external DHCP server on the FortiClient.
Scope: FortiGate, FortiClient.
Solution

GUI configuration:

  1. In this example, create a dial-up tunnel via the IPsec wizard by selecting 'custom' as the template type.
  2. Specify the parameters as shown in the screenshot below:

Sgagan_0-1740155780092.png

  3. Add the user group under the XAUTH settings.
  4. Make sure to disable 'Mode Config' in the IPsec Phase 1 settings.

Picture1.png

  5. Go to Network -> Interfaces and select the IPsec interface under the assigned WAN connection.

Picture2.png

  6. Change the addressing mode to manual with IP as 0.0.0.0 and Remote IP/Netmask as 0.0.0.0/0.0.0.0.
  7. Enable DHCP server and select advanced settings.
  8. Select 'Relay' as the mode, select 'IPsec' as the type, and specify the external DHCP server IP.

Picture3.png

  9. For the firewall policy, configure a policy from the IPsec interface to the internal interface, with the source set to the IP range reserved on the DHCP server and the destination set to the internal subnet.
  10. On the FortiClient, enable DHCP over IPsec in the advanced settings section:

Picture4.png

  11. Enable IPv4 split tunnel and specify the designated internal network subnet.

Picture5.png

  12. Save the configuration and log in with user credentials.
  13. Once connected, the address will be assigned from the external DHCP server.
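
To confirm after the fact that a FortiGate matches the steps above, the same settings can be checked in a configuration backup. The script below is an added example, not part of the original article or Fortinet's tooling. It assumes the tunnel interface carries the Phase 1 name, that the relevant blocks are flat config/edit/set blocks, and it uses a constructed sample with hypothetical names (`dialup-dhcp`, policy `7`).

```python
import shlex

# Constructed FortiOS backup excerpt (made-up names); Mode Config on and source "all" are deliberate faults.
SAMPLE = '''
config system interface
    edit "dialup-dhcp"
        set dhcp-relay-service enable
        set dhcp-relay-type ipsec
    next
end
config vpn ipsec phase1-interface
    edit "dialup-dhcp"
        set mode-cfg enable
    next
end
config firewall policy
    edit 7
        set srcintf "dialup-dhcp"
        set srcaddr "all"
    next
end
'''

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if words[:1] == ["config"]:
            section, entry = " ".join(words[1:]), None
        elif words[:1] == ["edit"]:
            entry = cfg.setdefault(section, {}).setdefault(words[1], {})
        elif words[:1] == ["set"] and entry is not None:
            entry[words[1]] = words[2:]
    return cfg

def audit(text, tunnel):
    """List where the tunnel's config departs from the steps in the article."""
    cfg, findings = parse(text), []
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(tunnel, {})
    intf = cfg.get("system interface", {}).get(tunnel, {})
    if p1.get("mode-cfg") == ["enable"]:
        findings.append("phase1: Mode Config is enabled")
    if (intf.get("dhcp-relay-service"), intf.get("dhcp-relay-type")) != (["enable"], ["ipsec"]):
        findings.append("interface: DHCP relay of type ipsec is not enabled")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if tunnel in pol.get("srcintf", []) and "all" in pol.get("srcaddr", []):
            findings.append(f"policy {pid}: source is 'all', not the reserved DHCP range")
    return findings
```

Calling `audit(SAMPLE, "dialup-dhcp")` returns the Mode Config and policy-source findings; an empty list means the three checked settings agree with the article. A full backup with nested blocks or multi-line quoted values needs a more complete parser than this one.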