FortiGate
Kush_Patel
Staff
Article Id 425184
Description This article describes how to create exclusions from a full-tunnel IPsec configuration using the 'ipv4-split-exclude'/'ipv6-split-exclude' option in FortiGate's IPsec mode-config VPN settings. It allows an administrator to tell the IPsec VPN client which IPv4/IPv6 traffic should be excluded from the IPsec tunnel. This means that the specified traffic will not be sent through the VPN and will instead be routed through the local network. In this scenario, a Zscaler web filtering client is expected to establish its connection through the local internet provider instead of through the IPsec tunnel to the FortiGate.
Scope FortiGate 7.0 and above.
Solution

The 'exclude' option in IPsec mode-config settings is useful for managing traffic flow and ensuring that only necessary data is sent through the VPN. The 'split-include' and 'split-exclude' settings can be specified at the same time.


For example, if the requirement is to send all intranet and internet traffic through the VPN tunnel except for one subnet, such as 100.64.0.0/16 (Zscaler Private Access), apply the changes below.


1. Create an address object/address group:


config firewall address
    edit "Zscaler_exclude"
        set subnet 100.64.0.0 255.255.0.0
    next
end


2. Add the above address object/address group to the IPsec Phase1 configuration using 'ipv4-split-exclude':


config vpn ipsec phase1-interface
    edit <IPSEC>
        set ike-version {1 | 2}
        set type dynamic
        set mode-cfg enable
        set ipv4-split-exclude "Zscaler_exclude"
    next
end


Before making the change, the routing table on the Windows IPsec VPN client machine, while connected through the tunnel, should look similar to:

C:\Users\fortinet> route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.44     40 (Local Default Route)
          0.0.0.0          0.0.0.0     10.147.174.2     10.147.174.1      2 (IPSEC VPN Route)
     10.147.174.1  255.255.255.255         On-link      10.147.174.1    257 (IPSEC VPN Route)
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331

After adding 'set ipv4-split-exclude "Zscaler_exclude"' in the IPsec dial-up tunnel configuration, a new local route is injected into the client routing-table.

C:\Users\fortinet> route print

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.44     35 (Local Default Route)
          0.0.0.0          0.0.0.0     10.147.174.2     10.147.174.1      2 (IPSEC VPN Route)
     10.147.174.1  255.255.255.255         On-link      10.147.174.1    257 (IPSEC VPN Route)
       100.64.0.0      255.255.0.0      192.168.0.1     192.168.0.44     35 (split-exclude local route)
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331

After connecting to the VPN, the routing table confirms that the route for 100.64.0.0/16 is installed via the local internet provider. All traffic goes through the VPN tunnel except traffic destined to 100.64.0.0/16, because the more specific /16 route wins over the VPN's default route.
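As an added example (not part of the original article), the following Python script parses the Windows 'route print' output shown above and checks that only the excluded prefix egresses via the local interface while any other destination still takes the VPN route. The sample routing table is constructed from the output above, and the probe address 203.0.113.7 is an assumption chosen as a destination outside the excluded range.

```python
import ipaddress
import re

# Constructed sample: the client's 'route print' output after split-exclude was applied.
ROUTE_PRINT_AFTER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.44     35 (Local Default Route)
          0.0.0.0          0.0.0.0     10.147.174.2     10.147.174.1      2 (IPSEC VPN Route)
     10.147.174.1  255.255.255.255         On-link      10.147.174.1    257 (IPSEC VPN Route)
       100.64.0.0      255.255.0.0      192.168.0.1     192.168.0.44     35 (split-exclude local route)
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
"""

# destination, netmask, gateway, interface, metric, optional trailing annotation
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(?:\(.*\))?\s*$")


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from IPv4 'route print' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator and title lines never match
        dest, mask, gw, iface, metric = m.groups()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes


def egress_interface(routes, destination):
    """Windows picks the longest matching prefix, then the lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]


def check_split_exclude(text, excluded, vpn_iface, local_iface, probe="203.0.113.7"):
    """True when the excluded prefix leaves via the local NIC and the probe still uses the VPN."""
    routes = parse_routes(text)
    excl = ipaddress.IPv4Network(excluded)
    has_exclude_route = any(r[0] == excl and r[2] == local_iface for r in routes)
    inside = egress_interface(routes, str(excl.network_address + 1))
    outside = egress_interface(routes, probe)
    return has_exclude_route and inside == local_iface and outside == vpn_iface


if __name__ == "__main__":
    print(check_split_exclude(ROUTE_PRINT_AFTER, "100.64.0.0/16", "10.147.174.1", "192.168.0.44"))
```

Run it against a fresh 'route print' capture from the client to confirm the exclusion is exactly the intended prefix and that nothing else bypasses the tunnel.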