2) Change the subnet mask of the IPsec client address range (mode-config) from the default /32 (255.255.255.255) to /24 or /16, so that the assigned addresses belong to one common client subnet.
3) Under Split tunnel -> Accessible networks, add an address object that covers the client IP range, with address type Subnet and the same /24 or /16 mask. Only Subnet-type addresses are pushed to the clients as routes; a Range-type address is not.
For this, create a new firewall address of type Subnet, for example 10.10.10.0/24 (where 10.10.10.0/24 is the client IP range), and add it to the address group used as the accessible network (in the example: dailup_split).
4) Finally, create an IPv4 policy with the VPN tunnel interface as both incoming and outgoing interface and the client subnet address as both source and destination (Policy & Objects -> IPv4 Policy -> Create New). Traffic from one dial-up client to another enters and leaves the FortiGate on the same tunnel interface, so this intra-interface policy is what allows it to be forwarded.
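The CLI equivalent of steps 2 to 4, as an added example that is not part of the original article. The tunnel name "dialup_vpn", the address name "dialup_clients", the WAN interface "wan1", the client pool 10.10.10.1-10.10.10.50 and the pre-shared key placeholder are assumptions; "dailup_split" is the group name used in the article's own example.

```fortios
# Added example, not from the original article. Assumed names: tunnel "dialup_vpn",
# address "dialup_clients", group "dailup_split" (name used in the article), WAN "wan1".

# Step 2: dial-up phase1 with mode-config. The client pool is carved from 10.10.10.0/24
# and the netmask is changed from the default 255.255.255.255 (/32) to /24.
config vpn ipsec phase1-interface
    edit "dialup_vpn"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "dailup_split"
        # set psksecret <pre-shared-key>   (placeholder: supply your own key)
    next
end

# Phase2 for the dial-up tunnel (assumed to exist already; defaults of 0.0.0.0/0 are fine)
config vpn ipsec phase2-interface
    edit "dialup_vpn_p2"
        set phase1name "dialup_vpn"
    next
end

# Step 3: Subnet-type address covering the whole client range, added to the split-tunnel group.
# A Range-type address (type iprange with start-ip/end-ip) would NOT be pushed to the
# clients as a route, so it must be type ipmask (Subnet).
config firewall address
    edit "dialup_clients"
        set type ipmask
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "dailup_split"
        append member "dialup_clients"
    next
end

# Step 4: policy with the tunnel interface as both ingress and egress and the client
# subnet as both source and destination. Policies for client-to-LAN traffic are assumed
# to exist separately and are not shown.
config firewall policy
    edit 0
        set name "dialup_client_to_client"
        set srcintf "dialup_vpn"
        set dstintf "dialup_vpn"
        set srcaddr "dialup_clients"
        set dstaddr "dialup_clients"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Keep the policy restricted to the client subnet as source and destination; opening it to "all" would also allow a dial-up client to reach anything else routed via the tunnel interface.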
After this, the clients can communicate with each other, which can be confirmed with a few simple tests:
Check ping between clients:
Check the packet sniffer:
Check the debug flow:
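FortiGate CLI commands for the sniffer and debug flow checks above, as an added example that is not the article's own output. The tunnel interface name "dialup_vpn" and the two client addresses 10.10.10.2 and 10.10.10.3 are assumptions.

```fortios
# Added example, not from the original article. Assumed: two dial-up clients
# 10.10.10.2 and 10.10.10.3 pinging each other through tunnel interface "dialup_vpn".

# Packet sniffer: with verbosity 4 the interface names are shown, so the ICMP request
# should be seen arriving on dialup_vpn and leaving on dialup_vpn again (hairpin).
diagnose sniffer packet any 'host 10.10.10.2 and host 10.10.10.3 and icmp' 4 0 l

# Debug flow: trace the ping and confirm it matches the client-to-client policy
# ("Allowed by Policy-<id>") instead of being dropped for a missing policy or route.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.10.10.2
diagnose debug flow filter daddr 10.10.10.3
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... start the ping from 10.10.10.2 to 10.10.10.3, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
```

If the debug flow shows the packet being denied by the implicit policy, the intra-interface policy from step 4 is missing or does not match the client subnet; if the client never sends the ping into the tunnel at all, check the client's routing table for the split-tunnel subnet.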
Important: do not use a Range-type address object as the split-tunnel accessible network for dial-up clients. Create a new Subnet-type firewall address and add it to the split tunnel address group.
If the address is not a subnet, it is not added to the routing table of the dial-up clients.
Check the routing table on the clients to confirm that the route for the client subnet has been added.