Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff

Created on ‎05-28-2020 11:16 PM Edited on ‎08-12-2025 02:36 PM By Staff

Article Id 192266

Technical Tip: Enable split-tunnel For IPsec VPN

Description

 

This article describes how to enable/disable split tunnel for IPsec dial-up VPN.

 

Scope

 

FortiGate.

Solution

 

Enable this feature while configuring the VPN tunnel via wizard as shown below.

 
If this option is enabled, then only internal traffic will be routed via the VPN tunnel.
If this option has been missed, and to re-enable or disable this option after configuring the tunnel, follow these steps:

Go to VPN -> IPSec Tunnels, edit the respective tunnel under 'Network', select the 'Enable IPv4 Split Tunnel' checkbox, and specify the internal subnet under 'Accessible Network'.
Note: The 'all'  subnet can not be used under 'Accessible Network' for the Split tunnel configuration, as the split tunnel will not work. 
 
1111.jpg
 
It may resemble the one above in an older edition, and it will resemble the one below in the most recent one.
 
accessiblenetwkipscvpn.PNG
 
Enable/disable this via CLI: 
 
config vpn ipsec phase1-interface
    edit DialUPVPN
        set ipv4-split-include "DialUPVPN_split"
end
 
Important:
  1. The 'Accessible Networks' Address needs to be of the subnet type - using an IP range is not supported, and will ignore the split tunnel enable settings by adding a default route instead of the range (if only one PC needs to be configured here, use /32 as the network mask).

 

Stephen_G_1-1696003829481.png

 

IKE debug will contain the following error when using IP ranges:

 

mode-cfg ignoring range 0:10.0.1.240-10.0.1.254:0, only ip/subnet supported

 

  1. If more than one local network needs to be allowed or just specific servers, an address group can be used instead of the address object.
  2. Make sure the group object set in 'Accessible Networks' includes the specific local network that the VPN client needs to reach instead of 'all'. If 'all' is included in that group, the VPN client will inject the default route 0.0.0.0 to the client machine and pass all traffic through the VPN tunnel.

 

Accessing FQDN via IPsec Split tunnel:

IPsec Split tunnel does not have a direct option to push FQDN networks to VPN users. It has the option to push network subnets only.
To get access to FQDN via the IPsec Split tunnel, the network IPs of the FQDN need to be manually added to the accessible network of the IPsec tunnel configuration.

This issue occurs when an FQDN-type address object is added to the address group defined in the ipv4-split-include configuration. 

The issue has been reported with a known issue ID 1134882 and is planned to be resolved in v7.4.8.

Troubleshooting Tip: ipv4-split-include setting Disappears When Editing Address Group in IPsec VPN

 

Note:

Configuring changes in the IPsec VPN while a user/s is connected, will disconnect them and will need to reconnect.

 

Related documents:

80611
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.