FortiGate
carabhavi
Staff
Article Id 192266

Description

This article describes how to enable or disable split tunneling for an IPsec dial-up VPN on a FortiGate.

 

Scope

FortiGate.

Solution

Enable this option while creating the VPN tunnel with the IPsec wizard (Remote Access template).

When split tunneling is enabled, only traffic destined for the networks listed under 'Accessible Network' is routed through the VPN tunnel; everything else, including the client's internet traffic, leaves the client directly through its local interface. When it is disabled, the client receives a default route and all of its traffic passes through the tunnel, where the FortiGate's firewall policies can inspect it. Decide deliberately: split tunneling reduces load on the FortiGate, but it leaves the client's internet traffic outside the firewall's inspection.

If the option was missed in the wizard, or needs to be enabled or disabled after the tunnel has been created, follow these steps:

Go to VPN -> IPsec Tunnels, edit the respective tunnel, and under 'Network' select the 'Enable IPv4 Split Tunnel' checkbox and specify the internal subnet(s) under 'Accessible Network'.
Note: The 'all' address cannot be used under 'Accessible Network'. It pushes 0.0.0.0/0 to the client, so the split tunnel will not work and all traffic is sent through the tunnel.
 
The placement of this option in the GUI differs slightly between older and newer FortiOS versions, but the setting itself is the same.

Enable this via CLI. The ipv4-split-include setting is only available when mode-cfg is enabled on the phase1-interface (the wizard enables it for dial-up tunnels); its value is the address or address group object holding the accessible networks:

config vpn ipsec phase1-interface
    edit DialUPVPN
        set mode-cfg enable
        set ipv4-split-include "DialUPVPN_split"
    next
end

To disable split tunneling again and send all client traffic through the tunnel, remove the setting from the phase1-interface (unset ipv4-split-include).

Important:
  1. The address object used for 'Accessible Networks' must be of type subnet. IP range objects are not supported: the FortiGate ignores the range and, instead of pushing the range, pushes a default route to the client, which overrides the split tunnel setting.

The IKE debug (diagnose debug application ike -1) contains the following error when an IP range is used:

mode-cfg ignoring range 0:10.0.1.240-10.0.1.254:0, only ip/subnet supported


  2. Make sure the group object set in 'Accessible Networks' contains only the specific local networks the VPN client needs to reach, never 'all'. If 'all' is a member of that group, the FortiGate injects the default route 0.0.0.0/0 on the client machine and all of its traffic passes through the VPN tunnel. Listing only the networks the clients actually need also keeps the tunnel to least privilege.

 

Accessing an FQDN via IPsec split tunnel:

The IPsec split tunnel has no option to push FQDN address objects to VPN users; it can only push network subnets.
To reach a host by FQDN through the split tunnel, resolve the FQDN and add the resulting IP address(es) manually, as subnet type address objects, to the accessible networks of the IPsec tunnel configuration. Because the addresses behind an FQDN can change, re-check the resolution whenever clients lose access to that host.
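The following Python helper is an added example, not part of this article or of FortiOS. It turns a list of internal subnets plus the addresses resolved out of band for each FQDN into the FortiOS CLI for subnet address objects, an address group and the ipv4-split-include setting on the phase1-interface, and it refuses the two inputs the notes above warn about: IP ranges (ignored by mode-cfg) and 'all' or 0.0.0.0/0 (a default route, so a full tunnel). The tunnel name DialUPVPN, the group name DialUPVPN_split, the FQDNs and their resolved addresses are constructed sample data, and the object-naming scheme is the example's own.

```python
"""Generate FortiOS CLI for an IPsec dial-up split tunnel accessible-network list.

Added example, not from the Fortinet article. The FortiGate cannot push FQDNs
to split-tunnel clients, so host names are resolved out of band and the
resulting addresses are written as /32 subnet objects, grouped, and attached
to the phase1-interface with ipv4-split-include.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample data (not from the article): what a DNS lookup of each
# FQDN returned when the list was built, plus an internal subnet. Real
# deployments must refresh these, since addresses behind an FQDN change.
SAMPLE_RESOLVED: Dict[str, List[str]] = {
    "intranet.example.com": ["10.10.20.5"],
    "files.example.com": ["10.10.30.8", "10.10.30.7"],
}
SAMPLE_INTERNAL_SUBNETS = ["192.168.50.0/24"]


def validate_split_networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Accept only what mode-cfg split-include can push: IPv4 subnets.

    Rejects IP ranges (the FortiGate logs 'mode-cfg ignoring range ...' and
    installs a default route instead) and 'all' / 0.0.0.0/0 (a default route
    pushed to the client, i.e. no split at all).
    """
    nets = []
    for entry in entries:
        text = entry.strip()
        if text.lower() == "all":
            raise ValueError("'all' pushes 0.0.0.0/0 to the client: full tunnel, not split")
        if "-" in text:
            raise ValueError(f"{text}: IP ranges are ignored by mode-cfg; use a subnet")
        net = ipaddress.IPv4Network(text, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{text}: 0.0.0.0/0 pushes a default route: full tunnel, not split")
        nets.append(net)
    return nets


def fqdn_hosts_to_networks(resolved: Dict[str, List[str]]) -> List[str]:
    """Turn the resolved addresses of each FQDN into /32 host subnets.

    Duplicates are collapsed and the list is sorted so that re-running the
    tool after a fresh resolution produces a stable, diffable CLI script.
    """
    hosts = {ipaddress.IPv4Network(f"{ip}/32") for ips in resolved.values() for ip in ips}
    return [str(net) for net in sorted(hosts)]


def render_fortios_cli(tunnel: str, networks: List[str], group: Optional[str] = None) -> str:
    """Emit FortiOS CLI: one subnet address object per network, an address
    group collecting them, and ipv4-split-include on the phase1-interface.

    Object names (<group>_<network>_<prefixlen>) are this example's own
    convention, not a FortiGate default.
    """
    group = group or f"{tunnel}_split"
    nets = validate_split_networks(networks)
    members: List[str] = []
    out = ["config firewall address"]
    for net in nets:
        name = f"{group}_{net.network_address}_{net.prefixlen}"
        members.append(name)
        out += [
            f'    edit "{name}"',
            "        set type ipmask",
            f"        set subnet {net.network_address} {net.netmask}",
            "    next",
        ]
    out.append("end")
    out += [
        "config firewall addrgrp",
        f'    edit "{group}"',
        "        set member " + " ".join(f'"{m}"' for m in members),
        "    next",
        "end",
        "config vpn ipsec phase1-interface",
        f'    edit "{tunnel}"',
        "        set mode-cfg enable",
        f'        set ipv4-split-include "{group}"',
        "    next",
        "end",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    networks = SAMPLE_INTERNAL_SUBNETS + fqdn_hosts_to_networks(SAMPLE_RESOLVED)
    print(render_fortios_cli("DialUPVPN", networks))
```

The generated script can be pasted into the FortiGate CLI; because every member is a subnet object and the validator rejects ranges and the 'all' object, the resulting ipv4-split-include cannot silently collapse into a default route. Remember that connected clients are disconnected when the tunnel configuration changes and only receive the new list on reconnect.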

 

Note: Changing the IPsec VPN configuration while users are connected will disconnect them; they will need to reconnect, and only then do they receive the updated split tunnel routes.