Technical Tip: Forward traffic to public IP using IPsec VPN Dial-up Wizard

aleguizamon · ‎01-14-2025

Description

This article describes a situation where one specific IP needs to be accessed through FortiGate public IP, while keeping a split tunnel enabled in a Dial-up VPN.

Scope

FortiGate VPN.

Solution

In this example, remote users need to access a remote website that only allows FortiGate's public IP and a full-tunnel VPN is not a feasible option.

Create the Address Object type subnet for the destination IP:

Note:

The IPSec VPN does not support FQDN objects for split tunnels: Enable split-tunnel For IPsec VPN - Fortinet Community

Create IPSec VPN under VPN -> IPSec Wizard -> Remote Access -> Client-Based -> FortiClient:

Select the incoming interface, and add preshared-key and user group.
In the Local interface, select internal/LAN interface and wan interface.
In the local address, add the LAN subnet object and the website address created in step1.

Go to Firewall policies and adjust the destination address.

In the VPN to internal policy, remove the website address from the destination.
In the VPN to wan policy, remove the LAN address from the destination.

GILMENDO · ‎01-17-2025

Great job @aleguizamon thank you for your contribution!

MaryBolano · ‎01-17-2025

Amazing job @aleguizamon, Keep it up!!! ☺

JorgeMonroyPad · ‎01-17-2025

Great documentation, @aleguizamon!!! Keep it up!!!

Technical Tip: Forward traffic to public IP using IPsec VPN Dial-up Wizard

You are leaving our website