Solution
This example uses an L2TP/IPsec VPN. With the default client settings, Windows installs a default route over the tunnel, so all traffic from the machine, including Internet traffic, is sent through the FortiGate.
To enable split tunneling on Windows 10:
- Open the properties of the L2TP connection under Control Panel\Network and Internet\Network Connections (right-click the VPN adapter and select Properties).
- In the VPN Connection Properties window, go to the Networking tab, select Internet Protocol Version 4 (TCP/IPv4), and select Properties.
- In the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Advanced.
- Clear the Use default gateway on remote network check box, select OK, and reconnect the VPN.
Results:
Windows no longer installs a default route over the tunnel. Instead, it automatically adds a single classful route derived from the IP address assigned to the tunnel interface (for example, a /8 for a 10.x.x.x address), so only that classful range is sent through the VPN while all other traffic, including Internet traffic, uses the local default gateway. Networks behind the FortiGate that fall outside that classful range need a route of their own (see the note below).

For Windows 11:
- Open Settings from the search bar.
- Go to Network & internet, then VPN.
- Select the VPN connection and select Advanced options.
- Under More VPN properties, select Edit.
- In the Properties window, go to the Networking tab, select Internet Protocol Version 4 (TCP/IPv4), select Properties, and then select Advanced.
- In Advanced TCP/IP Settings, go to IP Settings and clear the Use default gateway on remote network check box, then reconnect the VPN.

Note: This method stops the VPN client from injecting a default route through the tunnel interface, but it also means the client will not install any additional routes that the FortiGate advertises with DHCP option 121 (classless static routes) unless DHCP over IPsec is enabled on the tunnel. To enable split tunneling to other remote subnets:
- After adding the subnets as DHCP option 121 routes, enable the dhcp-ipsec option in the IPsec phase 2 configuration with the following commands:
    config vpn ipsec phase2-interface
        edit <tunnel_phase2_name>
            set dhcp-ipsec enable
        next
    end
For more information on adding IP subnets using DHCP option 121, refer to Technical Tip: Split tunneling on L2TP/IPsec VPN between FortiGate and Windows 10.
If users are unable to access the Internet after applying the above configuration, follow the steps outlined in Technical Tip: Resolving internet connectivity issues with L2TP.
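The same client-side change, and a way to add routes for the other remote subnets without relying on DHCP option 121, can be scripted with the built-in VpnClient PowerShell cmdlets. This is an added example and not part of the original tip or of Fortinet's own documentation; it assumes a per-user VPN profile named "FortiGate L2TP" and two placeholder corporate networks, 10.10.0.0/16 and 192.168.100.0/24, all of which should be replaced with your own values.

```powershell
# Added example: configure split tunneling for an L2TP/IPsec profile from
# PowerShell instead of the Control Panel / Settings GUI.
# Assumed placeholders: profile name and remote subnets below are examples only.

$ConnectionName = 'FortiGate L2TP'
$RemoteSubnets  = @('10.10.0.0/16', '192.168.100.0/24')

# Current state. SplitTunneling = False corresponds to "Use default gateway on
# remote network" being ticked, i.e. all traffic is sent through the FortiGate.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling

# Equivalent of clearing "Use default gateway on remote network": the client
# will no longer install a 0.0.0.0/0 route over the tunnel interface.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# With split tunneling on, Windows only adds the classful route for the tunnel's
# assigned IP. Pin the other remote subnets to the profile; Windows installs
# these routes every time the connection comes up. (Add-VpnConnectionRoute
# refuses to run while SplitTunneling is still False.)
foreach ($prefix in $RemoteSubnets) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Reconnect and verify. The VPN interface takes the connection name as its
# alias, so the output should list the remote subnets via the tunnel and no
# 0.0.0.0/0 entry on it; Internet traffic keeps using the local gateway.
rasdial $ConnectionName   # prompts for credentials if they are not saved
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -eq $ConnectionName } |
    Select-Object DestinationPrefix, NextHop, RouteMetric
```

If the connection was created as an all-user profile (the "Allow other people to use this connection" option), add -AllUserConnection to the Get-, Set- and Add-VpnConnectionRoute calls. Routes added this way live on the client profile, so they are an alternative to pushing them from the FortiGate with DHCP option 121; they do not replace the dhcp-ipsec setting when the FortiGate is the intended source of the routes.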