FortiGate
syordanov
Staff
Article Id 195645

Description


This article describes how to set up split tunneling on an L2TP/IPsec VPN between FortiGate and Windows 10/11. 

FortiOS does not support split tunnelling unless FortiClient is used. 

 

To enable L2TP split tunnelling directly on a Windows 10/11 host, see: Technical Tip: How to enable split-tunnelling in Windows 10/11 (L2TP/PPTP VPN)

 

Some users have mixed environments in which the OS native VPN client must be used.

 

Related documents:
IP to HEX: https://codebeautify.org/ip-to-hex-converter
HEX to IP: https://codebeautify.org/hex-to-ip-converter
Decimal to IP: https://codebeautify.org/decimal-to-ip-converter

 

Scope

 

FortiGate v7.0.1 and above.

 

Solution

 

L2TP VPN over IPsec is still used in many environments, and some users want split tunneling when L2TP VPN over IPsec is configured.

 

If the traditional approach is used, clients in the configured L2TP range can access only IP addresses from that range, because the firewall does not push any additional routes.

 
This can be solved by using a DHCP server configured on the L2TP interface with option 121.
 
Starting with FortiOS v7.0.1, it is possible to configure DHCP on L2TP by specifying a range.
 
Topology example.
 
 
Configure L2TP over an IPsec tunnel from the GUI.
 
Configure a user; in this example, 'FW user authentication' will be used:
  1. Go to User & Authentication -> User Definition and select 'Create New'.
  2. Select 'Local User' and select 'Next'.
  3. Enter the user name, in this case, 'l2tpuser'.
  4. Select 'Next' to finish.
 
The newly created user will be included in the user group 'l2tp_usergroup':
 
  5. Create an L2TP VPN using the built-in VPN wizard.
  6. As the local interface and addresses, configure the IP addresses and interfaces that remote VPN users need to reach, for example, 'port2' and 'port3' of the FortiGate.
 
This wizard creates two policy rules from the 'l2tp.root' interface to 'port2' and 'port3', but with this configuration the remote VPN users can access only the 192.168.60.0/24 network, and no other routes are received.
For that reason, DHCP can be configured on the 'l2tp.root' interface with option 121, which is only possible from FortiOS v7.0.1 onwards.
 
  7. Configure the IP address for the 'l2tp.root' interface, using the first usable IP address from the L2TP range. Make sure to set the Remote IP/Netmask to the second usable IP address from the L2TP range; otherwise, the route to the L2TP subnet will not be added and the split-tunnel route will fail to be pushed.
  8. Enable the DHCP server, set the lease address range to 0.0.0.0-0.0.0.0, and select 'Advanced'.
  9. Under additional DHCP options, select 'Create New'.
 
 
Option 121 will push static routes from DHCP. This option uses the hexadecimal representation of decimal values. Option 121 defines the following:
  • Subnet Mask (in CIDR notation) – Specifies the prefix length (e.g., /24, /16, /8).

  • Destination Subnet – The network address corresponding to the prefix length.

  • Next Hop – The gateway IP address the client should use to reach the destination subnet.

 
The final hexadecimal format is created by placing the hexadecimal values of subnet mask, destination subnet, and next-hop IP one after another with no separators.
 
<mask> <destination subnet> <next hop IP>
 
The destination subnet is written in a shortened form, but it can only be shortened to whole bytes (8 bits). It cannot stop in the middle of a byte. If the CIDR mask ends partway through a byte, the subnet is extended to the next full byte, and the remaining bits are filled with zeros.
 

Below are three examples for three different routes with their hex values on the right side. Spaces are added to make them easier to read:

 

   192.0.0.0/8 via 192.168.2.1   → 08 C0 C0A80201
   192.0.0.0/16 via 192.168.2.1 → 10 C000 C0A80201
   192.0.0.0/20 via 192.168.2.1 → 14 C00000 C0A80201


In the above examples, extra zeros can be seen in the destination subnet part. These zeros are added because the subnet must include the entire byte in which the CIDR mask ends. Even though the added bits are all zero, they still make the encoded output longer.

In short, subnets are shortened, but only to full bytes. When the mask doesn’t line up exactly, zeros are added to reach the next byte boundary.

 
In this case, the following two static routes are pushed:
 
192.168.2.0/24 via 192.168.60.1 and 192.168.1.0/24 via 192.168.60.1, which are the networks connected to port2 and port3.
 
Route 1: 192.168.2.0/24 via 192.168.60.1 converted to HEX value:
 
Decimal value      HEX value
/24                18
192.168.2.0        C0A802
192.168.60.1       C0A83C01
 
192.168.2.0/24 via 192.168.60.1 -> 18C0A802C0A83C01
 
Route 2: 192.168.1.0/24 via 192.168.60.1 converted to HEX value:
 
Decimal value      HEX value
/24                18
192.168.1.0        C0A801
192.168.60.1       C0A83C01
 
192.168.1.0/24 via 192.168.60.1 -> 18C0A801C0A83C01
 
Final HEX value:
 
18C0A802C0A83C0118C0A801C0A83C01
 
DHCP option 121 calculators can be used to obtain the HEX value of the static routes.
 
To push more than 2 routes, just add the third HEX-converted route after the last one.
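The encoding rules described above (prefix length, destination trimmed to whole bytes, next hop, no separators) and the two-route conversion worked through in this article can be reproduced and checked with the following Python script. This is an added example, not Fortinet code; it also decodes an existing 'set value' string back into routes, and rejects a destination whose host bits are not zero, since option 121 carries network addresses only.

```python
import ipaddress
import math


def encode_route(destination: str, next_hop: str) -> str:
    """Encode one route as <prefix length><significant destination octets><next hop>."""
    # strict=True rejects a destination with host bits set (e.g. a /22 whose third
    # octet is not a multiple of 4): option 121 carries network addresses only.
    net = ipaddress.IPv4Network(destination, strict=True)
    gw = ipaddress.IPv4Address(next_hop)
    significant = math.ceil(net.prefixlen / 8)  # destination is trimmed to whole bytes
    payload = bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed
    return payload.hex().upper()


def encode_option121(routes) -> str:
    """Concatenate any number of (destination, next_hop) routes with no separators."""
    return "".join(encode_route(dst, gw) for dst, gw in routes)


def decode_option121(hex_value: str):
    """Parse a hex option 121 value back into a list of (destination, next_hop)."""
    data = bytes.fromhex(hex_value)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        n = math.ceil(prefixlen / 8)
        dest = data[i + 1:i + 1 + n].ljust(4, b"\x00")  # re-pad the trimmed octets
        gw = data[i + 1 + n:i + 5 + n]
        if prefixlen > 32 or len(gw) != 4:
            raise ValueError(f"malformed route entry at offset {i}")
        # strict=True raises if the encoded destination is not a network address
        net = ipaddress.IPv4Network((dest, prefixlen), strict=True)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
        i += 5 + n
    return routes


if __name__ == "__main__":
    # The two routes from this article: both networks reachable via 192.168.60.1.
    routes = [("192.168.2.0/24", "192.168.60.1"), ("192.168.1.0/24", "192.168.60.1")]
    value = encode_option121(routes)
    print(f'set value "{value}"')   # 18C0A802C0A83C0118C0A801C0A83C01
    print(decode_option121(value))  # round-trips to the two routes above
```

The string returned by encode_option121 is what goes into 'set value' under 'config options' for code 121.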
 
From the CLI:
 
config system dhcp server
    edit 1
        set default-gateway 192.168.60.1
        set netmask 255.255.255.255
        set interface "l2tp.root"
        config options
            edit 1
                set code 121
                set value "18C0A802C0A83C0118C0A801C0A83C01"
            next
        end
    next
end

 

Windows 10 output:

 


 

If, after connecting to the L2TP VPN, the routes are not shown, one possible solution is to split the networks into smaller routes.

For example, if the route 172.16.1.0/22 via 192.168.89.1 is being pushed, the hex should be '16AC1001C0A85901'.

 

If this is not working, try pushing routes for:

  • 172.16.1.0/24 via 192.168.89.1.
  • 172.16.2.0/24 via 192.168.89.1.
  • 172.16.3.0/24 via 192.168.89.1.

 

In this case, the hex value for the DHCP Option 121 will now look like '18AC1001C0A8590118AC1002C0A8590118AC1003C0A85901'.

 

Related article:

Technical Tip: How to connect Windows 10 client to L2TP VPN network

 

Note:

In some scenarios, configuring split tunneling may result in clients losing internet connectivity via their local NIC adapter. To troubleshoot this issue, inspect the routing table on the host after establishing the L2TP tunnel connection.

 

Verify that the route is directed to the local adapter. If the default route points to the L2TP tunnel instead, review the following configuration settings in the L2TP tunnel adapter:

 


 

  1. Open the adapter's Properties.
  2. In the Networking tab, select Internet Protocol Version 4 (TCP/IPv4) and select 'Properties'.
  3. Select 'Advanced'.
  4. Under IP settings, ensure that the option 'Use default gateway on remote network' is unchecked (by default, it is checked).

 

Once the change is made, the L2TP connection must be re-established for the changes to take effect.