FortiGate
abalachandran
Article Id 342738
Description

This article describes unsupported Address Types for Remote Access VPN Split Tunnel.

Scope

FortiGate.
Solution
  1. FortiGate only supports address objects of type 'subnet' for remote access VPN split tunneling. This can be observed during configuration: when using the wizard, only 'subnet' address members are added to the automatically created group, and when configuring manually, only 'subnet' addresses and address groups are listed as options for split tunneling.
  2. However, some users may find that once the initial IPsec configuration has been completed, it is possible to add address objects of other types (not 'subnet') directly into the address group referenced under ipv4-split-tunnel.

Example (two screenshots of the split-tunnel address group configuration, not reproduced here):

In the example above, the user manually added members of type FQDN to the address group after the group had already been referenced by the split tunnel parameter. Two FQDN addresses (FQDN02 and IPSEC_FQDN_Test) were added to the group.

 

As expected, the FortiGate does not advertise the unsupported address types to the remote user.

Observation from the user machine once the dialup tunnel gets formed:

 

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.47.15.254 10.47.3.139 16
10.47.0.0 255.255.240.0 On-link 10.47.3.139 271
10.47.3.139 255.255.255.255 On-link 10.47.3.139 271
10.47.15.255 255.255.255.255 On-link 10.47.3.139 271
10.100.0.10 255.255.255.255 On-link 10.100.0.10 257
10.136.0.0 255.255.240.0 10.100.0.11 10.100.0.10 1 -------------> Only route added for split tunnel via dialup.

 

FortiGate IKE debug:


ike 0:TestDialup_0:28: mode-cfg assigned (1) IPv4 address 10.100.0.10
ike 0:TestDialup_0:28: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike 0:TestDialup_0:28: mode-cfg send (13) 0:10.136.0.0/255.255.240.0:0

 

The output in the scenario above shows that only the subnet type address from the address group is advertised by the FortiGate to the dial-up user. In this scenario, 10.136.0.0/255.255.240.0 is the subnet configured under the 'LAN' address object, which is a member of the 'TestDialup_split' address group. This is the expected behavior.
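The following Python script is an added example and is not part of the Fortinet article or a FortiGate feature. It reproduces the check an administrator would otherwise do by eye: it parses a FortiGate CLI excerpt for the address objects and the split-tunnel address group, predicts which members will be pushed to the dial-up client (only type 'subnet') and which will be silently ignored (FQDN or any other type), then cross-checks the prediction against the "mode-cfg send (13)" lines of the IKE debug. The configuration excerpt and the FQDN values inside it are constructed to match the scenario described above; the IKE debug lines are the ones shown in the article.

```python
import re
import shlex

# Constructed FortiGate CLI excerpt (not from the article): one 'subnet'
# object plus two FQDN objects in the split-tunnel group, mirroring the mix
# the article describes. The FQDN values are placeholders.
SAMPLE_CONFIG = """\
config firewall address
    edit "LAN"
        set subnet 10.136.0.0 255.255.240.0
    next
    edit "FQDN02"
        set type fqdn
        set fqdn "fqdn02.example.invalid"
    next
    edit "IPSEC_FQDN_Test"
        set type fqdn
        set fqdn "ipsec-test.example.invalid"
    next
end
config firewall addrgrp
    edit "TestDialup_split"
        set member "LAN" "FQDN02" "IPSEC_FQDN_Test"
    next
end
"""

# IKE debug lines as shown in the article.
SAMPLE_IKE_DEBUG = """\
ike 0:TestDialup_0:28: mode-cfg assigned (1) IPv4 address 10.100.0.10
ike 0:TestDialup_0:28: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike 0:TestDialup_0:28: mode-cfg send (13) 0:10.136.0.0/255.255.240.0:0
"""

# Attribute 13 in mode-cfg carries a split-tunnel network as net/mask.
MODE_CFG_SEND = re.compile(
    r"mode-cfg send \(13\) 0:(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+):0"
)


def parse_config(text):
    """Return (addresses, groups) from a FortiGate CLI excerpt.
    addresses: name -> {"type": str, "subnet": "net/mask" or None}
    groups:    name -> [member names]"""
    addresses, groups = {}, {}
    section = name = None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # honours the quoted names
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            section = " ".join(tokens[1:])
        elif cmd == "edit":
            name = tokens[1]
            if section == "firewall address":
                # An address object defaults to type 'subnet' when no type is set.
                addresses[name] = {"type": "subnet", "subnet": None}
            elif section == "firewall addrgrp":
                groups[name] = []
        elif cmd == "set" and name is not None:
            key, values = tokens[1], tokens[2:]
            if section == "firewall address":
                if key == "type":
                    addresses[name]["type"] = values[0]
                elif key == "subnet":
                    addresses[name]["subnet"] = "/".join(values)
            elif section == "firewall addrgrp" and key == "member":
                groups[name].extend(values)
        elif cmd == "next":
            name = None
        elif cmd == "end":
            section = name = None
    return addresses, groups


def expected_split_tunnel(addresses, groups, group_name):
    """Split the group's members into those the FortiGate pushes ('subnet')
    and those it ignores (any other type), per the behaviour documented above."""
    pushed, ignored = [], []
    for member in groups[group_name]:
        obj = addresses[member]
        if obj["type"] == "subnet" and obj["subnet"]:
            pushed.append(obj["subnet"])
        else:
            ignored.append((member, obj["type"]))
    return pushed, ignored


def advertised_routes(ike_debug):
    """Networks actually sent to the dial-up client, taken from the IKE debug."""
    return [f"{m['net']}/{m['mask']}" for m in MODE_CFG_SEND.finditer(ike_debug)]


def audit_split_tunnel(config_text, ike_debug, group_name):
    """Compare the predicted split-tunnel networks with what IKE really pushed."""
    addresses, groups = parse_config(config_text)
    pushed, ignored = expected_split_tunnel(addresses, groups, group_name)
    seen = advertised_routes(ike_debug)
    return {
        "expected": pushed,
        "ignored_members": ignored,
        "advertised": seen,
        "missing": [r for r in pushed if r not in seen],
        "unexpected": [r for r in seen if r not in pushed],
    }


if __name__ == "__main__":
    for key, value in audit_split_tunnel(
        SAMPLE_CONFIG, SAMPLE_IKE_DEBUG, "TestDialup_split"
    ).items():
        print(f"{key}: {value}")
```

Run against the constructed input, the script reports 10.136.0.0/255.255.240.0 as both expected and advertised, lists FQDN02 and IPSEC_FQDN_Test under ignored_members, and leaves missing and unexpected empty, which is exactly the situation in the article. A non-empty ignored_members list is the signal that someone has added unsupported address types to the split-tunnel group and that the corresponding destinations will be reached over the default route on the client rather than through the tunnel.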