Created on 10-24-2024 09:46 PM Edited on 10-26-2024 08:13 AM By Stephen_G
Description
This article describes how to verify the SSL VPN split tunnel route.
Scope
FortiGate v7.2 and above.
Solution
When split tunneling is enabled in the SSL VPN portal, the routes pushed to the client are derived from the destination addresses of the SSL VPN firewall policy.
In the SSL VPN policy below, the destination address is 192.168.28.0/24, so only traffic destined to this subnet is sent into the SSL VPN tunnel. All other traffic leaves through the client's normal default route, not the tunnel:
config firewall policy
    edit 2
        set name "SSLVPN"
        set uuid 9601eebe-907a-51ef-7239-e297ccce9b9b
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "192.168.28.0"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "test-vpn"
    next
end
To verify the split tunnel route on a Windows client, run 'route print' in a command prompt:
In the above routing table, the IP address 10.212.134.200 is the address the FortiGate assigned to FortiClient. The gateway 10.212.134.201 is the IP address immediately following the assigned address 10.212.134.200, and the route for the policy destination subnet uses it. This confirms that the split tunnel has installed the route on the client.
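As an added example (not part of the Fortinet article), the following Python script applies the check described above to a constructed 'route print' capture: it confirms that the policy destination subnet is routed via the assigned address plus one, and that the default route has not been pulled into the tunnel (which would indicate full tunneling rather than split tunneling). The sample output and the function names are constructed for this illustration.

```python
import ipaddress

# Constructed sample of Windows 'route print' output (not captured from a real host).
# Addresses follow the article: 10.212.134.200 assigned to FortiClient, gateway .201.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50     25
     192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
    192.168.28.0    255.255.255.0   10.212.134.201  10.212.134.200      1
   10.212.134.200  255.255.255.255         On-link   10.212.134.200    256
===========================================================================
"""


def parse_route_print(text):
    """Return (network, gateway, interface) tuples from the Active Routes table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # data rows have exactly five columns
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue                 # not a route row (e.g. a header line)
        routes.append((net, parts[2], parts[3]))
    return routes


def tunnel_routes(routes, assigned_ip):
    """Routes whose interface is the VPN-assigned address, i.e. sent into the tunnel."""
    return [r for r in routes if r[2] == assigned_ip]


def check_split_tunnel(text, assigned_ip, expected_subnet):
    """Verify the split-tunnel route exists and the default route stays off the tunnel."""
    routes = parse_route_print(text)
    expected = str(ipaddress.ip_network(expected_subnet))
    expected_gw = str(ipaddress.ip_address(assigned_ip) + 1)   # gateway = assigned + 1
    via_tunnel = {str(net): gw for net, gw, _ in tunnel_routes(routes, assigned_ip)}
    return {
        "split_route_ok": via_tunnel.get(expected) == expected_gw,
        "default_off_tunnel": "0.0.0.0/0" not in via_tunnel,
        "via_tunnel": sorted(via_tunnel),
    }
```

Paste a real 'route print' capture into SAMPLE_ROUTE_PRINT and pass the address FortiClient received to check_split_tunnel to run the same check against an actual client.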
On a Linux client, a similar command lists the routes installed by FortiClient. Use the following command in the terminal:
The output shows that some subnets are routed through the tunnel interface 'fctvpnb1ce8884'.
Copyright 2024 Fortinet, Inc. All Rights Reserved.