FortiGate
sjoshi (Staff)
Article Id 388963
Description

This article describes an issue observed on FortiGate where the ipv4-split-include setting of an IPsec phase1-interface disappears after the address group it references is modified. The setting still appears intact in the CLI immediately after the change, but it is lost after a system reboot. Because mode-cfg clients take their split-tunnel networks from ipv4-split-include, the clients of that tunnel then receive no split-tunnel networks at all, which silently breaks split tunneling for them.

 

Scope

FortiGate v7.2.11, v7.4.7.

 

Solution

When an address group is assigned to ipv4-split-include in an IPsec phase1-interface, adding a new address object of type FQDN to that group causes the setting to vanish from the GUI.

In the following IPsec phase1-interface configuration, split tunneling is implemented by referencing the address group 'VPN_SplitGrp' in the ipv4-split-include parameter:

 

config vpn ipsec phase1-interface
    edit "Client_VPN"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 192.20.10.10
        set ipv4-dns-server2 192.20.10.11
        set ipv4-dns-server3 8.8.8.8
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set dpd on-idle
        set comments "VPN: MobileVPN (Created by VPN wizard)"
        set xauthtype auto
        set authusrgrp "Admin_GRP"
        set ipv4-start-ip 192.168.42.10
        set ipv4-end-ip 192.168.42.200
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "VPN_SplitGrp"
        set save-password enable
        set psksecret ENC 6PzRNssKVoMyTzQNjz889alQF7yVvhgCek59q9NZG/NJwfa4kOHrmwxHJTh7ul4P064SVC5H2aCe2KdoXiEVJdsxXeFrPOvHEKbTveD8uln3oyyyhXYhvVioWxdCmZwyyjgNv7tlZaON7X9rZJXMA44lKRC+recezQPE7SbinhORb7hc8VDrtm/3E77S84yz+F6VsllmMjY3dkVA
        set dpd-retryinterval 60
    next
end

Firewall address group:

[Screenshot: the 'VPN_SplitGrp' address group and its members]

When the FQDN-type address object 'servers' is added to the 'VPN_SplitGrp' address group (CLI below), the group no longer appears in the Accessible Networks field of the tunnel in the GUI (screenshot below):

 

config firewall addrgrp
    edit "VPN_SplitGrp"
        set uuid 78382660-2336-51f0-5c59-503b3c38bdef
        set member "192.168.2.0-NW" "192.168.4.0/24" "servers"
    next
end

[Screenshot: the tunnel's Accessible Networks field in the GUI, now empty]

In the CLI, 'VPN_SplitGrp' is at this point still listed under ipv4-split-include, so the 'show' output looks intact. After a system reboot, however, the ipv4-split-include line is gone from the phase1-interface, as illustrated below:

 

config vpn ipsec phase1-interface
    edit "Client_VPN"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 192.20.10.10
        set ipv4-dns-server2 192.20.10.11
        set ipv4-dns-server3 8.8.8.8
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set dpd on-idle
        set comments "VPN: MobileVPN (Created by VPN wizard)"
        set xauthtype auto
        set authusrgrp "Admin_GRP"
        set ipv4-start-ip 192.168.42.10
        set ipv4-end-ip 192.168.42.200
        set ipv4-netmask 255.255.255.0
        set save-password enable
        set psksecret ENC CXSTQ4c+5Z84jCBWatKdUQkdrV69dgrXhUxvevslWPaTTLnR0Wrk799RREgEueZJc5iPot8UKyaAJwTDm/piBuSf/G7mnpceqT1S/qn6EtosqXAVQEeJhdFp9qF8szO6pXgQeZXKMWZmRoFbvTZBzqAiY+rLOTwU9llX0SGUxe6aXLXmFuoNTUN2yqxSFaA87xuyUFlmMjY3dkVA
        set dpd-retryinterval 60
    next
end

This issue is triggered only when an FQDN-type address object is added to the address group referenced by ipv4-split-include; the subnet objects already in the group ('192.168.2.0-NW', '192.168.4.0/24') did not trigger it. Until the firewall is upgraded, keep FQDN-type objects out of any address group used for ipv4-split-include, and verify the setting from the CLI with 'show vpn ipsec phase1-interface <name>' after editing such a group and again after a reboot, rather than trusting the GUI alone.

This issue has been resolved in FortiOS v7.4.8.
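As an added example (written for this article, not Fortinet tooling or code from the original page), the following Python script audits a FortiOS configuration backup for the pattern described above: a phase1-interface whose ipv4-split-include references an address group that, directly or through a nested group, contains an FQDN-type address object. The embedded config text is constructed for illustration; it reuses the article's 'VPN_SplitGrp' and 'servers' names, while 'Nested_Grp', 'Safe_VPN' and the ipv4-exclude-range block are assumed additions that exercise nested groups and nested config blocks. The parser is a minimal one written for this check and only records top-level config/edit/set lines, which is enough for the audit.

```python
# Audit a FortiOS config backup for the ipv4-split-include/FQDN pattern.
# Added example for this article, not Fortinet code.
import re
# Constructed sample (trimmed `show full-configuration` output). "servers" is the
# FQDN-type trigger; the nested block and nested group mimic a real backup's layout.
SAMPLE_CONFIG = """\
config firewall address
    edit "192.168.2.0-NW"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "servers"
        set type fqdn
    next
end
config firewall addrgrp
    edit "VPN_SplitGrp"
        set member "192.168.2.0-NW" "servers"
    next
    edit "Nested_Grp"
        set member "VPN_SplitGrp"
    next
end
config vpn ipsec phase1-interface
    edit "Client_VPN"
        set ipv4-split-include "VPN_SplitGrp"
        config ipv4-exclude-range
            edit 1
                set start-ip 192.168.42.1
            next
        end
    next
    edit "Safe_VPN"
        set ipv4-split-include "192.168.2.0-NW"
    next
end
"""

# Values on a `set` line are "double quoted" or bare tokens.
_VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')

def split_values(raw):
    return [quoted or bare for quoted, bare in _VALUE_RE.findall(raw)]

def parse_config(text):
    """Parse FortiOS CLI text into {section: {entry: {key: [values]}}}.
    Only top-level config/edit/set lines are kept; nested config blocks are skipped."""
    sections = {}
    stack = []      # names of the open `config` blocks
    entry = None    # current top-level `edit` name
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
        elif s == "end":
            stack.pop()
        elif s.startswith("edit ") and len(stack) == 1:
            entry = split_values(s[len("edit "):])[0]
            sections.setdefault(stack[0], {})[entry] = {}
        elif s == "next" and len(stack) == 1:
            entry = None
        elif s.startswith("set ") and len(stack) == 1 and entry is not None:
            key, _, raw = s[len("set "):].partition(" ")
            sections[stack[0]][entry][key] = split_values(raw)
    return sections

def fqdn_addresses(cfg):
    """Names of address objects with `set type fqdn` (a missing `type` means ipmask)."""
    return {name for name, attrs in cfg.get("firewall address", {}).items()
            if attrs.get("type", ["ipmask"])[0] == "fqdn"}

def expand_group(cfg, name, seen=None):
    """Resolve an address or group name to leaf address names; groups may nest."""
    groups = cfg.get("firewall addrgrp", {})
    if name not in groups:
        return {name}
    seen = set() if seen is None else seen
    if name in seen:          # guard against cyclic group references
        return set()
    seen.add(name)
    leaves = set()
    for member in groups[name].get("member", []):
        leaves |= expand_group(cfg, member, seen)
    return leaves

def find_affected_phase1(cfg):
    """(phase1 name, split-include reference, sorted FQDN members) for each hit."""
    fqdn = fqdn_addresses(cfg)
    findings = []
    for p1, attrs in cfg.get("vpn ipsec phase1-interface", {}).items():
        for ref in attrs.get("ipv4-split-include", []):
            bad = sorted(expand_group(cfg, ref) & fqdn)
            if bad:
                findings.append((p1, ref, bad))
    return findings

if __name__ == "__main__":
    for p1, ref, bad in find_affected_phase1(parse_config(SAMPLE_CONFIG)):
        print(f"{p1}: ipv4-split-include {ref!r} contains FQDN object(s) {bad}")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; on the sample it reports 'Client_VPN' (its group contains 'servers') and stays silent for 'Safe_VPN', which references a plain subnet object. Because `show` omits default values, an address object with no `type` line is treated as ipmask; feed the script `show full-configuration` output if you want every attribute explicit.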