IPSEC Split Tunnel push route on Client
Hi All,
I've set up an IPsec dial-up VPN on a FortiGate and want to enable split tunnel.
VPN client: Windows 10 built-in
FortiGate:
Internal Network 1: 10.0.0.0 / 255.0.0.0
Internal Network 2: 192.168.170.0 / 255.255.255.0
When I connect with the Windows client, a route to Network 1 is pushed to the client.
But no route to Network 2.
When I add the route manually on the Windows client, everything works as expected.
How can I tell the FortiGate to push this route to the client?
config vpn ipsec phase1-interface
    edit "Employees"
        set type dynamic
        set interface "****"
        set ike-version 2
        set local-gw *****
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set proposal aes256gcm-prfsha384
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set authusrgrp "RADIUS"
        set certificate "VPN ******"
        set peer "******"
        set assign-ip-from dhcp
        set dns-mode auto
        set ipv4-split-include "VPN-Employees-Split"
        set client-auto-negotiate enable
        set client-keep-alive enable
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "Employees"
        set phase1name "Employees"
        set proposal aes256gcm
        set dhgrp 20
        set keepalive enable
        set keylifeseconds 3600
    next
end
The split group "VPN-Employees-Split" is an address group that contains the subnets of Internal Network 1 & 2.
Is what I want to do even possible?
(FortiOS 7.2.2)
Labels: FortiGate
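As an added example, not code from the thread or from Fortinet: a PowerShell check for the Windows built-in IKEv2 client that shows which split-tunnel routes the connection has stored, pins the missing one (the scripted form of the manual route the poster mentioned), and lists what is actually in the routing table while the tunnel is up. The Windows connection name "Employees" is an assumption; the two prefixes are the subnets from the post.

```powershell
# Added example (not from the original thread). Assumes the Windows VPN
# connection is named "Employees" (hypothetical); prefixes are from the post.
$ConnectionName   = 'Employees'
$ExpectedPrefixes = @('10.0.0.0/8', '192.168.170.0/24')

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
if (-not $vpn.SplitTunneling) {
    # Without split tunneling Windows sends everything through the tunnel,
    # so per-subnet routes never come into play; enable it first.
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Routes Windows keeps for this connection on its own, independent of what
# the FortiGate sends in the IKEv2 configuration payload.
$stored = @(Get-VpnConnectionRoute -ConnectionName $ConnectionName |
            ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $ExpectedPrefixes) {
    if ($stored -contains $prefix) {
        "already stored: $prefix"
    } else {
        # Same effect as adding the route by hand, but persistent per connection.
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
        "added:          $prefix"
    }
}

# While connected, the RAS interface carries the connection name; dump its IPv4
# routes so a subnet that was never pushed can be told apart from one that was
# pushed but not applied.
$ifc = Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue
if ($ifc) {
    Get-NetRoute -InterfaceIndex $ifc.ifIndex -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, RouteMetric |
        Format-Table -AutoSize
} else {
    "connection '$ConnectionName' is not up; connect and re-run to inspect routes"
}
```

Run it in an elevated PowerShell session, since Add-VpnConnectionRoute and Set-VpnConnection modify the connection profile.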
Hi @simmon
In the address group "VPN-Employees-Split", are both subnets defined as type 'subnet'? IP range is actually not supported.
Please also use FortiClient instead of the Windows native VPN client.
SFA
One is type "Subnet" and the other is type "Interface Subnet", but I've also created both as "Subnet" and there was no difference.
We would like to use the Windows built-in client, as we use it at the moment with another firewall and want to replace that solution with this Fortinet. FortiClient would also need to be deployed on all systems, which would be an additional huge project.
Please run IKE debugs to find out whether the second subnet is pushed by the FortiGate or Windows doesn't accept it.
diag debug reset
diag vpn ike log-filter dst-addr4 <ip.of.remote.peer>
diag debug app ike -1
diag debug console timestamp enable
diag debug enable
Meanwhile, please also check with FortiClient on one PC, for testing purposes, whether the same issue is observed.
SFA
