Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPSEC Split Tunnel push route on Client

Hi All,


i've Set up an IPSEC DialUp VPN on a Fortigate and want to enable Split Tunnel.


VPN Client Windows 10 Built In


Internal Network 1: /

Internal Network 2: /


When i Connect with the Windows Client there will be a Route to Network 1 pushed to the Client.

But no route to Network 2. 


When i add the route manually to the windows Client everything works as expected.


How can i tell the Fortigate to push this route to the Client?






config vpn ipsec phase1-interface
    edit "Employees"
        set type dynamic
        set interface "****"
        set ike-version 2
        set local-gw *****
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set proposal aes256gcm-prfsha384
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set authusrgrp "RADIUS"
        set certificate "VPN ******"
        set peer "******"
        set assign-ip-from dhcp
        set dns-mode auto
        set ipv4-split-include "VPN-Employees-Split"
        set client-auto-negotiate enable
        set client-keep-alive enable
        set dpd-retryinterval 60

config vpn ipsec phase2-interface
    edit "Employees"
        set phase1name "Employees"
        set proposal aes256gcm
        set dhgrp 20
        set keepalive enable
        set keylifeseconds 3600







Split Group "VPN-Employees-Split" is a group that contains Subnet Internal Network 1 & 2


Is this even possible what i want to do?
(Forti OS 7.2.2)


Hi @simmon 


In the address group "VPN-Employees-Split", are both the subnets defined as type 'subnet'? IP Range is not supported actually.


Please also use FortiClient instead of Windows native VPN client.

New Contributor

One is type "Subnet" and the Other is type "Interface Subnet" but i've also created both as "Subnet" and there was no difference. 


We would like to use Windows Internal Client as we use this at the moment with another Firewall and we want to replace this Solution with this Fortinet. Forticlient would also need to deploy on all Systems which will be an additional hughe project.


Please run IKE debugs to find out if the second subnet is pushed by Fortigate or Windows doesn't accept it.

diag debug reset
diag vpn ike log-filter dst-addr4 <ip.of.remote.peer>
diag debug app ike -1
diag debug console timestamp enable
diag debug enable


Meanwhile, please also check with FortiClient on one PC for testing purpose if the same issue is observed.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors