Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ACS1
New Contributor

Local internet traffic going through split tunnel

I've got a Fortigate 60F and connecting from a Samsung S22 phone.

 

I've set up a IPSec tunnel using PSK and IKEV2 and split tunnel. It connects fine, but all of the traffic wants to go through the VPN and not just non-internet traffic that I want. I'm assuming I'm pushing a 0.0.0.0 0.0.0.0 route somehow, but I don't see where. My local subnet is 192.168.0.0/22 which I have in the "Remote Address" under "Phase 2 Selectors".

 

Thoughts on what I can check?

12 REPLIES 12
Mrinmoy
Staff
Staff

What is the Forti client and Forti OS firmware you have?

can you please type the following command from Windows CL after connecting to the VPN and share the output here?

> route print

Mrinmoy Purkayastha
ACS1
New Contributor

The Forti OS is 7.4.0. I'm using the native Android vpn client rather than the Forti client.

hbac
Staff
Staff

Hi @ACS1

 

Have you tried IKEv1 or try using FortiClient? 

 

Under android setting there is an option to select forwarding routes, and by default it's 0.0.0.0/0. You can change that to subnet you want to access via VPN, that should be the only subnet forwarded via the tunnel. It should be under VPN settings > Forwarding Routes. 

 

Regards,

vbandha
Staff
Staff

Can you check if the 'Enable IPv4 split tunnel' option is enabled and you have configured the accessible networks?

Here is an article that goes over this configuration:
Technical Tip: Enable split-tunnel For IPsec VPN - Fortinet Community

lgupta
Staff
Staff

Hey.
Can you please share the output of the following command? (PLEASE MASK THE CONFIDENTIAL DETAILS) ??
show vpn ike phase1-interface <name_of_tunnel>

Best regards,

-lgupta



If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.
ap
Staff
Staff

Hi @ACS1,

You can confirm that you have enabled split tunnel (check-marked) and Accessible Network has address object specifying the specific LAN subnet. (i.e. it should not be set to 0.0.0.0/0)

You can refer below KB article for the same:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192...

If you are using any other client apart from Forticlient, you can see below article on how to push static routes for local subnets:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Split-tunneling-on-L2TP-IPSEC-VPN-between/...

Regards,
AP

jamespride815
New Contributor

It sounds like a routing issue in your IPSec tunnel configuration. To ensure only non-internet traffic goes through the VPN, check the following:

  1. Verify your split tunneling settings to ensure they are correctly configured.

  2. Double-check the routing tables on both ends to make sure you are not pushing a default route (0.0.0.0/0) through the VPN.

  3. Review your Fortigate firewall policies and make sure they Walentina allow the desired traffic.

  4. Consider checking the VPN logs for any clues on the routing behavior.

If the issue persists, consulting Fortigate support or community forums may provide more specific guidance tailored to your setup.

frantvesson101
New Contributor

It sounds like you've set up the VPN, but encountering an issue with traffic routing. Since you're using a Fortigate 60F, it might be worth double-checking the routing policies and make sure you're not inadvertently pushing all traffic through the perte de VPN. Additionally, ensure your split tunnel configuration is correctly applied to allow only specific traffic through the VPN. If the issue persists, consulting Fortinet's support resources or community forums might provide further insights. Good luck with your setup! 

 
jhondrake8205
New Contributor

It seems like your VPN is tunneling all traffic instead of just the desired non-internet traffic. Double-check your routing settings on both ends to ensure you're not inadvertently routing all traffic through the VPN. Also, verify the settings for split tunneling on your Fortigate 60F to ensure it's properly configured to only route specific traffic through the VPN. Additionally, reviewing the Step Guide  Phase 2 Selectors and any routing rules might provide further insights. Good luck troubleshooting!

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors