No internet access connecting to IPsec VPN with split tunnel enabled
We are migrating from a Fortigate 30E (firmware 5.4.3) to a FortiWiFi 60F (firmware 6.4.3). The IPsec VPN on the new device was set up using the wizard, and with split tunnel enabled. This worked fine on the old unit but on the new one the VPN works but cuts off internet access. (We also have SSL VPN configured for split tunnel and there is no problem with that on either device.)
What appears to be happening is that after connecting to the 60F's IPsec VPN, the routing table on the client winds up with two default routes. The additional default route added points to an address in the VPN tunnel and internet access no longer works. This does not happen when connecting to the 30E's IPsec VPN, or SSL VPN on either device.
Client software is Forticlient 5.6.2.117 running on Windows 10. I have double-checked that "Enable IPv4 Split Tunnel" is enabled in the 60F's IPsec configuration, and accessible networks is set to "IPsec VPNsplit". Is there some other setting required to get split tunneling to work?
I'd suggest upgrading FortiClient. I'm not sure if FortiClient 5.6 is still 100% compatible with FortiOS 6.4.
I remember having had similar issues which were fixed by upgrading FortiClient.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
As a test I uninstalled the old Forticlient and installed the latest (version 6.4), but unfortunately the problem persists. Exact same symptom, the VPN works but internet is cut off and two default gateways appear in the routing table.
As a further test I disabled split tunnel in the IPsec configuration, with the same result - the VPN works but the client PC's internet access is cut off and the same change in the routing table is made where there are two default routes.
Solved by Fortinet support. I had an incorrect setting under Firewall Policy after enabling split tunneling in the VPN configuration.
@sermeidis - There is no "magic" config to enable/disable for split tunneling to work, just a matter of correct security policy and SSL VPN settings. Better chance of help if you describe your specific setup/situation.
