SSL VPN is not doing split tunnel
Hello,
How is it possible that I enable this:
Enabled Based on Policy Destination
and I still get the IP of the office and not of my home WiFi?
gameie_Primary # config vdom
gameie_Primary (vdom) # edit root
current vf=root:0
gameie_Primary (root) # config vpn ssl web portal
gameie_Primary (portal) # edit "vpn-rnd"
gameie_Primary (vpn-rnd) # show
config vpn ssl web portal
edit "vpn-rnd"
set tunnel-mode enable
set ip-pools "vpn-rnd-new"
next
end
gameie_Primary (vpn-rnd) # show full-configuration
config vpn ssl web portal
edit "vpn-rnd"
set tunnel-mode enable
set ipv6-tunnel-mode disable
set web-mode disable
set allow-user-access web ftp smb sftp telnet ssh vnc rdp ping
set limit-user-logins disable
set forticlient-download enable
set ip-mode range
set auto-connect disable
set keep-alive disable
set save-password disable
set ip-pools "vpn-rnd-new"
set split-tunneling enable
set split-tunneling-routing-negate disable
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set dns-suffix ''
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set dhcp-ra-giaddr 0.0.0.0
set client-src-range disable
set host-check none
set mac-addr-check disable
set os-check disable
set forticlient-download-method direct
set customize-forticlient-download-url disable
next
end
gameie_Primary (vpn-rnd) #
Thanks
Labels: FortiClient, Routing, SSL-VPN
If you are using "Enabled Based on Policy Destination", then your policy ID 2 has to have your specific LAN subnets defined in the destination section. If you have "all", as your image shows, then the split tunnel will match every IP and not allow internet access through the end user's local network.
So how can I solve it? I want everything to pass through the end user's local network except the interfaces of the FortiGate.
Thanks
Hi captainit,
perhaps you may have a look at this: Enabling split tunnel feature for SSL-VPN - Fortinet Community
"It's not over 'till it's over"
Fortigate: 500E
ForticlientEMS
In the SSL-VPN to LAN policy, specify the FortiGate LAN interface subnet as the destination, so that only traffic for the FortiGate LAN subnet is routed over the SSL VPN.
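As an added example (not from this thread and not Fortinet's own documentation), here is how the two replies above translate into FortiOS CLI: the destination of the SSL-VPN-to-LAN policy is a group of specific LAN address objects instead of "all", so the portal's "Enabled Based on Policy Destination" setting (`set split-tunneling enable`) only pushes routes for those subnets. The portal name "vpn-rnd", the pool "vpn-rnd-new" and policy ID 2 come from the original post; the subnets 192.168.10.0/24 and 192.168.20.0/24, the interface name "internal", the user group "vpn-users" and the object names are assumed placeholders to replace with your own. The `#` lines are comments for the reader.

```fortios
# Address objects for the office LAN subnets (constructed example values;
# replace with the subnets actually behind the FortiGate)
config firewall address
    edit "LAN-192.168.10.0"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "LAN-192.168.20.0"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Group the subnets so the policy stays readable as more are added
config firewall addrgrp
    edit "OFFICE-LAN"
        set member "LAN-192.168.10.0" "LAN-192.168.20.0"
    next
end

# Portal from the original post: tunnel mode, split tunneling based on
# policy destination, pool "vpn-rnd-new"
config vpn ssl web portal
    edit "vpn-rnd"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "vpn-rnd-new"
    next
end

# SSL-VPN -> LAN policy (ID 2 in the original post). The client receives a
# route for every destination this policy matches, so dstaddr must be the
# specific subnets: with dstaddr "all" the client is pushed 0.0.0.0/0 and
# its default route (and therefore all internet traffic) goes into the tunnel.
config firewall policy
    edit 2
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "OFFICE-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-users"
    next
end
```

After applying this, reconnect the FortiClient and check the client's route table (`route print` on Windows, `netstat -rn` on macOS/Linux): only 192.168.10.0/24 and 192.168.20.0/24 should point at the VPN adapter, and the default route should still point at the home router. If 0.0.0.0/0 still goes to the VPN adapter, some other policy with srcintf "ssl.root" still has "all" as its destination, and every such policy needs the same specific destination.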