Support Forum
captainit
New Contributor II

SSL VPN is not doing split tunnel

Hello,
How is it possible that I enable this:
Enabled Based on Policy Destination
And I still get the IP of the office and not my home WIFI?
gameie_Primary # config vdom
gameie_Primary (vdom) # edit root
current vf=root:0
gameie_Primary (root) # config vpn ssl web portal
gameie_Primary (portal) # edit "vpn-rnd"
gameie_Primary (vpn-rnd) # show
config vpn ssl web portal
edit "vpn-rnd"
set tunnel-mode enable
set ip-pools "vpn-rnd-new"
next
end
gameie_Primary (vpn-rnd) # show full-configuration
config vpn ssl web portal
edit "vpn-rnd"
set tunnel-mode enable
set ipv6-tunnel-mode disable
set web-mode disable
set allow-user-access web ftp smb sftp telnet ssh vnc rdp ping
set limit-user-logins disable
set forticlient-download enable
set ip-mode range
set auto-connect disable
set keep-alive disable
set save-password disable
set ip-pools "vpn-rnd-new"
set split-tunneling enable
set split-tunneling-routing-negate disable
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set dns-suffix ''
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set dhcp-ra-giaddr 0.0.0.0
set client-src-range disable
set host-check none
set mac-addr-check disable
set os-check disable
set forticlient-download-method direct
set customize-forticlient-download-url disable
next
end
gameie_Primary (vpn-rnd) #
Thanks

honeqwo2
New Contributor

If you are using "Enabled Based on Policy Destination", then your policy ID 2 has to have your specific LAN subnets defined in the destination section. If you have "all", like your image shows, then the split tunnel will match on every IP and not allow internet access through the end user's local network.

captainit
New Contributor II

So how can I solve it? I want everything to pass through the end user's local network except the interfaces of Fortigate.

Thanks

brandjp
New Contributor II

Hi captainit,

perhaps you may have a look at this: Enabling split tunnel feature for SSL-VPN - Fortinet Community

"It's not over 'till it's over"

Fortigate: 500E

ForticlientEMS

tpatel

In the SSL VPN-to-LAN policy, specify the FortiGate LAN interface subnet as the destination, so only FortiGate LAN subnet traffic will route over the SSL VPN.
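The two replies above describe the same fix: with split tunneling "Enabled Based on Policy Destination", the routes pushed to the client are the destination addresses of the SSL VPN firewall policy, so a destination of "all" becomes a 0.0.0.0/0 route through the tunnel. The following is an added example written for this thread, not configuration from the original poster or from Fortinet: it shows the weak policy beside the corrected one. The address object "LAN_RND", the subnet 10.10.10.0/24, the interface name "internal" and the group "sslvpn-users" are assumptions; "vpn-rnd-new" is the IP pool from the portal shown in the question, and "ssl.root" matches the root VDOM it was configured in.

```fortios
# Added example, not from the thread. Assumed names: "LAN_RND" / 10.10.10.0/24
# stand in for the office subnet behind the FortiGate, "internal" for its LAN
# interface, "sslvpn-users" for the user group. "vpn-rnd-new" is the IP pool
# from the portal in the question; "ssl.root" is the SSL VPN interface of the
# root VDOM used there.

# 1. Address object for the only destination that should ride the tunnel.
config firewall address
    edit "LAN_RND"
        set type ipmask
        set subnet 10.10.10.0 255.255.255.0
    next
end

# 2. Weak policy: destination "all" pushes 0.0.0.0/0 to the client, so with
#    "Enabled Based on Policy Destination" every packet, internet traffic
#    included, leaves through the office egress IP.
config firewall policy
    edit 2
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "vpn-rnd-new"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
end

# 3. Corrected policy: only the office subnet is a destination, so the client
#    receives a route for 10.10.10.0/24 alone and its default route stays on
#    the home Wi-Fi. Add further address objects to dstaddr for any other
#    office subnets that must be reachable; never "all".
config firewall policy
    edit 2
        set dstaddr "LAN_RND"
    next
end
```

The portal itself stays as shown in the question (set split-tunneling enable with no routing address), because in this mode the policy, not the portal, decides what is routed. To verify after reconnecting, list the client's routing table (route print on Windows, ip route on Linux): the tunnel interface should carry only the 10.10.10.0/24 route, and the default route should still point at the home gateway. If 0.0.0.0/0 still goes via the tunnel, another SSL VPN policy with "all" or a broader address object is matching the same user group.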
