Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kraus
New Contributor II

Split Tunnel for IPSec VPN on Mac OS

Hello Forti Communty,

 

I need help with getting split tunneling to work on Mac OS.

 

We have the following situation in our company:

We have a firewall cluster made out of two FG 100F version 6.4.12.

The IPSec VPN configuration with split tunneling we are currently using is working perfectly for all of our windows clients. Now we also have to support Mac OS but we ran into some troubles.

For our clients we use the free VPN client from Forti in version 7.2.0, the Mac and Windows config is also similar.

The VPN connection itself on the Mac is working great but due to the missing split tunnel feature it is only possible to connect to company internal resources when the connection is active. So for example google.com is not working because all traffic is sent to the virtual VPN gateway. As soon as VPN is disconnected all external resources are working again. Now I have the following questions:

 

Is it possible to use split tunneling on Mac, maybe via workaround?

Is there a different solution to this, for example to setup a secondary gateway? (I have no experience with Mac OS so I don´t know if something like that is even possible)

 

Please let me know if I forgot something important.

thank you in advance for your help.

 

best regards

 

1 Solution
rvijayaraj
Staff
Staff

Hi,

 

You can try editing the xml file from the forticlient settings. 

 

1) Download Forticlient configuration backup (XML file) from FortiClient settings.
2) Open the file using a text editor (e.g. NotePad++).
3) Search for the IPSec tunnel name.
4) The split tunnel addresses is added under the tag <remote_networks> under the required tunnel.

Each address is added in a <network> tag as per the below example(the split tunnel configuration is in bold text. Other irrelevant parts of the configuration are removed for simplicity):



<ipsecvpn>
            <options>
                …
                …
            </options>
            <connections>
            …
            …
                <connection>
                    <name>IPSEC_TUNNEL_1</name>
                    <type>manual</type>
                    <ike_settings>
                       …
                       …
                    </ike_settings>
                    <ipsec_settings>
            <remote_networks>
           <network>
    <addr>172.16.100.0</addr>
    <mask>255.255.255.0</mask>
          </network>
           <network>

    <addr>172.16.120.0</addr>
    <mask>255.255.255.240</mask>

           </network>     
            …
            …             
       </ipsec_settings>
         …
         …
     </connection>
      …
      …
   </connections>
</ipsecvpn>

NOTE.
FortiClient Requires 'Full Disk Acess' permissions in Mac OS Privacy Settings in order for the configuration restore feature to work.
Refer to FortiClient Mac OS release notes for more details.

 

Regards,

Roshan

View solution in original post

2 REPLIES 2
rvijayaraj
Staff
Staff

Hi,

 

You can try editing the xml file from the forticlient settings. 

 

1) Download Forticlient configuration backup (XML file) from FortiClient settings.
2) Open the file using a text editor (e.g. NotePad++).
3) Search for the IPSec tunnel name.
4) The split tunnel addresses is added under the tag <remote_networks> under the required tunnel.

Each address is added in a <network> tag as per the below example(the split tunnel configuration is in bold text. Other irrelevant parts of the configuration are removed for simplicity):



<ipsecvpn>
            <options>
                …
                …
            </options>
            <connections>
            …
            …
                <connection>
                    <name>IPSEC_TUNNEL_1</name>
                    <type>manual</type>
                    <ike_settings>
                       …
                       …
                    </ike_settings>
                    <ipsec_settings>
            <remote_networks>
           <network>
    <addr>172.16.100.0</addr>
    <mask>255.255.255.0</mask>
          </network>
           <network>

    <addr>172.16.120.0</addr>
    <mask>255.255.255.240</mask>

           </network>     
            …
            …             
       </ipsec_settings>
         …
         …
     </connection>
      …
      …
   </connections>
</ipsecvpn>

NOTE.
FortiClient Requires 'Full Disk Acess' permissions in Mac OS Privacy Settings in order for the configuration restore feature to work.
Refer to FortiClient Mac OS release notes for more details.

 

Regards,

Roshan

kraus
New Contributor II

Hello Roshan,

 

thank you for the quick reply. I already tried this approach some time ago and it did not work because I was not able to import the config into the VPN client. But thanks to your final note this issue is now resolved.

 

regards

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors