I've set up a site-to-site IPsec tunnel between our FortiGate 200Es here and a pfSense box. Pretty soon I will be setting up another IPsec tunnel between our location and another location that is currently using a Ubiquiti gateway. My boss wants me to make sure I have split tunneling set up, and I don't see that as an option for site-to-site IPsec.
I see documentation from Fortinet allowing split tunneling for IPSec remote access VPN.
I see documentation from Fortinet allowing split tunneling for SSL VPN.
But I do not see split tunneling as an option with site-to-site IPsec.
He wants to make sure that the only traffic we have routing from our remote location through our local location is internal resources from our network. He wants all public web surfing to happen on the local gateway, their Ubiquiti gateway.
Can this be done?
Thank you,
Corey Piazza
Split tunneling is for client VPN. Site-to-site is different. Your routing and encryption domains (remote / local addresses defined in phase 2) should help define how to reach traffic across each VPN tunnel.
HTH
d
Generally, IPsec site-to-site VPN is "split" by nature. Only traffic matching the Phase 2 traffic selectors would go into the tunnel. I think that's why you can't find articles for "split-tunnel". Your boss probably meant Internet-bound traffic shouldn't go into the tunnel but should use the local Internet.
If you specify, say "192.168.0.0/24 <-> 192.168.1.0/24" in the selector, nothing else would go into the tunnel, even if we set a static route for a different subnet toward the tunnel interface (they would go nowhere though). You just need to make sure you have a default route toward the ISP GW or wherever you want to route it to. Then of course you need a policy for that too.
@Toshi:
Which traffic is flowing across an IPsec tunnel is determined by routing and policies, not the QM selectors in phase2. QM selectors are only used at tunnel build-up: which kind of traffic is allowed to initiate a tunnel, and do both sides agree on the address ranges involved (during negotiations). In practice, you would not point a route for traffic to a tunnel which you do not intend to traverse it. Thus, you would create the 'tunnel' policies such that only the intended traffic is allowed.
@OP: actually, you don't have to do anything special to achieve what your boss is asking for. On the contrary, guiding all traffic across a tunnel is tricky and very rarely used (IMHO). Be sure to (1) use specific QM selectors in phase 2 (not the wildcard '0.0.0.0/0') and (2) use address objects in the tunnel policy to enforce your intention. And lastly, the route pointing to the tunnel interface, which is mandatory, should only feature the desired remote network (your local subnet). The default route still has to point to the FGT's WAN interface, as usual.
Ede:
As always I appreciate your corrections and comments.
Toshi
@Toshi: and I count on you to set me straight if it needs be!
Copyright 2025 Fortinet, Inc. All Rights Reserved.