YanisSauve
New Contributor

Trouble configuring SSLVPN portal for split-tunnel

Hello everyone,

FWF-60C, 5.2.4 (I know, 4 is recommended), 3 networks directly attached:

Internet - WAN1 interface (DHCP)
LAN - internal interface (172.17.31.0/24)
Wifi - Wifi interface (172.17.30.0/24)

My SSL VPN IP range is 172.17.29.0/24. Normal browsing from LAN works; Wifi is currently not used.

I can configure a portal for tunnel mode correctly. The trouble I have is when I try to enable split-tunneling. Whenever I choose the address object for my LAN, the GUI throws an "Entry not found" error.

When I go into the CLI, a ? after "set split-tunneling-routing-address" only shows address objects that are in the same network as my VPN IP range.

I have a Fortigate 800C at work that has a portal configured with my LAN address objects as Routing Addresses and functions correctly.

I tried to replicate the configuration from the 800C as closely as I could on the 60C, and have tried everything I could think of.

Is this a limitation of the FWF-60C, or maybe a bug in the firmware? Can somebody help me?

Thanks

5 replies
YanisSauve
New Contributor

Hello again,

From my experimenting, I think it might be a "requirement". I'm not sure though.

I've looked again at my configuration at work, and determined that one of the address objects in the "Routing address" field contains the VPN IP range. So that would explain why it works.

Now, on my FWF-60C, I've added an address object that describes the network 172.17.16.0/20 and used it as "routing address", and now split-tunneling works as it should. I'm not fond of the fact that I have to describe a few more addresses than I wanted to make it work, but hey... :)

Now, as long as you have an address object like this in the "routing address" field, all other address objects you add don't have to match your VPN IP range; only one is needed, from what I can observe.

Hope this helps somebody.
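As an added illustration (not configuration posted by anyone in this thread), the following FortiOS CLI fragment reproduces the workaround described above on the addressing from the original post: an aggregate address object 172.17.16.0/20 that contains the 172.17.29.0/24 SSL VPN pool is listed as a routing address alongside the LAN object. The object and portal names ("SSLVPN_POOL", "LAN", "SPLIT_AGG", "split-portal") are assumptions chosen for the example.

```fortios
# Address objects (names are assumptions for this example)
config firewall address
    edit "SSLVPN_POOL"
        set subnet 172.17.29.0 255.255.255.0
    next
    edit "LAN"
        set subnet 172.17.31.0 255.255.255.0
    next
    # Aggregate that contains the VPN pool as well as the LAN and Wifi subnets.
    # Per the observation above, a routing address that includes the pool is
    # what lets the other routing addresses be accepted.
    edit "SPLIT_AGG"
        set subnet 172.17.16.0 255.255.240.0
    next
end

# Tunnel-mode portal with split tunneling limited to the routing addresses
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL"
        set split-tunneling enable
        set split-tunneling-routing-address "SPLIT_AGG" "LAN"
    next
end
```

Note that the /20 aggregate is what gets pushed to the client as a split-tunnel route, so it covers more than the LAN alone; what the client can actually reach is still bounded by the firewall policies from ssl.root, so keep those policies scoped to the specific internal subnets rather than the aggregate.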

gschmitt
Valued Contributor

YanisSauve wrote:

I can configure a portal for tunnel mode correctly.  The trouble I have is when I try to enable split-tunneling.  Whenever I choose the address object for my LAN, the GUI throws a "Entry not found" error.

Do you have any policies going from SSL.root to destination "ALL"?

YanisSauve

No I don't.  I only have policies to permit traffic from the ssl.root interface to all my inside networks.

gschmitt
Valued Contributor

YanisSauve wrote:

No I don't.  I only have policies to permit traffic from the ssl.root interface to all my inside networks.

I don't mean the destination interface, I mean the destination address.

YanisSauve

Sorry, forgot to mention that the outgoing interface is set to any.

What I meant is that the destination address of the policy is an address object describing my internal scopes.
