FortiOS 7.2.4 IPSec split-tunnel breaks local internet access and remote network not reachable
Hello,
I set up IPsec connections for roaming clients with split-tunneling. Although the connections succeed in phase 2 and R_U_THERE packets do cross the tunnel, there is no packet flow between the client and the FortiGate. Neither one can ping the other through the tunnel.
Another fact which I do not understand: although split-tunnel and mode config are selected, FortiClient 7.2.4 alters the default route on the Windows 10 / 11 clients to the tunnel.
The dial-in client's LAN network address is 192.168.0.0/24. The HQ network is 192.168.0.0/16. This will also lead to routing problems. Is it possible to map the HQ IP address range [192.168.0.0/16] within the tunnel to another network (e.g. 192.0.0.0/16)?
For testing purposes we altered the accessible networks to another network [10.0.0.0/8] which is also connected to the FortiGate. But that did not lead to data flow through the tunnel.
gateway
name: 'EMS_Test_0'
local-gateway: 123.45.678.123:4500 (static)
remote-gateway: 123.46.78.123:62890 (dynamic)
dpd-link: on
mode: ike-v1
interface: 'port10' (16) vrf:0
rx packets: 177 bytes: 29012 errors: 259
tx packets: 1051 bytes: 3758 errors: 0
dpd: on-idle/negotiated idle: 30000ms retry: 3 count: 0
nat traversal mode: silent RFC 3947
selectors
name: 'EMS_Test'
auto-negotiate: disable
mode: tunnel
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:198.18.27.2-198.18.27.2:0
SA
lifetime/rekey: 43200/43179
mtu: 1422
tx-esp-seq: 41a
replay: enabled
qat: 0
inbound
spi: bcb1176a
enc: aes-cb 88cffeadf2cf9ef785047903aedada1181b1a735f835e8b1b02960692d0ec209
auth: sha256 ad1ac6fb0b720e5c11fb63d2801e026ccd3dd48c4efcd450409c0d08c39fbf96
outbound
spi: a81eae67
enc: aes-cb 675dcf068706ce66989f3da5455135798d850abc69c0da8648018800288adf70
auth: sha256 41d2b1783f3073c0e9ca2611b343049460176b9b6c06e48ae3a9416d65bcc261
NPU acceleration: encryption(outbound) decryption(inbound)
Best regards,
Martin
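The addressing problem described in this post (client LAN 192.168.0.0/24 inside the HQ range 192.168.0.0/16) can be reasoned about without a lab. The following is an added example, not code from the thread or from Fortinet: it models the Windows client's routing table as a list of prefixes, reports which pushed split-tunnel prefixes overlap the local LAN, applies longest-prefix match to show where a given destination would actually be sent, and shows the address arithmetic of a hypothetical 1:1 prefix translation of 192.168.0.0/16 to 192.0.0.0/16. The routing table, the prefixes and the translation target are constructed assumptions; whether and how the firewall implements such a translation is not something the thread confirms.

```python
# Added example (not from the forum thread): model a split-tunnel client's
# routing table and check prefix overlap and longest-prefix match.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # "lan" = on-link client LAN, "tunnel" = VPN virtual adapter


def build_routes(client_lan: str, tunnel_prefixes: List[str]) -> List[Route]:
    """Constructed routing table: the client's own LAN plus the prefixes the
    VPN pushes as split-tunnel routes. A real table also carries a default
    route; it is left out so the model only answers 'LAN, tunnel, or neither'."""
    routes = [Route(ipaddress.ip_network(client_lan), "lan")]
    routes += [Route(ipaddress.ip_network(p), "tunnel") for p in tunnel_prefixes]
    return routes


def overlapping_prefixes(client_lan: str, tunnel_prefixes: List[str]) -> List[str]:
    """Return the pushed tunnel prefixes that overlap the client's local LAN."""
    lan = ipaddress.ip_network(client_lan)
    return [p for p in tunnel_prefixes if lan.overlaps(ipaddress.ip_network(p))]


def choose_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins, which is
    how the host decides whether a packet goes on-link or into the tunnel."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def shadowed_by_lan(client_lan: str, tunnel_prefix: str) -> Optional[ipaddress.IPv4Network]:
    """The part of the tunnel prefix that the more specific local LAN route
    hides from the VPN: hosts in it are sent on-link, never into the tunnel."""
    lan = ipaddress.ip_network(client_lan)
    tun = ipaddress.ip_network(tunnel_prefix)
    if lan.subnet_of(tun):
        return lan
    if tun.subnet_of(lan):
        return tun
    return None


def translate_prefix(addr: str, from_net: str, to_net: str) -> str:
    """Address arithmetic for a hypothetical 1:1 prefix translation: keep the
    host bits, swap the network bits. Only the mapping is shown here; how a
    firewall would apply it on the tunnel is outside this example."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    a = ipaddress.ip_address(addr)
    if a not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


if __name__ == "__main__":
    # Constructed scenario from the post: client /24 inside the HQ /16.
    lan, hq = "192.168.0.0/24", "192.168.0.0/16"
    print("overlap:", overlapping_prefixes(lan, [hq]))
    print("shadowed:", shadowed_by_lan(lan, hq))
    table = build_routes(lan, [hq])
    for host in ("192.168.0.50", "192.168.10.5", "8.8.8.8"):
        r = choose_route(table, host)
        print(host, "->", r.via if r else "no route in this model")
    # Hypothetical mapping of HQ into a range that no longer collides.
    print("mapped:", translate_prefix("192.168.5.7", hq, "192.0.0.0/16"))
```

The run makes the collision concrete: any HQ host in 192.168.0.0/24 is matched by the client's own /24 and never enters the tunnel, while HQ hosts outside that /24 do; after a 1:1 translation of the HQ range to 192.0.0.0/16 the client's local /24 no longer overlaps anything pushed through the tunnel.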
Labels: FortiClient, FortiGate, IPsec
You can check this document: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/426761/site-to-site-vpn-with...
Hi @mhaneke,
When connected to the VPN, do you see 10.0.0.0/8 in your routing table (route print)? If yes, you can run debug flow and try to generate traffic to 10.0.0.0/8. Please refer to this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,