How can I set some forticlient users to use split tunnel and the others not to use?

  • 1.  How can I set some forticlient users to use split tunnel and the others not to use?

    Posted Oct 08, 2017 04:49 PM

    I've successfully configured remote VPN on my FortiGate for my FortiClient users. Then I got a new requirement: some FortiClient users want only intranet traffic to go through the VPN, so I think I should configure split tunnel for them. But the others want all communications to go through the VPN. I can't find how to configure this case in the FortiGate configuration guide. Could anyone help me? Thanks.



  • 2.  RE: How can I set some forticlient users to use split tunnel and the others not to use?

    Posted Oct 09, 2017 01:05 AM

    To configure split tunneling you need to indicate which networks belong to your intranet. For that, you can create an object like the one I called ip-intranet.

    config vpn ipsec phase1-interface
    edit "group1"
    set type dynamic
    set interface "vpninterface"
    set mode aggressive
    set peertype one
    set mode-cfg enable
    set ipv4-dns-server1 x.x.x.x
    set ipv4-dns-server2 x.x.x.y
    set proposal aes128-sha1 aes128-sha256
    set localid "group1"
    set localid-type keyid
    set dhgrp 5
    set wizard-type dialup-forticlient
    set xauthtype auto
    set authusrgrp "GroupRadius"
    set peerid "group1"
    set assign-ip-from usrgrp
    set ipv4-split-include "ip-intranet"
    set domain "internal.domain"
    set include-local-lan enable
    set save-password enable
    set client-keep-alive enable
    set psksecret pskpassword
    set keepalive 60
    next
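
As an added example (not from the thread and not Fortinet's own tooling): a small Python check that reads a `phase1-interface` block and reports which dial-up tunnels push a split-tunnel route set and which send all traffic through the VPN, so you can confirm each user group landed on the intended tunnel. The `group2` entry and the `GroupFullTunnel` name are constructed, and the script assumes a tunnel with no `ipv4-split-include` is full tunnel.

```python
# Constructed sample: "group1" mirrors the settings posted above; "group2" is
# a hypothetical second dial-up tunnel with no split-include (full tunnel).
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "group1"
        set type dynamic
        set mode aggressive
        set peerid "group1"
        set ipv4-split-include "ip-intranet"
        set save-password enable
    next
    edit "group2"
        set type dynamic
        set mode aggressive
        set authusrgrp "GroupFullTunnel"
        set peerid "group2"
    next
end
'''

# Settings worth a second look: aggressive mode with a PSK sends the peer ID
# in clear and is open to offline PSK guessing; save-password stores the
# user's credential on the client.
REVIEW = (("mode", "aggressive"), ("save-password", "enable"))

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} from the phase1-interface block."""
    tunnels, current, inside = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config vpn ipsec phase1-interface"):
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside and line.startswith("edit "):
            current = tunnels.setdefault(line[5:].strip().strip('"'), {})
        elif inside and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return tunnels

def audit(text):
    """Classify each dial-up tunnel as split or full and list settings to review."""
    report = {}
    for name, cfg in parse_phase1(text).items():
        if cfg.get("type") != "dynamic":
            continue  # only dial-up (dynamic) tunnels serve FortiClient users
        split = cfg.get("ipv4-split-include")
        review = [key for key, value in REVIEW if cfg.get(key) == value]
        report[name] = {"tunnel": "split" if split else "full", "split_include": split,
                        "peerid": cfg.get("peerid"), "review": review}
    return report
```

Paste the `phase1-interface` section from a configuration backup in place of `SAMPLE` to run it against a real device.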