FortiGate
Markus_M
Staff
Article Id 195586
This article explains the routing setting of the SSL-VPN split tunnel mode. If this route is missing, a connection loss or, more likely, a failure to reach internal resources may be experienced when dialing in with a client.

Useful documentation: Cookbook Sample Configuration for SSLVPN


Split tunneling is used when the client should send only traffic for internal resources through the tunnel, while all other internet traffic leaves the client directly.
If the private internal network IP range is not within the SSL-VPN tunnel IP range, an additional route on the client PC is required.
The default route (to 0.0.0.0/0) is used for any traffic unless a more specific route matches the destination ("Longest Prefix Match").

See the example below:

Private host on FGT internal interface: 10.105.1.31
SSL-VPN IP Range: 20.30.40.1 - 20.30.40.5

C:\>ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : fortitest
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-92-F5-96
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.31.224.43
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.31.224.254
        DNS Servers . . . . . . . . . . . : 10.105.1.254
Ethernet adapter Local Area Connection 2:
        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Fortinet virtual adapter
        Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
PPP adapter fortissl:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 20.30.40.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 92 f5 96 ...... AMD PCNET Family PCI Ethernet Adapter - Fortidrv Miniport
0x10004 ...00 09 0f fe 00 01 ...... Fortinet virtual adapter - Packet Scheduler Miniport
0x160005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   172.31.224.254   172.31.224.43       30
         20.0.0.0        255.0.0.0       20.30.40.1      20.30.40.1       1
       20.30.40.1  255.255.255.255        127.0.0.1       127.0.0.1       50
   20.255.255.255  255.255.255.255       20.30.40.1      20.30.40.1       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     172.31.224.0    255.255.255.0    172.31.224.43   172.31.224.43       30
    172.31.224.43  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.31.226.141  255.255.255.255       20.30.40.1      20.30.40.1       1
   172.31.226.141  255.255.255.255   172.31.224.254   172.31.224.43       1
   172.31.255.255  255.255.255.255    172.31.224.43   172.31.224.43       30
        224.0.0.0        240.0.0.0       20.30.40.1      20.30.40.1       50
        224.0.0.0        240.0.0.0    172.31.224.43   172.31.224.43       30
  255.255.255.255  255.255.255.255       20.30.40.1           10004       1
  255.255.255.255  255.255.255.255    172.31.224.43   172.31.224.43       1
Default Gateway:    172.31.224.254
===========================================================================
Persistent Routes:
  None
C:\>ping 10.105.1.31
Pinging 10.105.1.31 with 32 bytes of data:
Request timed out.
Ping statistics for 10.105.1.31:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>

It is possible to manually add the route for testing:


C:\>route add 10.105.1.0 mask 255.255.255.0 20.30.40.1 metric 1
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 92 f5 96 ...... AMD PCNET Family PCI Ethernet Adapter - Fortidrv Miniport
0x10004 ...00 09 0f fe 00 01 ...... Fortinet virtual adapter - Packet Scheduler Miniport
0x160005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   172.31.224.254   172.31.224.43       30
       10.105.1.0    255.255.255.0       20.30.40.1      20.30.40.1       1
         20.0.0.0        255.0.0.0       20.30.40.1      20.30.40.1       1
       20.30.40.1  255.255.255.255        127.0.0.1       127.0.0.1       50
   20.255.255.255  255.255.255.255       20.30.40.1      20.30.40.1       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     172.31.224.0    255.255.255.0    172.31.224.43   172.31.224.43       30
    172.31.224.43  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.31.226.141  255.255.255.255       20.30.40.1      20.30.40.1       1
   172.31.226.141  255.255.255.255   172.31.224.254   172.31.224.43       1
   172.31.255.255  255.255.255.255    172.31.224.43   172.31.224.43       30
        224.0.0.0        240.0.0.0       20.30.40.1      20.30.40.1       50
        224.0.0.0        240.0.0.0    172.31.224.43   172.31.224.43       30
  255.255.255.255  255.255.255.255       20.30.40.1           10004       1
  255.255.255.255  255.255.255.255    172.31.224.43   172.31.224.43       1
Default Gateway:    172.31.224.254
===========================================================================
Persistent Routes:
  None
C:\>ping 10.105.1.31
Pinging 10.105.1.31 with 32 bytes of data:
Reply from 10.105.1.31: bytes=32 time=8ms TTL=127
Reply from 10.105.1.31: bytes=32 time=3ms TTL=127
Ping statistics for 10.105.1.31:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 8ms, Average = 5ms

C:\>
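To show why the first ping fails and the second succeeds, here is an added example (not from the article or from Fortinet) that parses the relevant Active Routes lines from the two route print outputs above and applies longest prefix matching to 10.105.1.31. The route lines are copied from the tables above, trimmed to the entries that matter; everything else is assumed for illustration.

```python
import ipaddress

# Constructed excerpt of the "Active Routes" table from the article's
# "route print" output before the manual "route add" (not the full table).
ROUTES_BEFORE = """\
          0.0.0.0          0.0.0.0   172.31.224.254   172.31.224.43       30
         20.0.0.0        255.0.0.0       20.30.40.1      20.30.40.1       1
       20.30.40.1  255.255.255.255        127.0.0.1       127.0.0.1       50
     172.31.224.0    255.255.255.0    172.31.224.43   172.31.224.43       30
   172.31.226.141  255.255.255.255       20.30.40.1      20.30.40.1       1
"""
# Same table after "route add 10.105.1.0 mask 255.255.255.0 20.30.40.1 metric 1".
ROUTES_AFTER = ("       10.105.1.0    255.255.255.0       20.30.40.1"
                "      20.30.40.1       1\n") + ROUTES_BEFORE


def parse_routes(text):
    """Turn 'route print' Active Routes lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Longest prefix match: the most specific network wins, lowest metric breaks ties."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def via_tunnel(routes, destination, tunnel_ip="20.30.40.1"):
    """True when traffic to destination would leave through the SSL-VPN adapter."""
    route = lookup(routes, destination)
    return route is not None and route[2] == tunnel_ip


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        route = lookup(parse_routes(table), "10.105.1.31")
        print(label, route[0], "via", route[1], "on interface", route[2])
```

Before the route is added, 10.105.1.31 only matches the default route and leaves through the physical adapter; afterwards the /24 is the longest match and the traffic enters the tunnel.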

This route can be set automatically by using the "Routing Address" setting in the GUI.
In this example, a firewall address object for the internal subnet is added, which could look like:

config firewall address
    edit "internal_subnet"
        set subnet 10.105.1.0 255.255.255.0
    next
end
and is then added to the Routing Address setting of the tunnel:



The route should now be set automatically and will appear on the client in the output of the route print command.

In the above example the DNS server is also in the same network as the host to be reached. If DNS does not work while the VPN tunnel is connected, the route to the DNS server may be missing in the same way.


