Monday, September 9, 2013

FortiClient split tunnel on FortiGate

In this post we will look at how you could deploy split tunneling. With split tunneling, only certain networks are sent across the tunnel, which allows the client to browse the internet directly through their normal ISP connection.

Only the networks defined in the split tunnel are carried over the VPN.

1st: Here's the topology:





Okay, so let's say you want the client to have access to the LAN and WIFI subnets over their VPN connection.

Well, that can be controlled using a split-include that matches the networks to be allowed. Take this configuration example for IPsec:



I highlighted the split-include. The split-include references an address group that includes both the LAN and WIFI subnets.





So now any IPsec client is issued only those subnets. Here's a snapshot of my route table:



As you can see, the two remote subnets and the IPsec virtual address are in my IPv4 route table.

For SSL VPN, we use the same method, but we configure this under our SSL VPN web portal configuration:



And in our route table we would have:
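As an added example (not the screenshots from the original post), here is how the split-include address group ties into both the IPsec dialup phase1 and the SSL VPN web portal on the FortiOS CLI; the object names, interface, subnets and client address pool are assumed placeholders.

```fortios
# Added example, not the author's own config. All names and subnets are constructed placeholders.
# The two remote subnets that should be reachable through the tunnel
config firewall address
    edit "LAN"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "WIFI"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# One group holds both subnets; this is what the split-include references
config firewall addrgrp
    edit "grp_split_tunnel"
        set member "LAN" "WIFI"
    next
end

# IPsec dialup for FortiClient: mode-cfg pushes the client address and the split-include routes
config vpn ipsec phase1-interface
    edit "dialup_fct"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.200.0.10
        set ipv4-end-ip 10.200.0.100
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "grp_split_tunnel"
    next
end

# SSL VPN: the same address group, but set on the web portal instead of phase1
config vpn ssl web portal
    edit "fct-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "grp_split_tunnel"
    next
end
```

Because only the grouped subnets are routed into the tunnel, keep the group limited to what clients actually need; everything else leaves the client through the local ISP and is never seen by the FortiGate's policies.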





Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
