IPsec Remote Access VPN - Force specific traffic through VPN

You have restarted the VPN connection...?
Please try a traceroute to your destination with and without VPN-Connection.

FQDN Host support is not available for IPsec Remote Access. Adding IP Host/Network in "Permitted Network Resources" is supported. But, the scx file has to be re-downloaded on the remote end. If you are using .pro file on the remote end, then the connection needs to be updated. In SSLVPN, only reconnection is needed

I downloaded a new SCX and OVPN files after making the change. For IPsec VPN, traceroute still goes out the internet.  By using SSL VPN, it goes through the tunnel.

The scenario is the customer has a hosted service that's only accessible from their office locations.  To give mobile users access, we need the traffic to first be routed through their IPsec VPN before egress to the internet.

I added the IP to the Permitted Network Resources for IPsec Remote Access and downloaded a new SCX file.  Traffic still goes out the internet instead of IPsec VPN.  I configured the SSL VPN and that works just fine.

Are you suggesting that this "should" work with IPsec VPN?

Yes, this should work with IPsec VPN. Do you have a split or full tunnel both in case of IPsec and SSLVPN ? You said the remote access users accessing the IP resources are mobile users. Which OS -- Android or iOS ?

Split Tunnel.  Mobile, sorry I meant to be those that are mobile in the field with Windows computers.  Then last entry in the permitted resources is the IP address to the external host.

Split Tunnel.  Mobile, sorry I meant to be those that are mobile in the field with Windows computers.  Then last entry in the permitted resources is the IP address to the external host.

This should have worked. In the "ipsec statusall" output from the firewall (you have to ssh to the firewall), when any remote user is connected, do you see your intended IP in child SA subnets ?