IPSEC VPN Routing

New Member, 2019/06/16 01:46:37


Good day,
I was wondering if anybody can help me, as I am new to FortiGate.
I have two FortiGates, one at HQ and one at a branch.
HQ public ip 41.138.x.x
Local LAN :
Remote site public ip 86.179.x.x
Local LAN :
VLAN20 :
I have set up an IPsec VPN between the two sites with phase 2 selectors of Now I need to route all internet traffic from VLAN20 over the VPN tunnel so that it looks like VLAN20 is coming from my HQ's public IP.
Can someone perhaps guide me on how to set up static routes and which policies I should create to route all traffic from VLAN20 over the tunnel? The local LAN on the remote gate does not need to go through the tunnel.
Many thanks in advance.
Gold Member, Re: IPSEC VPN Routing, 2019/06/16 05:45:22
1) What routing protocol do you have (static, dynamic)?
2) If static, you can add a default gateway pointing to the VPN interface (I assume you have a route-based IPsec VPN).
3) Make sure firewall policies are in place and you don't do NAT.
Do you have any plan for what to do with the traffic when the VPN is down?
Expert Member (Heidelberg, Germany), Re: IPSEC VPN Routing, 2019/06/16 10:17:58 (marked helpful by Cornelis 2019/06/18 09:53:04)
There is only one default route per system/FGT/VDOM. In your case, I assume you will still want to use a local breakout at the remote site, so pointing the default route to the tunnel is not an option.
And it doesn't need to be. You need a route which is followed if the source address comes from VLAN20. This is done by a policy route. You might have to enable the GUI feature for this.
When VLAN20 traffic reaches the HQ FGT, you have to make VLAN20 known there, otherwise this traffic from an 'unknown' source will be discarded. For the reply traffic you need a route anyway. So create a static route on the HQ FGT pointing VLAN20-destined traffic to the tunnel interface (no gateway).
Remember that if the destination is used to select a route, you use regular routes; if other fields like source address, ports etc. are needed, use policy routes.
As easy as this one is, I'd rather not be around when one day you want to connect both regular LANs with identical address space. Doable, but a nightmare.


" Kernel panic: Aiee, killing interrupt handler!"
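A worked configuration for the routing described in the reply above, added here as an example; it is not from the thread and not taken from Fortinet's own documentation. It assumes names the posts do not give: VLAN20 is 10.0.20.0/24 and its branch interface is called "VLAN20", the branch-side tunnel interface is "HQ-VPN", the HQ-side tunnel interface is "BRANCH-VPN", and the internet-facing interface on both units is "wan1"; substitute your own. It also assumes a route-based IPsec tunnel whose phase 2 selectors on both ends already cover VLAN20 to 0.0.0.0/0 (with narrower selectors the SA will not carry internet-bound traffic no matter how the routing is set up). Syntax is FortiOS 6.x CLI.

```text
# ---- Branch FortiGate ----
# Address object for VLAN20 (10.0.20.0/24 is assumed; the thread gives no subnet)
config firewall address
    edit "VLAN20-NET"
        set subnet 10.0.20.0 255.255.255.0
    next
end

# Policy route: anything sourced from VLAN20 leaves via the tunnel, whatever
# the destination. The regular default route via wan1 is untouched, so the
# branch's own LAN keeps its local breakout.
config router policy
    edit 1
        set input-device "VLAN20"
        set src "10.0.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "HQ-VPN"
    next
end

# Firewall policy VLAN20 -> tunnel with NAT off: HQ must see the real VLAN20
# source addresses, because its return route points back at them.
config firewall policy
    edit 10
        set name "VLAN20-to-HQ-internet"
        set srcintf "VLAN20"
        set dstintf "HQ-VPN"
        set srcaddr "VLAN20-NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Deliberately no VLAN20 -> wan1 policy: if the tunnel drops, the policy route
# is skipped and VLAN20 traffic is denied instead of leaking out with the
# branch public IP.

# If "diagnose firewall proute list" shows the route but no hits, some FortiOS
# releases only honour a policy route whose output interface also carries a
# matching entry in the routing table. A second default route via the tunnel,
# present but less preferred (same distance as the wan1 default, higher
# priority value), satisfies that check without changing the branch LAN's
# breakout:
# config router static
#     edit 20
#         set dst 0.0.0.0 0.0.0.0
#         set device "HQ-VPN"
#         set distance 10
#         set priority 20
#     next
# end

# ---- HQ FortiGate ----
config firewall address
    edit "VLAN20-NET"
        set subnet 10.0.20.0 255.255.255.0
    next
end

# Return route for VLAN20 via the tunnel interface, no gateway. Without it the
# reverse-path check discards VLAN20 packets arriving from the tunnel, and
# replies would have no way back.
config router static
    edit 10
        set dst 10.0.20.0 255.255.255.0
        set device "BRANCH-VPN"
    next
end

# Tunnel -> internet with source NAT, so VLAN20 appears as the HQ wan1 address.
config firewall policy
    edit 20
        set name "BRANCH-VLAN20-internet"
        set srcintf "BRANCH-VPN"
        set dstintf "wan1"
        set srcaddr "VLAN20-NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Checks:
#   branch:  diagnose firewall proute list
#   branch:  diagnose sniffer packet HQ-VPN 'net 10.0.20.0/24' 4
#   HQ:      get router info routing-table all   (expect 10.0.20.0/24 via BRANCH-VPN)
```

The branch side is configured fail-closed on purpose: with no VLAN20-to-wan1 policy, a tunnel outage stops VLAN20 rather than silently sending it out under the branch's own public IP, which answers the "what happens when the VPN is down" question from the earlier reply. If a local-breakout fallback is wanted instead, add a VLAN20-to-wan1 policy with NAT enabled and accept that during an outage the traffic no longer appears to come from HQ.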
New Member, Re: IPSEC VPN Routing, 2019/06/18 05:03:43
Apologies, my local LAN is and not on the HQ side; that was a typo.