anoushiravan
Staff
April 7, 2026

Technical Tip: How to remove the old assigned IP address in routing table on IPsec client side once the tunnel is flushed or renegotiated

Description

This article describes how to remove the old assigned IP address from the routing table on the IPsec client side once the tunnel is flushed or renegotiated.

Scope

FortiGate.

Solution

In a dial-up IPsec tunnel, if 'ip-delay-interval' is enabled in phase1 on the IPsec dial-up server side, the client receives a new IP address, different from the previously used one, whenever the IPsec tunnel on the client is flushed or renegotiated. The old assigned IP address, however, remains in the client's routing table and is not removed:


config vpn ipsec phase1-interface
    edit <tunnel name>
        set ip-delay-interval <value in seconds>
    next
end


  • The following is a configuration example on the IPsec server side:


config vpn ipsec phase1-interface
    edit IPSEC-VPN
        set type dynamic
        set interface "wan"
        set ike-version 2
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256
        set dhgrp 2
        set ipv4-start-ip 172.20.0.2
        set ipv4-end-ip 172.20.15.250
        set ip-delay-interval 300    <-----
        set psksecret *******
    next
end


config vpn ipsec phase2-interface
    edit "IPSEC-VPN"
        set phase1name "IPSEC-VPN"
        set proposal aes256gcm
    next
end


  • The following is a configuration example on the IPsec client side:


config vpn ipsec phase1-interface
    edit "IPSEC-Client"
        set interface "wan"
        set ike-version 2
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256
        set dhgrp 2
        set remote-gw 10.65.5.2
        set psksecret *****
    next
end


config vpn ipsec phase2-interface
    edit "IPSEC-Client"
        set phase1name "IPSEC-Client"
        set proposal aes256gcm
    next
end


  • Here is the result in the routing table after the IPsec tunnel IPSEC-Client was flushed twice. There are three routes associated with the IPsec tunnel: two stale static (S) host routes left over from the previously assigned addresses, and the connected (C) route for the address currently assigned:


FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.15.2.6, wan, [1/0]
C 10.5.5.0/24 is directly connected, wan
S 172.20.0.2/32 [15/0] via IPSEC-Client tunnel 10.65.5.2, [1/0]    <-----
S 172.20.0.3/32 [15/0] via IPSEC-Client tunnel 10.65.5.2, [1/0]    <-----
C 172.20.0.4/32 is directly connected, IPSEC-Client    <-----
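The routing table above shows the symptom: host (/32) static routes via the tunnel that no longer match the address the tunnel currently holds. The following script is an added example, not part of the original article or any Fortinet tooling, that parses text in the format of `get router info routing-table all` and flags such stale entries, so an operator can spot the condition on many clients before applying the fix. The sample output embedded in it is constructed to mirror the article's table; the line format it expects is assumed from that output only.

```python
import re

# Constructed sample, modelled on the article's routing table (not captured
# from a real device).
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.15.2.6, wan, [1/0]
C 10.5.5.0/24 is directly connected, wan
S 172.20.0.2/32 [15/0] via IPSEC-Client tunnel 10.65.5.2, [1/0]
S 172.20.0.3/32 [15/0] via IPSEC-Client tunnel 10.65.5.2, [1/0]
C 172.20.0.4/32 is directly connected, IPSEC-Client
"""

# Static /32 route pointing through a tunnel interface, e.g.
# "S 172.20.0.2/32 [15/0] via IPSEC-Client tunnel 10.65.5.2, [1/0]"
STATIC_TUNNEL_RE = re.compile(
    r"^S\*?\s+(?P<prefix>\S+/32)\s+\[\d+/\d+\]\s+via\s+(?P<iface>\S+)"
    r"\s+tunnel\s+(?P<gw>[^,\s]+)"
)
# Connected /32 route on an interface, e.g.
# "C 172.20.0.4/32 is directly connected, IPSEC-Client"
CONNECTED_RE = re.compile(
    r"^C\s+(?P<prefix>\S+/32)\s+is directly connected,\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Split routing-table text into tunnel host routes and connected host routes.

    Returns (static, connected) where static is a list of
    (prefix, interface, gateway) tuples and connected maps interface -> prefix.
    Lines that are not /32 routes (default route, /24 LAN, header) are ignored.
    """
    static = []
    connected = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_TUNNEL_RE.match(line)
        if m:
            static.append((m["prefix"], m["iface"], m["gw"]))
            continue
        m = CONNECTED_RE.match(line)
        if m:
            connected[m["iface"]] = m["prefix"]
    return static, connected


def find_stale_tunnel_routes(text):
    """Return static /32 routes via a tunnel whose connected /32 has moved on.

    A tunnel interface that carries a connected /32 for address X and a static
    /32 for a different address Y has been re-assigned a mode-config IP while
    the old route for Y was left behind; that is exactly the condition the
    article describes. Each hit is reported with the tunnel's current address.
    """
    static, connected = parse_routes(text)
    stale = []
    for prefix, iface, gw in static:
        current = connected.get(iface)
        if current is not None and current != prefix:
            stale.append({"prefix": prefix, "tunnel": iface,
                          "gateway": gw, "current_ip": current})
    return stale


if __name__ == "__main__":
    for entry in find_stale_tunnel_routes(SAMPLE_ROUTING_TABLE):
        print(f"stale route {entry['prefix']} via {entry['tunnel']} "
              f"(tunnel now holds {entry['current_ip']})")
```

Run against the sample it reports the two leftover 172.20.0.2/32 and 172.20.0.3/32 routes and names 172.20.0.4/32 as the address the tunnel currently holds; a table with only the connected route produces no findings.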


To resolve this issue, enable net-device in phase1 on the IPsec dial-up client side (the IPSEC-Client tunnel in the example above):


config vpn ipsec phase1-interface
    edit "IPSEC-Client"
        set net-device enable
    next
end