fortesguy
New Member
January 31, 2026
Solved

Fortigate can't access internet router over IPSEC

  • January 31, 2026
  • 3 replies
  • 267 views

Hello all,

I need your help with a problem.
I have a central location and a few branch locations.
All branch locations have internet routed via an IPsec VPN established with the central location.

The problem is that devices at the branch locations have internet access while the FortiGate itself doesn't (for license updates etc.).

So what am I missing here? The branch office IPsec phase 2 remote subnet is set to all (so devices can access the internet). Ping and traceroute from the branch office FortiGate don't return anything; the firewall isn't blocking anything related to the FortiGate directly (or at least the logs don't show anything).
The central location is a FortiGate 70G while the branch locations have 40Fs, if that matters.

It is probably a really simple solution, but I couldn't find it yet :)

Thanks!

3 replies

funkylicious
SuperUser
January 31, 2026

Hi,

Try setting source-ip / source-interface for the traffic (local-out routing). If the IPsec tunnel doesn't have an IP assigned to it, that might be the issue.

"jack of all trades, master of none"
hpenmetsa
Staff
February 1, 2026

Hi, please run the commands below simultaneously on both the branch and the central FGT, then try pinging the destination to check the traffic flow and see where the traffic is dropping.

diag debug reset
diagnose debug flow filter addr <Destination IP>
diagnose debug flow filter proto 1
diagnose debug flow show iprope enable
diagnose debug flow show fun enable
diagnose debug flow trace start 1000
diagnose debug enable


Thanks

fortesguy (Author, accepted answer)
New Member
February 3, 2026

Hello,
I did some more digging before coming back to this topic and actually found a simple solution, in case anyone has a similar problem.

All I had to do was set the FortiGuard gateway and DNS (same IP as the FortiGate itself):

    config system fortiguard
        set source-ip 172.21.4.1
    end
    config system dns
        set source-ip 172.21.4.1
    end
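For context on why the accepted answer works, and as an added example that is not part of any post in this thread: the FortiGate's own (local-out) traffic normally takes its source address from the interface the route points out of. When the default route points into an IPsec tunnel interface that has no IP address, services such as FortiGuard and DNS have no usable source, so they silently fail even though routed traffic from LAN hosts (which already carries a LAN source address inside the phase 2 selector) goes through fine. The fragment below shows the poster's fix (option A), the same pattern applied to another local-out service, and the alternative funkylicious pointed at, giving the tunnel interface an address (option B). The interface name "to-hq", the 10.255.0.0/30 tunnel addresses and the NTP stanza are assumptions for illustration, not settings from the thread; 172.21.4.1 is the poster's own LAN address. For option B, the central FortiGate must also have a phase 2 selector and a route covering the branch tunnel address, or the reply traffic has nowhere to go.

```text
# Added example, not from the original thread. Addresses, the tunnel name
# "to-hq" and the NTP stanza are assumed placeholders; 172.21.4.1 is the
# poster's branch LAN address.

# Option A (the accepted answer): pin the source IP of the FortiGate's own
# FortiGuard and DNS traffic to an address that falls inside the phase 2
# selector, here the branch LAN interface address.
config system fortiguard
    set source-ip 172.21.4.1
end
config system dns
    set source-ip 172.21.4.1
end
# Any other local-out service that must reach the internet through the
# tunnel needs the same treatment (assumed example: NTP).
config system ntp
    set source-ip 172.21.4.1
end

# Option B (alternative): give the tunnel interface a point-to-point
# address so local-out traffic routed into it has a source of its own.
# Assumed tunnel interface name and /32 addresses; the central side needs
# a matching selector and a return route for 10.255.0.2.
config system interface
    edit "to-hq"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.255
    next
end

# Check: force a source address on a test ping. If this succeeds while a
# plain "execute ping 8.8.8.8" fails, the problem is source selection,
# not the tunnel or the policy.
execute ping-options source 172.21.4.1
execute ping 8.8.8.8
execute ping-options reset
```

Prefer option A when the phase 2 selectors are already in place, since it changes nothing on the central side; option B is cleaner long-term (every local-out service inherits the tunnel address) but touches both ends of the VPN. In either case, re-run hpenmetsa's `diagnose debug flow` trace afterwards to confirm the FortiGate's own packets now enter the tunnel with the expected source.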