KalleCloud
New Member
August 20, 2025
Question

redirect internet traffic over IPSec tunnel for only one vm

  • August 20, 2025
  • 2 replies
  • 531 views

Hi, I have this situation:
An on-premises network that connects to the internet via the local FortiGate through the local ISP. I have a single VM that I need to force to use the tunnel from the on-premises FortiGate to a FortiGate in the cloud, and to connect to the internet using the VPN. I have tried all possible configurations, but via PBR the VM continues to use the local ISP and does not use the VPN. I can't figure it out.

odg is the single IP of the VM. [Screenshot 2025-08-20 130009.png]

2 replies

funkylicious
SuperUser
August 20, 2025

Hi,

A PBR should do the trick, but I think that on the IPsec tunnel interfaces selected as Outgoing interface you would need to assign IP addresses on both ends in order for the action Forward Traffic to work - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-Firewall-Policy-Routes/ta-p/189996#:~:text=will%20be%20routed.-,Gateway%20Address,-%2D%20Type%20the%20IP

Then, of course, firewall rules on the local FGT and the remote end to allow the traffic.


L.E. I would also add an exemption for internal/RFC1918 subnets, if any are needed for this VM to communicate with, at a higher position in the PBR table.

"jack of all trades, master of none"
Toshi_Esumi
SuperUser
August 20, 2025

The most common misunderstanding when someone tries using policy routes on FGT is that both paths still need to have a proper route for the traffic to go out. In your case the default route needs to be in place for both the local internet interface and over the VPN. The priority can be lower for one of them. That's likely the reason it didn't work.

Toshi
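
Putting the two replies above together, here is an added example FortiOS CLI configuration that is not from the original thread, from Fortinet, or from the poster's firewall. It assumes the following names and addresses, all made up for illustration: the LAN-facing interface is "port2", the IPsec tunnel interface is "to-cloud", the VM is 10.10.10.20, the tunnel endpoint IPs are 10.255.255.1 (local) and 10.255.255.2 (cloud), and the ISP default route already exists on wan1. It shows the three pieces both replies say must be present at the same time: IPs on the tunnel interface so the policy route has a gateway, a default route over the tunnel in the routing table (with a worse priority than the ISP route so ordinary traffic is unaffected), and a policy route pair where the RFC1918 exemption sits above the forward-everything rule.

```fortios
# Added example, not the thread's or Fortinet's own config.
# Names, interfaces and addresses below are assumptions.

# 1. Tunnel interface needs IPs on both ends, otherwise the policy
#    route has no gateway to forward to (funkylicious' point).
config system interface
    edit "to-cloud"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. A default route over the tunnel must exist in the routing table
#    (Toshi's point). Same distance as the ISP route, but a higher
#    priority value, so the ISP route stays preferred for everyone
#    except what the policy route steers.
config router static
    edit 0
        set dst 0.0.0.0/0.0.0.0
        set device "to-cloud"
        set distance 10
        set priority 20
    next
end

# 3. Policy routes are evaluated top-down by seq-num.
#    Entry 1 stops policy routing for RFC1918 destinations so the VM
#    can still reach internal subnets normally; entry 2 sends all
#    remaining traffic from the VM into the tunnel.
config router policy
    edit 1
        set input-device "port2"
        set src "10.10.10.20/255.255.255.255"
        set dst "10.0.0.0/255.0.0.0" "172.16.0.0/255.240.0.0" "192.168.0.0/255.255.0.0"
        set action deny
    next
    edit 2
        set input-device "port2"
        set src "10.10.10.20/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "to-cloud"
        set gateway 10.255.255.2
        set action permit
    next
end

# 4. Firewall policy so the steered traffic is actually allowed out
#    of the tunnel interface. No NAT here: the cloud FortiGate does
#    the source NAT towards the internet.
config firewall address
    edit "vm-single-ip"
        set subnet 10.10.10.20 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "vm-to-cloud-tunnel"
        set srcintf "port2"
        set dstintf "to-cloud"
        set srcaddr "vm-single-ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

To check that the pieces line up, `get router info routing-table all` should list two default routes (wan1 and to-cloud), `diagnose firewall proute list` should show entries 1 and 2 in that order, and `diagnose sniffer packet to-cloud 'host 10.10.10.20' 4` should show the VM's packets entering the tunnel while it browses. The cloud FortiGate still needs its own policy from the tunnel interface to its internet interface with NAT enabled, plus a route for 10.10.10.20/32 pointing back down the tunnel, or return traffic will never arrive.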

KalleCloud
New Member
August 21, 2025

I did it but it is not working. I also have SD-WAN in place with wan1 and modem4g, so it seems that takes precedence, but I cannot add the IPsec VPN interface as an SD-WAN member; my version 7.6.1 has a bug and I can't upgrade the firmware, which is absurd. At least the firmware upgrade should be possible without support for lab use. How can I do it?

Toshi_Esumi
SuperUser
August 22, 2025

I keep hearing that the VM FGT has limitations/restrictions without a proper/valid license. Maybe that's one of them, and that's why you can't upgrade.

Toshi