Visitor III

Solved

VPN Site to Site

Forum|Forum|9 months ago
September 16, 2025
2 replies
544 views

I build site to site vpn connection from fortigate in HQ and sophos xg in branch.

In the tunnel interface in fortigate listen on port8 with ip address xx.xx.xx.230

Screenshot 2025-09-16 071332.png

The vpn connection is established, the branch and hq can communicate but if i traceroute from branch to hq i feel strange why the traffic passing thru another ip in fortigate xx.xx.xx.246 and not to xx.xx.xx.230?

Here my tracert result

Tracing route to 10.7.208.52 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.108.150.1
2 22 ms 16 ms 20 ms xx.xx.xx.246
3 29 ms 20 ms 20 ms 10.7.101.2
4 21 ms 23 ms 18 ms 10.7.208.52

FortiGate

Best answer by princes

Hello HS08,

It might be the interface index selected instead of tunnel interface.

Kindly check the below for reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-tracert-traceroute-behavior-over-IPsec-VPN-tunnel/ta-p/192200

Regards,

Prince

Stephen_G

Moderator

Hello HS08,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Stephen_G - Fortinet Community Team

princesAnswer

Staff

Hello HS08,

It might be the interface index selected instead of tunnel interface.

Kindly check the below for reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-tracert-traceroute-behavior-over-IPsec-VPN-tunnel/ta-p/192200

Regards,

Prince

HS08Author

Visitor III

make sense, when i assign ip address to the tunnel interface now the tracert showing right path.

Toshi_Esumi

SuperUser

Traceroute's host IPs in the output is just host IPs. Not necessarily ingress or egress interface IPs. They're just to "identify" the hosts.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded