FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
If this is not an option, a routable IP address must be assigned to the tunnel interface itself as follows.
FortiGate A:
config system interface edit "FTP-10.9.15.176" set vdom "root" set ip 172.16.10.1 255.255.255.255 set allowaccess ping https http set type tunnel set remote-ip 172.16.10.2 255.255.255.0 set snmp-index 26 set interface "port2" next end
FortiGate B:
config system interface edit "172.25.183.86" set vdom "root" set ip 172.16.10.2 255.255.255.255 set allowaccess ping https http set type tunnel set remote-ip 172.16.10.1 255.255.255.0 set snmp-index 2 set interface "port2" next end
If no IP address has been assigned, self-originated SFTP/TFTP traffic will use the source IP from the interface with the lowest index ID. This is often the IP address of the mgmt, wan1, or dmz interface, depending on the platform. See the article Technical Tip: Self-originating traffic over IPSec VPN (For example, ping).
The sniffer output shows as follows before assigning the IP address to a tunnel interface:
diagnose sniffer packet any 'host 192.168.30.2' 4 0 l Using Original Sniffing Mode interfaces=[any] filters=[host 192.168.30.2] 2025-04-11 15:29:30.623266 172.25.183.86 out 10.9.31.176.9098 -> 192.168.30.2.21: syn 64787980 2025-04-11 15:29:31.701918 172.25.183.86 out 10.9.31.176.9098 -> 192.168.30.2.21: syn 64787980
After assigning an IP address to the tunnel interface:
2025-04-11 15:43:53.835630 172.25.183.86 out 172.16.10.2.15220 -> 192.168.30.2.21 2025-04-11 15:43:53.844995 172.25.183.86 in 192.168.30.2.21 -> 172.16.10.2.15220
