dbhavsar
Staff
Article Id 387524
Description This article describes how to perform a configuration backup over an IPsec tunnel with the 'execute backup config' command.
Scope FortiGate.
Solution

Configure the IPsec site-to-site tunnel as described in Site-to-site VPN.


In FortiOS v7.4 and later, a local source IP address can be configured using 'preferred-source' in the routing configuration. See the article Technical Tip: Custom source IP for locally originated TFTP/FTP/SFTP traffic.

If this is not an option, a routable IP address must be assigned to the tunnel interface itself as follows.

FortiGate A:


config system interface
    edit "FTP-10.9.15.176"
        set vdom "root"
        set ip 172.16.10.1 255.255.255.255
        set allowaccess ping https http
        set type tunnel
        set remote-ip 172.16.10.2 255.255.255.0
        set snmp-index 26
        set interface "port2"
    next
end


FortiGate B:


config system interface
    edit "172.25.183.86"
        set vdom "root"
        set ip 172.16.10.2 255.255.255.255
        set allowaccess ping https http
        set type tunnel
        set remote-ip 172.16.10.1 255.255.255.0
        set snmp-index 2
        set interface "port2"
    next
end


  • If no IP address has been assigned, self-originated SFTP/TFTP traffic will use the source IP from the interface with the lowest index ID. This is often the IP address of the mgmt, wan1, or dmz interface, depending on the platform. See the article Technical Tip: Self-originating traffic over IPSec VPN (For example, ping).
  • Before an IP address is assigned to the tunnel interface, the sniffer output looks like this (the backup traffic is sourced from 10.9.31.176, not from the tunnel):


diagnose sniffer packet any 'host 192.168.30.2' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.30.2]
2025-04-11 15:29:30.623266 172.25.183.86 out 10.9.31.176.9098 -> 192.168.30.2.21: syn 64787980
2025-04-11 15:29:31.701918 172.25.183.86 out 10.9.31.176.9098 -> 192.168.30.2.21: syn 64787980

  • After assigning an IP address to the tunnel interface, the backup traffic is sourced from the tunnel address 172.16.10.2:


2025-04-11 15:43:53.835630 172.25.183.86 out 172.16.10.2.15220 -> 192.168.30.2.21
2025-04-11 15:43:53.844995 172.25.183.86 in 192.168.30.2.21 -> 172.16.10.2.15220
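To confirm the change from the two captures above without reading the sniffer output by hand, the following added Python check (not part of the Fortinet article) parses 'diagnose sniffer packet' lines and flags outbound packets to the backup server that are not sourced from the tunnel IP. The sample lines are constructed from the captures above; the server 192.168.30.2, FTP port 21 and expected source 172.16.10.2 are taken from them.

```python
import re
from dataclasses import dataclass

# Constructed sample of 'diagnose sniffer packet' output, modelled on the
# article's captures: one packet before the tunnel IP was assigned, two after.
SNIFFER_OUTPUT = """\
2025-04-11 15:29:30.623266 172.25.183.86 out 10.9.31.176.9098 -> 192.168.30.2.21: syn 64787980
2025-04-11 15:43:53.835630 172.25.183.86 out 172.16.10.2.15220 -> 192.168.30.2.21
2025-04-11 15:43:53.844995 172.25.183.86 in 192.168.30.2.21 -> 172.16.10.2.15220
"""

# Sniffer line layout: "<date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>[: flags]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_sniffer(text):
    """Parse sniffer output into Packet records; non-matching lines (headers) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["iface"], m["dir"], m["src"],
                                  int(m["sport"]), m["dst"], int(m["dport"])))
    return packets


def check_backup_source(packets, server, expected_src, port=21):
    """Return (timestamp, source IP) for outbound packets to server:port not sourced from expected_src.

    An empty list means every backup connection left the FortiGate with the tunnel address.
    """
    return [(p.ts, p.src) for p in packets
            if p.direction == "out" and p.dst == server and p.dport == port
            and p.src != expected_src]


if __name__ == "__main__":
    for ts, src in check_backup_source(parse_sniffer(SNIFFER_OUTPUT), "192.168.30.2", "172.16.10.2"):
        print(f"{ts}: backup traffic sourced from {src} instead of the tunnel IP")
```

Paste the output of 'diagnose sniffer packet any "host <server>" 4 0 l' into SNIFFER_OUTPUT to run it against a live capture.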