Description
This article describes how to fix issues with IPsec tunnels configured with an IPpool as a local gateway.
Scope
FortiOS 6.4.9 and FortiOS 7.0.1. |
Solution
Upgrading the firewall to FortiOS 6.4.9 or 7.0.1 can break IPsec tunnels that use an IPpool address as their local gateway: starting with these versions, IPpool addresses are no longer treated as local addresses.
For example, a configuration like the one below may no longer work after the upgrade, and the tunnel will not come up.
# config firewall ippool
# edit "192.0.1.1"
# show
config firewall ippool
    edit "192.0.1.1"
        set type one-to-one
        set startip 192.0.1.1
        set endip 192.0.1.1
    next
end

# config vpn ipsec phase1-interface
# edit My_tunnel
# set local-gw 192.0.1.1
The issue can be solved by configuring the IPpool address as a secondary IP on the interface the tunnel is terminated on. Assuming the tunnel is terminated on wan1:
# show system interface wan1
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.0.1.1 255.255.255.255
            next
        end
    next
end
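To find affected tunnels before upgrading, the check below parses a FortiOS-style configuration dump (the output of show) and reports every phase1-interface whose local-gw lies in an IPpool range but is not a primary or secondary IP of the interface the tunnel is bound to, then prints the secondary-IP fix described above. This is an added example, not Fortinet code or tooling; the configuration text, the tunnel and interface names (My_tunnel, Good_tunnel, wan1, wan2) and the secondaryip index 1 are constructed assumptions.

```python
# Added example (not Fortinet's code): pre-upgrade check that flags IPsec
# phase1-interfaces whose local-gw is only an IP pool address.
import ipaddress
import shlex

# Constructed sample: My_tunnel still relies on a pool address as local-gw
# (breaks on 6.4.9 / 7.0.1); Good_tunnel has its pool address as a secondary IP.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "vpn-pool"
        set type one-to-one
        set startip 192.0.1.1
        set endip 192.0.1.2
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
    next
    edit "wan2"
        set ip 198.51.100.10 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.0.1.2 255.255.255.255
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "My_tunnel"
        set interface "wan1"
        set local-gw 192.0.1.1
    next
    edit "Good_tunnel"
        set interface "wan2"
        set local-gw 192.0.1.2
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts: sections keyed
    'config <name>', entries by edit name, 'set k v1 v2' -> k: [v1, v2]."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault("config " + " ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def interface_addresses(cfg):
    """interface name -> set of its primary and secondary IPs (strings)."""
    result = {}
    for name, iface in cfg.get("config system interface", {}).items():
        ips = {iface["ip"][0]} if "ip" in iface else set()
        for sec in iface.get("config secondaryip", {}).values():
            if "ip" in sec:
                ips.add(sec["ip"][0])
        result[name] = ips
    return result


def pool_only_local_gws(cfg):
    """(tunnel, interface, local_gw) for every phase1-interface whose local-gw
    falls inside an IP pool range but is not an IP of its bound interface."""
    ranges = [(ipaddress.ip_address(p["startip"][0]),
               ipaddress.ip_address(p["endip"][0]))
              for p in cfg.get("config firewall ippool", {}).values()
              if "startip" in p and "endip" in p]
    ifaces = interface_addresses(cfg)
    findings = []
    for name, p1 in cfg.get("config vpn ipsec phase1-interface", {}).items():
        if "local-gw" not in p1:
            continue
        gw = ipaddress.ip_address(p1["local-gw"][0])
        iface = p1.get("interface", [""])[0]
        in_pool = any(lo <= gw <= hi for lo, hi in ranges)
        if in_pool and str(gw) not in ifaces.get(iface, set()):
            findings.append((name, iface, str(gw)))
    return findings


def remediation_cli(interface, ip):
    """The article's fix as CLI text: add `ip` as a /32 secondary IP on
    `interface` (secondaryip index 1 is assumed to be unused)."""
    return (f'config system interface\n    edit "{interface}"\n'
            f'        set secondary-IP enable\n        config secondaryip\n'
            f'            edit 1\n                set ip {ip} 255.255.255.255\n'
            f'            next\n        end\n    next\nend')


if __name__ == "__main__":
    for tunnel, iface, gw in pool_only_local_gws(parse_fortios(SAMPLE_CONFIG)):
        print(f"{tunnel}: local-gw {gw} is only an IP pool address on {iface}")
        print(remediation_cli(iface, gw))
```

Run against a real show dump, the parser tolerates the nested config secondaryip block, and only tunnels whose local-gw has no matching interface IP are reported, so tunnels already fixed with a secondary IP (Good_tunnel in the sample) are silent.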