Article Id: 277176

Description: This article describes how to manually configure a local device with an IP address in the remote subnet of an IPsec tunnel and access it from the remote side.

Scope: FortiGate, all firmware.

This article explains the process for a scenario where devices on the local side must be configured with an IP address in the remote subnet of the IPsec tunnel.


For example:


Local subnet - 


Remote subnet - 


If a few of the devices on the local side need to take an IP address from the remote subnet, follow the procedure below.


The following topology was used to create this article:

---(.1) (Remote-FortiGate) --- IPsec tunnel --- (Local-FortiGate) (.1)--- --- Host (which is required to be in the remote subnet, for instance a printer).


This procedure assumes the IPsec tunnel is already configured.


  • First, assign a static IP to the host …. is used in this example and the gateway is set to (which is the IP of the port the device is connected to) of the local FortiGate.



  • Then configure a static route on the local FortiGate where the host is connected. The device should have Internet access now.



  • For this host to access something on Remote-FortiGate, or vice versa, configure proxy-arp on Local-FortiGate:


config system proxy-arp
    edit 1
        set ip
        set end-ip
    next
end



  • The last step is to configure a static route on Remote-FortiGate with the interface set as tunnel_interface.



Both FortiGates should now be able to access the host, and vice versa.
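
The whole procedure as one FortiOS CLI sketch, added here as an example and not taken from the original article. Every address and interface name is a constructed assumption (documentation ranges): the host is 198.51.100.50 in remote subnet 198.51.100.0/24, it sits behind `port2` of Local-FortiGate, and the tunnel interface on the remote side is named `to-local`. Binding proxy-arp to the host-facing port, and the range chosen for it, are also assumptions, since the article does not show them.

```fortios
# ---------- Local-FortiGate (all values constructed) ----------
# Host route: the remote-subnet address actually lives on port2.
config router static
    edit 0
        set dst 198.51.100.50 255.255.255.255
        set device "port2"
    next
end

# The host treats the remote subnet as on-link and sends ARP
# requests for it; answer on the host-facing port, only for the
# remote addresses the host has to reach (assumed range).
config system proxy-arp
    edit 1
        set interface "port2"
        set ip 198.51.100.10
        set end-ip 198.51.100.20
    next
end

# ---------- Remote-FortiGate (all values constructed) ----------
# Send traffic for the relocated host into the IPsec tunnel
# instead of out of the directly connected remote subnet.
config router static
    edit 0
        set dst 198.51.100.50 255.255.255.255
        set device "to-local"
    next
end
```

Keeping the routes at /32 and the proxy-arp range limited to the addresses involved prevents the FortiGate from answering ARP for, or pulling traffic away from, hosts that were never meant to be reachable this way.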