FortiGate
Umer221
Staff
Article Id 329638
Description This article describes a solution for a RADIUS server that shows as unreachable when it is hosted on the far side of an IPsec tunnel.
Scope FortiOS all versions.
Solution

When the FortiGate itself queries a RADIUS server that sits across an IPsec tunnel, the query is self-originated traffic, and by default FortiGate sources it from the IP address of the egress interface. A tunnel interface that has no IP address of its own falls back to the address of the underlying WAN interface.

The WAN address is not covered by the local side of the Phase 2 selectors (VPN -> IPSec Tunnels -> Edit -> Phase 2 Selectors), so the packet does not match the tunnel's security association and is dropped before it ever reaches the RADIUS server.
 
In this case, an error is observed as shown in the screenshot below:

[Screenshot: Umer221_0-1722456313386.png]

 

There are two methods to resolve this issue: 

 

Method 1: Assign an IP Address to the IPSec Tunnel.

  1. Follow the instructions in this article Technical Tip: Configure IP address on an IPSec tunnel interface to assign an IP address to the IPSec tunnel interface. Once the tunnel interface has an address, self-originated traffic sent through the tunnel uses that address as its source instead of the WAN address.
  2. Add the newly assigned IP address to the Phase 2 selectors on both sides of the tunnel under VPN -> IPSec Tunnels -> Edit -> Phase 2 Selectors: as the local selector on the original FortiGate and as the remote selector on the remote FortiGate.
  3. Update the firewall policies under Policy & Objects -> Firewall Policy to include the new IP address, in particular the policy on the remote FortiGate that allows traffic from the tunnel interface to the RADIUS server.
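The CLI equivalent of the three Method 1 steps on both FortiGates, as an added example that is not part of the original article. All names and addresses are assumptions: tunnel interfaces "to-HQ" (original FortiGate) and "to-BRANCH" (remote FortiGate), local LAN 192.168.1.0/24, remote LAN 10.20.30.0/24 with the RADIUS server at 10.20.30.40, interconnect addresses 10.255.255.1 and 10.255.255.2, and a remote LAN interface named "lan". A static route for 10.20.30.0/24 via "to-HQ" is assumed to already exist.

```fortios
# ===== Original FortiGate (the one that queries RADIUS) =====
# Assumed names/addresses; adjust to the real deployment.

# Step 1: give the tunnel interface an address. Self-originated traffic
# (RADIUS, and likewise DNS or syslog) sent out "to-HQ" now uses
# 10.255.255.1 instead of the WAN address.
config system interface
    edit "to-HQ"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Step 2: each phase2-interface entry is one selector pair. Keep the
# existing LAN-to-LAN selector and add a second one for the tunnel address.
config vpn ipsec phase2-interface
    edit "to-HQ-lan"
        set phase1name "to-HQ"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.20.30.0 255.255.255.0
    next
    edit "to-HQ-radius"
        set phase1name "to-HQ"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 10.20.30.0 255.255.255.0
    next
end
# No firewall policy is needed here: traffic the FortiGate generates itself
# is not subject to firewall policies.

# ===== Remote FortiGate (in front of the RADIUS server) =====
config system interface
    edit "to-BRANCH"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
    next
end

# Mirror image of the selectors: the branch tunnel address is now the
# remote side.
config vpn ipsec phase2-interface
    edit "to-BRANCH-lan"
        set phase1name "to-BRANCH"
        set src-subnet 10.20.30.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
    edit "to-BRANCH-radius"
        set phase1name "to-BRANCH"
        set src-subnet 10.20.30.0 255.255.255.0
        set dst-subnet 10.255.255.1 255.255.255.255
    next
end

# Step 3: allow the new source address from the tunnel to the RADIUS server
# only. "RADIUS" is the predefined service object (UDP 1812-1813).
config firewall address
    edit "BRANCH-tunnel-ip"
        set subnet 10.255.255.1 255.255.255.255
    next
    edit "RADIUS-server"
        set subnet 10.20.30.40 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "BRANCH-to-RADIUS"
        set srcintf "to-BRANCH"
        set dstintf "lan"
        set srcaddr "BRANCH-tunnel-ip"
        set dstaddr "RADIUS-server"
        set action accept
        set schedule "always"
        set service "RADIUS"
    next
end
```

The selector entries must match as mirror images on the two sides; a /32 on one side and a /24 on the other is a negotiation mismatch that drops the traffic just as silently as the original WAN-sourced packets were dropped.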

  

Method 2: Configure Source IP for RADIUS Traffic.

  1. Follow the instructions in this article Technical Tip: How to integrate remote authentication server via Site to Site VPN to configure the source IP for RADIUS traffic (the source-ip setting on the RADIUS server object).
  2. Set the source IP to an internal FortiGate interface address that already falls inside the local Phase 2 selector, for example the LAN interface address. The selectors themselves do not change in this case.
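The same fix as a RADIUS object configured on the original FortiGate only, as an added example that is not part of the original article. Assumptions: the LAN interface address 192.168.1.1 lies inside an existing selector 192.168.1.0/24 <-> 10.20.30.0/24, the RADIUS server is 10.20.30.40, the remote FortiGate's tunnel and LAN interfaces are "to-BRANCH" and "lan", and the shared secret is a placeholder.

```fortios
# ===== Original FortiGate =====
# Pin the source of the RADIUS query to an address that the existing
# phase 2 selector already covers; nothing about the tunnel changes.
config user radius
    edit "RADIUS-HQ"
        set server "10.20.30.40"
        set secret <shared-secret>
        set source-ip 192.168.1.1
    next
end

# ===== Remote FortiGate =====
# The query now arrives from 192.168.1.1 through the tunnel, so the
# tunnel-to-LAN policy must allow that address to the RADIUS server.
config firewall address
    edit "BRANCH-lan-gw"
        set subnet 192.168.1.1 255.255.255.255
    next
    edit "RADIUS-server"
        set subnet 10.20.30.40 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "BRANCH-to-RADIUS"
        set srcintf "to-BRANCH"
        set dstintf "lan"
        set srcaddr "BRANCH-lan-gw"
        set dstaddr "RADIUS-server"
        set action accept
        set schedule "always"
        set service "RADIUS"
        # Only if the RADIUS server has no route back to 192.168.1.0/24 and
        # the branch network must stay hidden from it: the server then sees
        # the remote FortiGate's LAN address and must list that address as
        # its RADIUS client.
        set nat enable
    next
end
```

Without the `nat enable` line the RADIUS server answers 192.168.1.1 directly and needs a route for that network pointing at the remote FortiGate; with it, the server sees only the remote FortiGate's "lan" address, which must be the client address configured on the server together with the shared secret.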

 

  • If choosing Method 1, ensure that the newly assigned IP address is added to the Phase 2 selectors on both sides of the tunnel, and update the firewall policies accordingly. A selector that exists on only one side drops the traffic just as the original WAN-sourced traffic was dropped.
  • When the remote FortiGate is not the default gateway of the remote RADIUS server, ensure that a route exists from the remote RADIUS server back to the source IP used by the original FortiGate (the tunnel address in Method 1, the chosen internal address in Method 2); otherwise the request arrives but the reply never returns. If the new interconnect network must be hidden from the remote RADIUS server, enable source NAT on the firewall policy of the remote FortiGate, so that the server sees the remote FortiGate's own address. In that case the server must list that NAT address, rather than the original FortiGate's address, as its RADIUS client.

    [Remote RADIUS Server]===NETWORK===[Remote FortiGate]====IPSec=====[Original FortiGate]===[LAN]

Note:

If the RADIUS server still shows as unreachable after applying the above configuration, verify that a host firewall on the server, such as Windows Firewall or an antivirus product, is not blocking UDP ports 1812 (authentication) and 1813 (accounting). Temporarily disable the endpoint firewall and antivirus to test connectivity between the devices, then re-enable them and add an allow rule for the FortiGate's source address. Also confirm that the source address the FortiGate now uses is registered as a RADIUS client on the server with the correct shared secret: RADIUS servers silently discard requests from unknown clients, which looks identical to a network drop.
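A short verification sequence to run on the original FortiGate after applying either method, as an added example that is not part of the original article. It separates "the packet never leaves through the tunnel" (selector or route still wrong) from "the packet leaves but nothing comes back" (server-side firewall, unknown client, or missing return route). Assumed names: RADIUS object "RADIUS-HQ", tunnel "to-HQ", server 10.20.30.40, chosen source address 192.168.1.1 (Method 2) and a test account "testuser".

```fortios
# Step 1: confirm the tunnel is up and that the selector which should carry
# the RADIUS traffic is listed (the "to-HQ-radius" pair for Method 1, the
# LAN pair for Method 2).
diagnose vpn tunnel list name to-HQ

# Step 2: reach the server from the intended source address. A ping
# sourced from the WAN address is the failing case; this one must succeed
# if the selector and the return route are right.
execute ping-options source 192.168.1.1
execute ping 10.20.30.40

# Step 3: capture the RADIUS exchange while testing (verbosity 4 shows the
# interface, count 0 runs until Ctrl-C, "l" adds local timestamps).
#   - request out "to-HQ", reply back in  -> fixed
#   - request out, no reply               -> server side: host firewall,
#                                            unknown client, or no return route
#   - no request on "to-HQ" at all        -> source address still outside the
#                                            selector, or route not via tunnel
diagnose sniffer packet any 'host 10.20.30.40 and (udp port 1812 or udp port 1813)' 4 0 l

# Step 4: in a second CLI session, drive an authentication through the
# server object so the sniffer above sees real traffic.
diagnose test authserver radius RADIUS-HQ pap testuser <password>

# Optional: the authentication daemon's own view of the exchange,
# including the source address it actually bound to.
diagnose debug application fnbamd -1
diagnose debug enable
# ... repeat step 4, then switch debugging off:
diagnose debug disable
diagnose debug reset
```

The `diagnose test authserver` command exercises the same RADIUS object and source-ip that a real user login would use, so a pass here, combined with a request-and-reply pair in the sniffer, is a complete end-to-end check of the tunnel path.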