Description
This article describes how FortiGate is selecting a gateway for static routes via an IPsec VPN tunnel.
Scope
FortiGate.
Solution
In FortiOS versions before 7.0, a static route configured over an IPsec VPN tunnel interface showed up as a connected route in the output of '# get router info routing-table details':
C 192.168.8.0/24 is directly connected, VPN-1
From FortiOS 7.0, this behavior has changed: a static route configured over an IPsec VPN tunnel interface is installed with the tunnel ID (tun_id) of that IPsec VPN tunnel as its gateway.
VPN phase-1 configuration.
config vpn ipsec phase1-interface
edit "VPN-1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha256
set remote-gw 10.10.16.156
set psksecret ENC xx
next
end
Static route configuration.
config router static
edit 2
set dst 192.168.8.0 255.255.255.0
set device "VPN-1"
next
end
To confirm which gateway has been selected for the static route, run the following command:
diagnose vpn tunnel list
name=VPN-1 -NEW ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=1560 dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[620B]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
The output above shows the tun_id, which is the value used as the gateway for any static route configured over that IPsec VPN tunnel. The routing table confirms it:
get router info routing-table details | grep VPN-1
S 192.168.8.0/24 [10/0] via 10.10.16.156, VPN-1
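As an added example (not part of the Fortinet article and not FortiOS code), the following Python script shows the check described above done programmatically: it parses the output of 'diagnose vpn tunnel list' to collect each tunnel's tun_id, parses routing-table lines in both the pre-7.0 connected form and the 7.0 'via' form, and reports any static route over an IPsec interface whose gateway is not that tunnel's tun_id. The sample output embedded in the script is constructed from the values in this article (VPN-1, 10.10.16.156); the second tunnel, the third route and the field values other than name and tun_id are assumptions added for illustration.

```python
import re

# Constructed sample of 'diagnose vpn tunnel list' output, modelled on the article.
# Only name= and tun_id= are taken from the article; the other fields are illustrative.
TUNNEL_LIST = """\
name=VPN-1 -NEW ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=1500 dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 run_state=0 accept_traffic=1 overlay_id=0
name=VPN-2 ver=1 serial=d
tun_id=10.10.16.200 dst_mtu=1500 dpd-link=on remote_location= weight=1
"""

# Constructed routing-table lines: a FortiOS 7.x style static route (gateway = tun_id),
# a pre-7.0 style connected route, and a hypothetical route whose gateway does not
# match the tunnel's tun_id (the case the check is meant to flag).
ROUTING_TABLE = """\
S       192.168.8.0/24 [10/0] via 10.10.16.156, VPN-1
C       192.168.9.0/24 is directly connected, VPN-2
S       192.168.10.0/24 [10/0] via 10.16.16.156, VPN-1
"""

_NAME = re.compile(r"^name=(\S+)")
_TUN_ID = re.compile(r"\btun_id=(\S+)")
_STATIC = re.compile(r"^S\s+(\S+)\s+\[[^\]]*\]\s+via\s+(\S+),\s+(\S+)")
_CONNECTED = re.compile(r"^C\s+(\S+)\s+is directly connected,\s+(\S+)")


def parse_tunnel_ids(text):
    """Map each tunnel name to its tun_id from 'diagnose vpn tunnel list' output."""
    tunnels = {}
    current = None
    for line in text.splitlines():
        m = _NAME.match(line)
        if m:
            current = m.group(1)   # a new tunnel block starts on a 'name=' line
            continue
        m = _TUN_ID.search(line)
        if m and current:
            tunnels[current] = m.group(1)
    return tunnels


def parse_routes(text):
    """Return (prefix, gateway, device) tuples; gateway is None for connected entries."""
    routes = []
    for line in text.splitlines():
        m = _STATIC.match(line)
        if m:
            routes.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = _CONNECTED.match(line)
        if m:
            routes.append((m.group(1), None, m.group(2)))
    return routes


def check_route_gateways(tunnels, routes):
    """Return (prefix, device, expected_tun_id, actual_gateway) for every static route
    over an IPsec interface whose gateway differs from that tunnel's tun_id.
    Connected-style entries (pre-7.0 format) carry no gateway and are skipped."""
    mismatches = []
    for prefix, gateway, device in routes:
        if device not in tunnels or gateway is None:
            continue
        expected = tunnels[device]
        if gateway != expected:
            mismatches.append((prefix, device, expected, gateway))
    return mismatches


if __name__ == "__main__":
    tunnels = parse_tunnel_ids(TUNNEL_LIST)
    routes = parse_routes(ROUTING_TABLE)
    for prefix, device, expected, actual in check_route_gateways(tunnels, routes):
        print(f"{prefix} via {device}: gateway {actual} != tun_id {expected}")
```

In practice the two text blocks would be the captured output of the two FortiGate commands. Note that the comparison is against tun_id, not against the configured remote-gw: as the article's note explains, after a remote gateway change the tun_id (and therefore the route's gateway) keeps its original value while the tunnel keeps working, so a tun_id that differs from remote-gw is expected and is not an error.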
Note:
If the remote gateway IP of the tunnel is changed later, 'tun_id' keeps its original value, but the tunnel continues to work as before.
Copyright 2025 Fortinet, Inc. All Rights Reserved.