Description
This article describes when the client on the left (private IP 192.168.10.10) needs to access the host on the right (IP 192.168.20.20) via IPSEC tunnel configured on the FortiGate.
Only traffic to the 192.168.20.20 will be routed to the IPSEC tunnel while all other Internet traffic goes via the local WAN1. SNAT is performed by FortiGate-A.

set snat-route-change disable
Before the IPSEC tunnel is up, FGT-A tries to reach the host 192.168.20.20 via the default route WAN1.
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 192.168.0.1, wan1
FG81EPTK19-----7 (root) # diagnose sys session list
session info: proto=17 proto_state=00 duration=24 expire=155 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/255
state=redir log local may_dirty npu nlb ha_replicate f00 inherit_sockport
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=36->5/5->36 gwy=192.168.0.1/0.0.0.0
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.0.100:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060- >192.168.0.100:65476(192.168.10.10:5060) (Before IPSEC is up, WAN IP 192.168.0.100 is used)
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000168b tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av
total session 1
Scope
FortiGate.
Solution
When 'snat-route-change' is enabled, after a routing change, routing information is flushed from existing SNAT sessions; so, the existing SNAT sessions can use the new best route which in this case is the IPSEC interface. To enable 'snat-route-change', run the following commands in the CLI:
config system global
set snat-route-change enable
end
After the IPSEC tunnel is up, there is a more-specific route to 192.168.20.20 via IPSEC and FGT-A can automatically correct its existing SNAT session to use the new routing.
FG81EPTK19-----7 (root) # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 192.168.0.1, wan1
S 192.168.0.0/16 [15/0] via 200.10.10.100, p1-tunnel
FG81EPTK19-----7 (root) # diagnose sys session lis
session info: proto=17 proto_state=01 duration=4 expire=175 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=7
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=p1-kltac/ helper=20 vlan_cos=0/255
state=redir local may_dirty npu npd nlb ha_replicate inherit_sockport
statistic(bytes/packets/allow_err): org=1924/3/1 reply=1796/3/1 tuples=3
tx speed(Bps/kbps): 434/3 rx speed(Bps/kbps): 405/3
orgin->sink: org pre->post, reply pre->post dev=36->37/37->36 gwy=210.19.8.106/192.168.10.10
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.50.50:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.50.50:65476(192.168.10.10:5060) (Now the SNAT session can automatically update to use the IPSEC IP for SNAT)
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=0000191f tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x3100000
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av offload-denied helper
total session 1
Related article:
Troubleshooting Tip: Routing Changes and SNAT (snat-route-change)