Description | This article describes a workaround for successfully backing up FTP configurations on an Auvik server hosted across an IPsec tunnel. |
Scope | FortiOS, FortiGate, IPsec Tunnel, Auvik. |
Solution |
When an Auvik server is hosted across an IPsec tunnel behind a remote site, the local FortiGate uses the default tunnel (IPsec) interface to execute backup commands destined for the Auvik server behind the remote site.
When FTP traffic is sent over a site-to-site VPN, the FortiGate uses the egress interface's IP address as the source IP. If there is no IP assigned, FortiGate chooses the IP of the interface with the lowest index.
A standard site-to-site VPN only allows specific source and destination subnets, so traffic sourced from the tunnel IP address is denied.
To fix this issue, assign an IP address from a /30 segment to the IPsec tunnel interface on both ends. Then, make sure to also allow the tunnel IP on the IPsec tunnel by creating or modifying the phase2-interface selectors.
On the other side, the tunnel IP address 172.16.1.101/30 is configured for the tunnel interface.
On the remote FortiGate, an inbound firewall policy needs to be created that allows the tunnel IP to reach the local host or local subnets on the remote FortiGate.
When creating a policy, remember to clone the reverse policy.
Once these configurations are applied, the configuration of the FortiGate can be backed up to the Auvik server via FTP file transfer over the site-to-site VPN tunnel. |
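The steps above as a FortiOS CLI sketch. This is an added example, not configuration taken from the original article. Assumptions: the tunnel names `to-remote` and `to-local`, the LAN interface `internal`, the Auvik subnet 10.20.0.0/24 and host 10.20.0.50, the object and policy names, and the local tunnel IP 172.16.1.102 (the other usable address in the /30 that contains the article's 172.16.1.101) are all constructed placeholders.

```fortios
# --- Local FortiGate (the unit being backed up) ---
config system interface
    edit "to-remote"
        set ip 172.16.1.102 255.255.255.255
        set remote-ip 172.16.1.101 255.255.255.252
    next
end
config vpn ipsec phase2-interface
    edit "to-remote-tunnel-ip"
        set phase1name "to-remote"
        set src-subnet 172.16.1.100 255.255.255.252
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end
# --- Remote FortiGate (in front of the Auvik server) ---
config system interface
    edit "to-local"
        set ip 172.16.1.101 255.255.255.255
        set remote-ip 172.16.1.102 255.255.255.252
    next
end
config vpn ipsec phase2-interface
    edit "to-local-tunnel-ip"
        set phase1name "to-local"
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 172.16.1.100 255.255.255.252
    next
end
config firewall address
    edit "local-fgt-tunnel-ip"
        set subnet 172.16.1.102 255.255.255.255
    next
    edit "auvik-server"
        set subnet 10.20.0.50 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "tunnel-ip-to-auvik-ftp"
        set srcintf "to-local"
        set dstintf "internal"
        set srcaddr "local-fgt-tunnel-ip"
        set dstaddr "auvik-server"
        set action accept
        set schedule "always"
        set service "FTP"
    next
end
```

The inbound policy here is scoped to the single tunnel IP, the single Auvik host and the FTP service rather than to whole subnets, which keeps the new selector from widening what the tunnel exposes.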
Copyright 2025 Fortinet, Inc. All Rights Reserved.