Description: This article describes a solution for the error 'No route exists from source address' when using the policy matching feature.
Scope: FortiGate.
Solution:
In this scenario, an IPsec dial-up tunnel is established but cannot reach any internal resources. Traffic is denied by policy 0 and when checking policy match, the error 'No route exists from source address' is observed.
Run the following commands to get the output shown below (here x.x.x.x is the IP address assigned to the FortiClient):
diagnose debug flow filter addr x.x.x.x
diagnose debug flow trace start 999
diagnose debug enable
Check the document Technical Tip: Firewall policy lookups to get the following output:
Checking the routing table for the source address shows that a matching routing entry exists.
In this scenario, the subnet is used for the IPsec dial-up VPN. Checking the tunnel interface IP shows that the assigned IP subnet is different from the dial-up client address range.
Change the tunnel IP to 0.0.0.0/0 and check the policy match again to confirm that the policy is now matched.
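The full check-and-fix session described above, written out as an added example (not part of the original article). The tunnel interface name 'dialup_vpn', the client address 10.10.10.5 and the internal server 192.168.1.10 are placeholder values; the policy lookup and routing-table commands are standard FortiOS commands added here to verify the state before and after the change.

```fortios
# 1. Trace the dial-up client's traffic (x.x.x.x = FortiClient IP, placeholder 10.10.10.5)
diagnose debug flow filter addr 10.10.10.5
diagnose debug flow trace start 999
diagnose debug enable
# ... reproduce the connection attempt from the client, then stop the trace
# (leaving debug enabled on a busy firewall costs CPU and fills the console)
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear

# 2. Confirm a route exists for the client address (it does in this scenario)
get router info routing-table details 10.10.10.5

# 3. Compare the tunnel interface IP with the dial-up client range
show system interface dialup_vpn

# 4. Policy lookup: src 10.10.10.5, dst 192.168.1.10 tcp/443 arriving on the tunnel
#    (expected before the fix: 'No route exists from source address')
diagnose firewall iprope lookup 10.10.10.5 50000 192.168.1.10 443 6 dialup_vpn

# 5. Fix: reset the tunnel interface IP to 0.0.0.0/0 so it no longer conflicts
#    with the dial-up client address range (assumption: interface was given a
#    manual IP in an unrelated subnet)
config system interface
    edit "dialup_vpn"
        set ip 0.0.0.0 0.0.0.0
    next
end

# 6. Re-run the lookup; it should now return the intended firewall policy
diagnose firewall iprope lookup 10.10.10.5 50000 192.168.1.10 443 6 dialup_vpn
```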
Copyright 2025 Fortinet, Inc. All Rights Reserved.