Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Virusxd512
New Contributor

Created on ‎01-27-2020 12:51 AM

How to route specific IP to specific protocol on VPN Tunnel

Hi,

I need to route a whole subnet to specific IP address Via VPN tunnel.

as an example i have subnet of 10.0.0.1/24 and i want to route All RDP traffic to 192.168.20.21 through VPN tunnel.

 (I already have a stable VPN connection between both ends)

 

Thanks!.

5799
0 Kudos
5 REPLIES 5
ShawnZA
Contributor II

Created on ‎01-27-2020 01:13 AM

Is the 10.0.0.0/24 your local subnet?

And is there an existing VPN tunnel or do you also need to create the VPN tunnel?

4573
0 Kudos
Virusxd512
New Contributor
In response to ShawnZA

Created on ‎01-28-2020 12:56 AM

@ShawnZA Hi,

I already have a stable VPN connection.

 

Thanks!

4573
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Virusxd512

Created on ‎01-28-2020 01:56 AM

If your VPN is a site-to-site VPN (IPsec of course), the tunnel name already is a virtual interface to which you can route.

Create a new static route (Network>Static Routes), target network=192.168.20.0/24 (or even smaller like 192.168.20.21/32), interface=tunnel_name, gateway=(leave empty).

 

This particular setup works for IPsec VPNs, you don't have to specify a gateway address.

Then you need an outbound policy from LAN to tunnel, and of course the same on the other side.

 

Note that you cannot route just RDP traffic to the tunnel, and other traffic elsewhere. Wouldn't make much sense anyway.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4573
0 Kudos
rwpatterson
Valued Contributor III
In response to ede_pfau

Created on ‎01-28-2020 06:43 AM

Could this not be done with a policy route?

 

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
policy route.png
Preview file
23 KB
4573
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to rwpatterson

Created on ‎01-28-2020 02:25 PM

@Bob,

 

if you can determine the route just by looking at the destination address, use a regular route. If you need other information, like source address or interface, use a Policy Based Route.

I personally don't like PBRs much although this is better supported in FOS v6 than before (CLI only). For instance, there is no indication in the Routing Monitor that a PBR is in place. Might cost a lot of time until you realize if you haven't set it up yourself.

 

So, yes, a PBR would do the job as it is a 'super set' of regular routing.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4573
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.