New Contributor

ASA to Fortigate Specify Phase2 VPN source ip based to use destination gateway

I am new to fortigate.


I am considering replacing an ASA5506 with a Fortigate 60F, but I am unable to figure out how to create a more complex VPN phase 2 tunnel selector in the Fortigate.


Essentially, I have a tunnel between 2 locations.  Each location has an internal /24 using RFC1918 space.  One location has a static ip (Location A) and the other a dynamic ip (Location B).  Outside of these locations there are devices that can only be accessed using the IP address of the location with the static ip address.  Because of this, the ASA is currently configured to use the remote gateway from Location A (the one with the static IP) when devices from Location B attempt to connect to those specific destination IPs.  Further, there are some devices at Location B that ALWAYS need to use the remote gateway from Location A.  Finally, devices at Location B need to be able to communicate with the devices at Location A using their RFC1918 address spaces.


I cannot figure out how to replicate this on the fortigate as the phase 2 selector seems to be limited to address groups.


ASAs use access lists to specify the split tunnel selector, and currently that looks like this (using descriptive names that reflect this post's question):


access-list TUNNEL_SELECTOR extended deny ip object LOCATIONB_NETWORK object-group ALWAYS_LOCAL_EXIT_NEVERTUNNEL
access-list TUNNEL_SELECTOR extended permit ip object LOCATIONB_NETWORK object-group USELOCATIONA_GATEWAY_IPS
access-list TUNNEL_SELECTOR extended permit ip object-group LOCATIONA_IPS_ALWAYS_USE_REMOTE_GATEWAY object ANY
access-list TUNNEL_SELECTOR extended permit ip object LOCATIONB_NETWORK object LOCATIONA_NETWORK


I see on the fortigate that tunnels use firewall policies and in those firewall policies the more granular source and destination can be used.  However, this means that in the phase 2 selector I would basically need to set the remote address as the all object and then filter using vpn policy.  My current thinking is that by doing that, phase 2 will attempt to tunnel all traffic and then the firewall policy will simply cause the traffic to be dropped as opposed to simply excluding it from being tunneled.


Any insight or assistance on this type of configuration would be helpful.

New Contributor

So, I have discovered policy routing on the F60, but just like using the vpn policy, I am unsure where or how traffic might be dropped.


I am thinking I might get the same functionality if I specify the remote end as ANY, but then use policy routing to only send the traffic I want to go across the tunnel to the VPN interface.  I am just unsure what takes priority in routing decisions, the tunnel specifications or policy routing.
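An added example (not from the original posts or from Fortinet) of how the ASA TUNNEL_SELECTOR access list above maps onto FortiOS phase 2 selectors plus policy routes on a route-based (interface mode) VPN at Location B, covering both the selector question in the first post and the policy-routing question in the second. It assumes a phase1-interface named "toLocationA", interfaces "internal" and "wan1", and that the firewall address objects and groups named below have already been created; all of these names and the sample next hop are assumptions.

```text
# One phase2-interface entry per ASA "permit" line; each entry is negotiated
# as its own IPsec SA, so the ASA side sees the same selector pairs.
config vpn ipsec phase2-interface
    edit "p2-B-to-A-lan"            # permit ip LOCATIONB_NETWORK LOCATIONA_NETWORK
        set phase1name "toLocationA"
        set src-addr-type name
        set src-name "LOCATIONB_NETWORK"
        set dst-addr-type name
        set dst-name "LOCATIONA_NETWORK"
    next
    edit "p2-B-to-hosts-via-A"      # permit ip LOCATIONB_NETWORK USELOCATIONA_GATEWAY_IPS
        set phase1name "toLocationA"
        set src-addr-type name
        set src-name "LOCATIONB_NETWORK"
        set dst-addr-type name
        set dst-name "USELOCATIONA_GATEWAY_IPS"   # address group: one SA per member
    next
    edit "p2-always-remote"         # permit ip LOCATIONA_IPS_ALWAYS_USE_REMOTE_GATEWAY any
        set phase1name "toLocationA"
        set src-addr-type name
        set src-name "LOCATIONA_IPS_ALWAYS_USE_REMOTE_GATEWAY"
        set dst-subnet 0.0.0.0 0.0.0.0          # any destination, exits via Location A
    next
end
# The ASA "deny ... ALWAYS_LOCAL_EXIT_NEVERTUNNEL" line has no selector equivalent:
# phase 2 selectors only match traffic, they never exclude it. Keep that traffic
# out of the tunnel at the routing step instead. Policy routes are evaluated
# before the routing table, so they decide which interface a packet is sent to;
# the phase 2 selectors are only consulted once the packet reaches the tunnel.
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "LOCATIONB_NETWORK"
        set dstaddr "ALWAYS_LOCAL_EXIT_NEVERTUNNEL"
        set output-device "wan1"                # local exit, never offered to IPsec
        set gateway 203.0.113.1                 # constructed sample ISP next hop
    next
    edit 2
        set input-device "internal"
        set srcaddr "LOCATIONA_IPS_ALWAYS_USE_REMOTE_GATEWAY"
        set output-device "toLocationA"         # these hosts always use Location A's gateway
    next
end
# A firewall policy from "internal" to "toLocationA" is still required for the
# allowed sources and destinations. Traffic routed into the tunnel interface that
# matches no phase 2 selector is dropped by the FortiGate, not sent in the clear,
# which is the behaviour the posts were asking about.
```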
