Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Access remote network between 2 IPsec tunnel


2023-04-02 11_50_08-Schema.jpg ‎- Fotos.jpg




I drew something to be more understandable.


Basically, I would like from the Mikrotik LAN, access to the servers connected at the "Fortigate Server", passing through the "Fortigate Main" IPsec tunnel.

I don´t know if it's possible, that's why I am asking if you know about it?


I tried in the "Main Fortigate" to accept traffic between the IPsec tunnel Mikrotik and the IPsec tunnel Fortigate Servers in both directions.

In the "Fortigate Server", I added the Mikrotik subnet in both rules " IPsec Main Fortigate"  -> "Lan Servers" and "Lan Servers" -> "IPsec Main Fortigate"

I put the route in the "Fortigate Server" toward the Subnet Mikrotik through the tunnel.

I put the firewall rule in the Mikrotik toward the "Fortigate Server" subnet.


Your help will be appreciated. (In case this solution is not possible, I will create a tunnel IPsec From the Mikrotik router and the Fortigate Server and that's all.)


Can't wait your expertise about this topic !


See you soon guys.


I would personally avoid the hustle and just create an IPsec between the two.


This is possible. There's no reason for it not to work assuming things are configured properly.

You just need to figure out what the issue is that's blocking it. Without more info we can't really help you though.


Do you have routes configured properly on all devices?

Do your IPSec tunnels allow the encryption/decryption of traffic from all subnets involved in the traffic flows?

Do you have firewall policies allowing all traffic everywhere in the chain?


What do your traceroutes look like?

What do your IPSec debug logs look like?


Etc. etc. etc.


New Contributor III

Hello Funky, you mean that passing through more than 1 tunnel is not good for security or some reasons?


Hello Graham, I will answered you as soon as I come back home !


Many thanks




Here is the rational:


  • If the LAN/Microtik does not need to communicate thru the first IPSec tunnel with other networks reachable thru the Main FortiGate (other than Server/FortiGate Server)



  • If the Main FortiGate does no apply security services that that FortiGate Server does not; like doing UTM.



  • Or you need the visibility of the LAN/Server traffic in the Main Fortigate for auditing or reporting as the FortiGate server is not under the same administrative control


Then the hassle of 2x IPsec configurations and the added complexity to operate and troubleshoot does not make sense. It is not a security issue per se.


Still as a general principle, complexity is not a friend of security...


It is possible. Here are a few things you can check are configured properly:

I am assuming that your tunnel from mikrotik to Main fortigate and from Main Fortigate to Fortigate server is working fine and that your issue is for passing traffic between Mikrotik to Fortigate server and vice versa.

IP Sec Phase 2 selector:

On edge fortigates: Make sure the Fortigate server is added as remote subnet on Mikrotik and local subnet is selected as the Mikrtotik lan that you want to have access.
Same thing on the Fortigate server side. Make sure you have Fortigate server subnet as local and Mikrtik lan is remote subnet

On Main Fortigate: Make sure you add phase 2 selectors with Mikrotik as local and Fortigate server as remote and also with Fortigate server as remote and Mikrotik as local subnet.

Firewall polcies:
You have to add 2 Firewall policies on all these fortigates: Ip sec tunnel ---> local subnet. Local subnet -----> IP Sec tunnel.
Make sure you allow the relevant subnets to pass in the firewall policy.

Static Route:
You will also need static routes for the relevant subnets out the IP sec tunnel.

Here is an IP Sec troubleshooting document you can refer to for troubleshooting:

If you run into any issues, let me know.


New Contributor III

Many thanks for your help everyone.


The Mikrotik is configured in full remote browsing until the Main Fortigate, then even if I create a second tunnel toward the Fortigate Server, I cannot access to the servers if I don´t disable the Remote Browsing tunnel. I can understand why, but I think that's why I need to passing through both IPsec tunnel, or maybe you have another solution?

EDIT: F**k, as soon as I changed the order of the tunnel in my Mikrotik, everything worked well.. I can understand the importance of the order of tunnels now !


Many thanks !


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors