Support Forum
New Contributor

Firewall Policy Problem: VIP & IPSec


I am new to the forum and I hope someone can help me.


I have two Fortigates connected via IPSec.

On site A, I have a server with an internal IP and an external IP on wan1.

I created a VIP:

config firewall vip
    edit "myVIP"
        set extip
        set extintf "wan1"
        set mappedip ""
    next
end


I created a policy that allows port 443 from the Internet. Works fine.


My problem is: I want VPN site B to be able to connect to RDP (TCP 3389) over the PUBLIC IP using the IPSec tunnel instead of using

All I can see in Debug is: msg="pre_route_auth check fail(id=0), drop"


What's wrong?


Can someone help me?





Hi, is simply not behind the VPN tunnel - see phase 2, Quick Mode selectors. Even if you work with wildcards, the routing will point to the 'wan' interface instead of the tunnel IF.

You cannot just create a static route pointing to the tunnel IF - then the tunnel won't find its remote gateway anymore.

The flaw is in the design. Rethink your intentions.

Just my .02$

Ede Kernel panic: Aiee, killing interrupt handler!
New Contributor

Thank you for the quick reply!

OK, I understand what you mean.


The background is, it would be comfortable for the remote users to use as the target for RDP, because they should not have to bother about which private IP they have to use.


I don't want to open RDP over the Internet, so I could solve it with DNS on Site B: -->




Valued Contributor

DNS is best; it will keep things seamless for users and will be better than how you were originally going about it.

Mike Pruett Fortinet GURU | Fortinet Training Videos
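As an added illustration of the DNS approach the thread settles on (not configuration posted by anyone in the thread), this is a split-DNS setup on the site B FortiGate: a local shadow zone answers the server's public hostname with its private IP for internal clients, so their RDP traffic is routed through the tunnel instead of toward wan1 and the VIP. The zone name, domain, hostname, interface name and addresses are assumed placeholders.

```fortios
# Site B FortiGate (assumed values throughout).
# A "shadow" zone is only used to answer local clients; it is never served externally.
config system dns-database
    edit "split-example"
        set domain "example.com"
        set type primary        # older FortiOS releases call this "master"
        set view shadow
        config dns-entry
            edit 1
                set type A
                set hostname "rdp"      # clients keep using rdp.example.com
                set ip 10.0.1.10        # site A private address of the server, reached via the tunnel
            next
        end
    next
end

# Let the site B LAN interface answer DNS for internal clients;
# names outside the shadow zone are still resolved recursively.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

Site B clients must use the FortiGate LAN address as their DNS server for this to take effect, and the existing tunnel firewall policy still has to allow TCP 3389 to the private address.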
