New Contributor

Fortigate as SSL VPN Client - Reverse Path routing possible?


I have setup a FortiGate 40F as a SSL VPN Client behind a StarLink CGNAT connection to a FortiGate 40F on a normal public IP connection, because StarLink is problematic with IPSEC VPN and I wasn't able to get dialup NAT-T to work...


[FG 40F - Site1 - Public IP]
FortiGate IP:
Local LAN Subnet:
SSL VPN Server, SSL IP VPN Pool: -
No VPN static routes

Firewall Policy (ssl.root) to (lan) allowed
and (lan) to (ssl.root) allowed

[FG 40F - Site2 - CGNAT]
WAN: CGNAT Restricted
FortiGate IP:
Local LAN Subnet:
SSL VPN Client connected to Site 2 - assigned SSL VPN IP
No static routes for VPN or Firewall Policies


I can successfully ping from Site2 with no issues and access any resources - as expected as a VPN Client of Site1...


BUT I can't ping anything from Site1 to Site2 e.g. the assigned IP or despite trying several combinations of firewall policies...


Has anyone tried to do reverse path routing with a dialup SSL VPN? Is this possible?





New Contributor

Just an update - TAC Replied and it turns out that this is not supported, the traffic is one way only, quote

"As per checking, this is the expected behavior of FortiGate as SSL VPN Client. Only traffic sourcing on the FortiGate client will be allowed since the dynamic routes are only being added to the FortiGate client. This behavior is normal for remote users connected via SSL VPN."


I think it's because the SSL VPN client FortiGate gets one single IP from the server, just like any other SSL VPN client device, and everything behind it is NATed with that IP. So anything behind the server FortiGate wouldn't be able to see the local subnets on the client side.

I'm wondering what would happen if a unicast routing protocol like BGP is set up between the server and the client IP (the server has to assign a specific IP to that particular client, which might not be possible with SSL VPN server config), then advertise the client side subnets to the server side.

Likely a new feature request though.



