
IP Sec VPN With Cisco Layer3 Switch Subnets

Hello Team,

How do I access a remote subnet which is configured on a Layer 3 Cisco switch, not on a FortiGate interface?


Using FW 100D 

Suppose my HQ FortiGate internal interface (Port1) IP is which is connected with a Cisco Layer 3 switch (Gi0/1 - access VLAN 10, and the VLAN SVI is ), and I have many VLANs configured on this Cisco L3 switch (IP routing enabled).

Cisco L3 switch VLANs:

VLAN 11 (Server) - (SVI
VLAN 12 (User) - (SVI
VLAN 13 (VOICE) - (SVI

Could you please explain how we can access the Server/User/Voice VLAN subnets from the branch office subnet?

The branch office FortiGate has its internal (Port1) IP which connects with a Cisco Layer 2 switch. All the systems connected to this Cisco Layer 2 switch get their IP scope from the FortiGate firewall (Port1) - subnet

Could you please explain, in this scenario, how I can access my HQ subnets and the branch office subnet and vice versa. I appreciate your suggestions.


Hello GJ,


Assuming you did the site-to-site IPsec between the FortiGates with the wizard and the HQ FGT has all the routes to the local networks in place (,,, it should be fairly straightforward.


On the branch FGT you need to configure the routes to the networks on the HQ site, going to the IPsec interface:

Via the GUI, navigate to Network -> Static Routes -> Create New

Device: <IPsec_Interface_to_HQ>

Repeat that for and

Now create policies to allow the traffic between the networks and interfaces.

For example: from the IPsec interface -> port1, and vice versa.


On the HQ FGT you need a static route to the network, also pointing to the IPsec interface.

Make sure you have policies to allow traffic from the branch (IPsec interface) to the local networks (port1), and also from the branch office to the local networks.


If you haven't created any site-to-site VPN between two FGs before, the best option would be using the IPsec wizard [Site to site] to create all the config for one pair of source and destination subnets (<-> first. You can find some cookbooks for this part if you google it. Then learn via the CLI what the wizard generated under:

  • config vpn ipsec phase1-interface
  • config vpn ipsec phase2-interface
  • config firewall address
  • config firewall policy
  • config router static

Then modify those that include to include all subnets on the switch.

I would assume static routes to get to the switch for those subnets are already there in the HQ FG, but if not you need to add them.
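The two replies above describe the same branch-side work: address objects for the HQ VLAN subnets, phase 2 selectors that cover all of them, a static route per subnet out of the IPsec interface, and policies in both directions. The following is an added FortiOS CLI example that is not taken from either reply or from any Fortinet cookbook; the interface name "to_HQ", the object names and every PREFIX placeholder are assumptions to be replaced with your own values (the thread's actual subnets are not present on the page).

```fortios
# Added example (not from the forum posts). All names and prefixes are
# placeholders: replace BRANCH_LAN_PREFIX / HQ_VLANxx_PREFIX and the
# interface name "to_HQ" with the values from your own environment.

# --- Branch FortiGate ---

# 1. One address object per HQ VLAN subnet, grouped for reuse in
#    selectors and policies.
config firewall address
    edit "HQ_VLAN11_Server"
        set subnet HQ_VLAN11_PREFIX   # placeholder, e.g. x.x.x.0 255.255.255.0
    next
    edit "HQ_VLAN12_User"
        set subnet HQ_VLAN12_PREFIX   # placeholder
    next
    edit "HQ_VLAN13_Voice"
        set subnet HQ_VLAN13_PREFIX   # placeholder
    next
    edit "Branch_LAN"
        set subnet BRANCH_LAN_PREFIX  # placeholder
    next
end
config firewall addrgrp
    edit "HQ_Subnets"
        set member "HQ_VLAN11_Server" "HQ_VLAN12_User" "HQ_VLAN13_Voice"
    next
end

# 2. Phase 2 selectors must cover every HQ subnet, not only the one pair the
#    wizard created; referencing the group keeps them in step with the routes.
config vpn ipsec phase2-interface
    edit "to_HQ"
        set phase1name "to_HQ"
        set src-addr-type name
        set src-name "Branch_LAN"
        set dst-addr-type name
        set dst-name "HQ_Subnets"
    next
end

# 3. A static route per HQ subnet, with the IPsec interface as the device.
config router static
    edit 0
        set dst HQ_VLAN11_PREFIX      # placeholder
        set device "to_HQ"
    next
    edit 0
        set dst HQ_VLAN12_PREFIX      # placeholder
        set device "to_HQ"
    next
    edit 0
        set dst HQ_VLAN13_PREFIX      # placeholder
        set device "to_HQ"
    next
end

# 4. Policies in both directions, scoped to the named subnets rather than "all"
#    so that only the intended prefixes can cross the tunnel.
config firewall policy
    edit 0
        set name "Branch_to_HQ"
        set srcintf "port1"
        set dstintf "to_HQ"
        set srcaddr "Branch_LAN"
        set dstaddr "HQ_Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "HQ_to_Branch"
        set srcintf "to_HQ"
        set dstintf "port1"
        set srcaddr "HQ_Subnets"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The HQ FortiGate needs the mirror image: the same address objects, a phase 2 entry with source and destination swapped (the selectors on both ends must match, otherwise phase 2 will not negotiate), a static route for BRANCH_LAN_PREFIX via the tunnel interface, routes for the three VLAN prefixes via the Cisco switch SVI on port1 (if the wizard did not already leave them in place), and the two policies with the interfaces and addresses swapped. Listing each HQ subnet explicitly, rather than using 0.0.0.0/0 as the remote selector and "all" in the policies, keeps the tunnel from becoming a path to anything else reachable through the HQ switch.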
