Hello All and thanks for the help in advance:
I have two Fortgate firewalls I have inherited and I am in need of some help. At the head-end, I have a 90D and at the remote-end, I have a 90E. The IPSEC tunnel had been created and I am trying to add in a route to a new network at the head end.
So the network looks something like this:
192.168.20.0/24
192.168.1.0/24
-------------------
90D (192.168.1.28)
-------------------
Internet
-------------------
90E (192.168.2.253)
-------------------
192.168.2.0/24
I can get from 192.168.2.0 to 192.168.1.0 with no issues. That was the IPSEC tunnel that was created before. I am trying to add 192.168.20.0
Attached to the 90D, I have a Cisco L3 switch (192.168.1.2) that acts as the router to the 20 network. The Cisco has a default route to the 90D (192.168.1.28) From the 20 network today, I can surf the web which is out of the 90D, but I cannot get to anything in the 192.168.2.0 network on the other side of the tunnel. Nor can I get from .2 to anything on the .20 network
Traceroutes from the 192.168.2.0 to the working 1 network shows (from 192.168.2.95 to 192.168.1.250):
Tracing route to 192.168.1.250 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.253
2 35 ms 37 ms 36 ms 192.168.1.28
3 37 ms 36 ms 37 ms 192.168.1.250
Trace complete.
Traceroutes from the 192.168.2.0 to the new 20 network show (from 192.168.2.95 to 192.168.20.53):
Tracing route to 192.168.20.53 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.253
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
I have added static route to the 90E, I thought that would fix the problem. However, all I can do is tell it that the endpoint is the tunnel, not the router on the other end (192.168.1.2)
Any help would be appreciated.
Thanks again
Did you configure a set of tunnel interface IPs on both ends of the tunnel? Just need to point the static route for .20.0/24 to the remote-ip (as gateway) and specify the tunnel name (as device).
Make sure that the distance is SHORTER than that of the default gateway. Leave it at 10 and you'll get nowhere, usually.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Lowered it, but it made no difference.
Thanks!
Distance 10 shouldn't become a problem unless there is the same prefix/length existing in the routing-table.
What does your routing table look like?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
If the tunnel phase1-name is "tun1" and the remote-ip is 10.0.0.2 like below, you can configure a static route like below.
config system interface
edit tun1
set ip 10.0.0.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.0.0.2 255.255.255.255
set interface "wan1"
next
end
config router static
edit 0
set dst 192.168.20.0 255.255.255.0
set gateway 10.0.0.2
set device "tun1"
next
end
The tunnel exists and works to and from 192.168.1.0 to 192.168.2.0. The issue is adding the 192.168.20.0 route. The only option when creating a static route is to tell the FortGate to send the traffic for 192.168.20.0 to the tunnel. I would think I need to tell it to send the traffic to 192.168.1.2 (The Cisco)
Thanks!
Just adding to this.
config router static edit 1 set gateway 12.43.15.225 set device "wan2" next edit 2 set gateway 14.100.22.65 set device "wan1" next edit 3 set dst 192.168.1.0 255.255.255.0 set device "To_HQ" set comment "VPN: To_HQ (Created by VPN wizard)" next edit 4 set dst 192.168.1.0 255.255.255.0 set device "To_HQ_WAN2" set comment "VPN: To_HQ_WAN2 (Created by VPN wizard)" next edit 5 set dst 192.168.1.0 255.255.255.0 set device "To_REM2_HQ1" set comment "VPN: To_REM2_HQ1 (Created by VPN wizard)" next edit 6 set dst 192.168.1.0 255.255.255.0 set device "To_REM2_HQ2" set comment "VPN: To_REM2_HQ2 (Created by VPN wizard)" next edit 7 set dst 192.168.20.0 255.255.255.0 set distance 5 set device "To_HQ_WAN2" next end
FGT90E4Q17002511 # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default
S* 0.0.0.0/0 [10/0] via 14.100.22.65, wan1 C 14.100.22.64/28 is directly connected, wan1 S 192.168.1.0/24 [10/0] is directly connected, To_HQ_WAN2 C 192.168.2.0/24 is directly connected, internal S 192.168.20.0/24 [5/0] is directly connected, To_HQ_WAN2
 
					
				
				
			
		
| User | Count | 
|---|---|
| 2678 | |
| 1412 | |
| 810 | |
| 703 | |
| 455 | 
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.