Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPSEC VPN Tunnel - Cannot access both Fortigates

Hello everyone,

This is my first post on this forum. I hope I can come to contribute, but right now I need your help.

I have an IPSEC tunnel configured between two fortigates (61F and 40F). The tunnel is up with both phases (1 and 2) up. The ftg 61F has the ip on the lan interface and the ftg 40F has the ip on the lan interface. I can ping from one fortigate to another just by indicating the ping-options source ip. On ftg 61F I have an SSL VPN configured and I can access ftg 61F ( via http, but I can't access the fortigate 40F via http. Any suggestion?


Hey silvajo,

welcome to the Forums :).

Regarding accessing your FGT40F from SSLVPN, the connection goes something like this, correct?
client -> sslvpn tunnel -> 61F -> IPSec -> 40F
Check the following:
1. you have a policy from ssl.root to IPSec on the 61F (with destination the 40F IP)
->I would strongly suggest to enable NAT here, and NAT to an IP in the range; this might require creation of an IP pool
-> that way, the SSLVPN tunnel IP is NATed to a LAN IP on the 61F and can enter IPSec without changes to P2 Selectors in the IPSec tunnel
2. If you don't want to NAT the traffic on 61F, do the following:
-> add SSLVPN tunnel range to the P2 Selectors
-> on the 40F, ensure there is a route back for the SSLVPN tunnel range through IPSec tunnel


Additionally, if your SSLVPN setup is with split-tunneling enabled, ensure that the 40F IP is added as a destination in the split-tunneling setup

And lastly - I would recommend admin access via https, not http :)


I hope this gives you a place to start.


+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
New Contributor

Hello Debbie, 

Many thanks for the reply. I've already set up the policy with the given indications, but even so, I can't get to the branch's fortigate (40F). Please see attached images.




Any suggestion?


Best wishes for a great Christmas :)


New Contributor

I forgot to mention.... my tunnel FILIAL->SEDE is BRANCH (61F) -> HEADQUARTERS (40F).


And i do not have traffic in the tunnel...



You're using the same subnet range with Sede side for NAT outside IPs for the SSL VPN access to Sede, which is conflicting. (>

What Debbie is suggesting is to grab/reserve one IP in Filial's and use it for the NAT. So all SSL VPN clients to Sede has 10.2.10.x ->, which is already included in your IPSec phase2 network selector sets. Unless you need to access back from Sede side to each Filial-connected SSL VPN client, just one NAT IP wouldn't cause a problem.




Thank you for clarifying my intended solution, Toshi :)

@silvajo, exactly as Toshi noted, I meant to suggest using an IP from the LAN side of your 40F to go into the tunnel, my apologies if this was unclear

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
New Contributor

Hi. Thank you very much for your answers and sorry but I'm new to this stuff.
Headquarters Network -
Branch Network -


On my 61F Policy i have this config.




Incoming Interface: SSL-VPN Connetion

Outgoing interface: FILIAL_TO_SEDE (tunnel between 61F and 40F)




Yours Sugestions

"grab/reserve one IP in Filial's and use it for the NAT" or " I meant to suggest using an IP from the LAN side of your 40F to go into the tunnel"


Firewall /Network Options

NAT: Enable

IP POOL: what ip pool should i define here? How can a reserve an ip? This ip sould be from de 61f subnet ( or from the 40f subnet (


Hey silvajo,


thanks for the screenshot, very useful :).

For NAT - create an IP from the 61f subnet, ( for example, just the one IP), and use that pool in the policy.

Regarding reserving an IP - if FortiGate serves as your DHCP server on the lan interface, just set the range to only go up to .249 for example, so that .250 can't be assigned. If you have an external DHCP server, make sure the IP you use for NAT here can't accidentally be given to a DHCP client.

Regarding the policy:
- question: as source you have sslvpn interface (correct) and LAN subnet. I wonder at the LAN subnet here. As source in sslvpn interface, you will usually want whatever IPs you use in the SSLVPN tunnel settings (by default SSLVPN_TUNNEL_ADDR address)


also - we were under the impression your setup was sslvpn -> 40F -> ipsec -> 61F, not sslvpn -> 61F -> ipsec -> 40F, our apologies. if your 61F is the bridge between sslvpn and IPsec, you will want to set up NAT with 61F lan IP.



+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors