Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dqnam277
New Contributor

IPsec Remote Access VPN behind another FortiGate – possible design or workaround?

Hello Fortinet Community,

I am working on a lab / design scenario and would like to ask for guidance on whether this setup is technically supported or if there is a recommended workaround.

A FortiGate External is deployed at the edge (Internet-facing)

A FortiGate Internal is deployed behind it

The Internal FortiGate is intended to terminate IPsec Remote Access VPN (FortiClient)

The External FortiGate acts only as a border firewall (NAT / routing)
So I want to ask whether my topology will work normally. If yes, can you guide me on how to deploy it? Thanks very much.

1 REPLY
AEK
SuperUser

Hello

Sure, it is technically possible. If you use UDP (default), on ext-fw just forward the incoming UDP-500 and UDP-4500 from WAN to the int-fw (using DNAT or just routing, depending on the case), and allow outgoing UDP-500 and UDP-4500 from int-fw to WAN (using SNAT or just routing, depending on the case).

But I wonder if it is a more correct design to set up the internal firewall as VPN server or to set up the external one. I guess the external one.

AEK
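
The forwarding described in the reply above, sketched as FortiOS CLI for the external FortiGate in the DNAT/SNAT case. This is an added example, not part of the thread; the interface names, IP addresses and object names are assumptions.

```text
# Added example, ext-fw side. Assumed: wan1/internal interfaces, 203.0.113.10 = WAN IP, 10.0.0.2 = int-fw.
config firewall vip
    edit "vip-intfw-ike"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.2"
        set portforward enable
        set protocol udp
        set extport 500
        set mappedport 500
    next
    edit "vip-intfw-natt"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.2"
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedport 4500
    next
end
config firewall service custom
    edit "IPsec-UDP"
        set udp-portrange 500 4500
    next
end
config firewall policy
    edit 0
        set name "wan-to-intfw-ipsec"
        set srcintf "wan1"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "vip-intfw-ike" "vip-intfw-natt"
        set schedule "always"
        set service "IPsec-UDP"
    next
    edit 0
        set name "intfw-to-wan-ipsec"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "IPsec-UDP"
        set nat enable
    next
end
```

In the outbound policy, replace `srcaddr "all"` with an address object for the internal FortiGate so that only it can send IKE traffic out. Because ext-fw translates addresses in the path, the tunnel will run over NAT-T on UDP 4500, so both ports must be forwarded to the same internal address.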