
Internet traffic goes through remote firewall using IPsec VPN tunnel

I have two firewalls, A and B. My requirement is that the internet traffic of firewall A's users goes through firewall B via an IPsec tunnel.


In simple terms, I want the users on firewall A to have the public IP of site B.


So do I have to edit some default route, or what is the way to achieve this?


Following are some links:




Which link is required for my query, or is the following option required (use remote)?

Use Remote




Hi Secsupport,


Let's suppose you have configured the VPN parameters and firewall policies as per the article mentioned. Regarding static routing, I will briefly explain based on the diagram below.


Let's say Fortigate A is connected to the internet via PORT1 (IP address:

Fortigate B is connected to the internet via PORT1 (IP address:

Here in Fortigate A, you have to configure two routes:

1. via port1 (to make the tunnel up)

2. via IPsec tunnel (to route rest of the traffic via IPSec tunnel)


Niroj Pariyar

What about the policies on both firewalls?



Incoming interface: lan

Outgoing interface: IPsec VPN tunnel

NAT (enable/disable)?




Incoming interface: IPsec VPN tunnel

Outgoing interface: wan

NAT (enable/disable)?


Kindly confirm whether these rules, or any other step, are required.

Secondly, if one of the firewalls is behind NAT, will the same steps be required, or different ones?




Hi Secsupport,


Regarding firewall policies:

On FortiGate A:

IPsec tunnel to Port1 (enable NAT here) -- to allow internet access to VPN users coming from Fortigate B


On Fortigate B:

LAN to IPsec (without NAT)




Niroj Pariyar

Beware, secsupport, I think you are mixing up FGT A and B. FGT A is the one with internet access.


As a FGT is not only a router, you need a couple of things in order to make this work:

routes - phase 2 selectors - policies - NAT

In detail:

1- a default route on FGT B pointing to the tunnel

1b- a route on FGT B pointing to FGT A's public address (the VPN gateway address)

1c- a route on FGT A with FGT B's LAN address, pointing to the tunnel


2a- on FGT B, phase 2 selector for "destination" is "" (source is FGT_B_LAN)

2b- on FGT A, phase 2 selector for "source" is "" (dest is FGT_B_LAN)


3a- a policy on FGT B to allow traffic to the internet (from LAN to tunnel, dest=ALL)

3b- a policy on FGT A to allow tunnel traffic to the internet (from tunnel to WAN, dest=ALL) - NAT enabled


As a rule of thumb, enable NAT only in the last policy facing the internet.

So, never on FGT B.


Ede
"Kernel panic: Aiee, killing interrupt handler!"