Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Route from 1 Site to Site to another Site to Site

Dear All,


It's my first time to make a post. I've been using this forum as references concerning my day to day administration of our FortiGate devices. This forum has been informative and I hope I could contribute and be able to help others. Right now I, have some problem with my fortigate. I've been struggling with it for a while and I think it's time to seek help. I encourage anyone to jump in and join the discussion.


This my scenario:


We have 2 offices, Head Quarters and a remote branch. These two sites are connected with IPsec Site to Site vpn. Servers and services in the HQ are accessed by the remote branch using this vpn. Recently we acquired Azure services. We placed some of the servers in azure. HQ and Azure have a route based site to site vpn connection. So servers in azure are accessible in HQ. My problem is with the remote branch, it cannot access the servers in Azure. Although this can be resolved by creating a site to site vpn between Azure and remote branch but, management is reluctant in doing that as it involves another cost. To resolve this problem, I was thinking of using the existing vpn  tunnel of JHO and Azure. So basically access from remote branch will pass through the vpn tunnel to HQ and then pass to the vpn tunnel to Azure (please see illustration in red line). Can someone please give me the direction on how to achieve this, or if this even possible with my current Fortigate devices.


HQ Fortigate Device: FG 200E

Remote Branch Fortigate Device: FG 50E


Network illustration



Hi john


please follow the below step.


1. add a new route in your branch firewall.

    destination --> Azure local ip ( eg:

    device -->vpn tunnel to HO

    distance --> any


2. Create a new Ip pool with any free IP from HQ ip range in HQ firewall ( if HQ ip is then create a new ip pool with IP pool can create under firewall-->ippool

3. create a policy in HO firewall from Branch(fortigate 50E) VPN interface to Azure VPN interface and enable NAT with Dynamic and point created NAT ip pool


now when you try to access the Azure address from branch it will route through ipsec tunnel and traffic will pass with HQ ip ( which is trusted by Azure.



please check and update.







It not working, can anyone do it live

Top Kudoed Authors