Support Forum
New Contributor

Routing Internet IP via IPSEC

fortigate 60E 6.4

As an example, I'm trying to route via the IPsec tunnel from router1 to router2.

Router 1

Router 2

I can ping anything on router 2, so I can confirm the tunnel is up.

But when I try to traceroute, it hangs at my router.

Can you help me figure out what I'm doing incorrectly?

I have an FQDN, named test, that resolves to its 2 addresses.

I have a policy that routes:
incoming interface: inside
outgoing interface: router1 to router2
source: all
destination: test
schedule: always
service: all
action: accept
inspection mode: flow based
firewall NAT: enabled
security profile: none
log: enabled
policy: enabled

I have a static route set:
name: test
interface: router1 to router2
admin distance: 10

I can run a policy lookup:
protocol: ip
protocol number: 1
destination: test

It will show that the above policy is the one selected.

Not clear about the topology. Is the 60E = Router2? Or does it sit in between Router2 and the Internet?

New Contributor

Both routers are 60E's.

LAN traffic to needs to go from router 1 to router 2, then to the cloud.

There is a tunnel already set up between the 2 gates.

Note: is just an example and not the actual website I'm trying to route, but used for the example only. So if router 1 public IP is and router 2 then would show as the IP I'm coming from. Currently is just stopping at router1.


You must have a set of inbound and outbound policies on both ends without NAT to let and talk to each other over the tunnel. Then your test route pushes traffic to the destination into the tunnel, if the phase2 selectors include the destination:<->test. If you're using 0/0<->0/0 for the selector, it includes everything, so that's not a problem.
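As an added illustration of the answer above (not configuration posted by anyone in this thread or taken from Fortinet documentation), here is how the two ends could look in FortiOS 6.4 CLI. The interface names `inside`, `wan1` and `router1-to-router2`, the address object `router1-lan` and the FQDN `example.invalid` are assumptions; the Router 2 policy toward its WAN keeps NAT enabled, since that is where the traffic should take Router 2's public address.

```fortios
# Router 1: route the FQDN object into the tunnel, and do it without NAT.
# With NAT on, the source would be rewritten to the tunnel interface address.
config firewall address
    edit "test"
        set type fqdn
        set fqdn "example.invalid"         # placeholder for the real site
        set allow-routing enable           # needed to use it in a static route
    next
end
config router static
    edit 0
        set dstaddr "test"                 # named-address route
        set device "router1-to-router2"    # the IPsec tunnel interface
        set distance 10
    next
end
config firewall policy
    edit 0
        set name "inside-to-tunnel"
        set srcintf "inside"
        set dstintf "router1-to-router2"
        set srcaddr "all"
        set dstaddr "test"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set nat disable                    # the original policy had NAT enabled
        set logtraffic all
    next
end
# Router 2: accept what arrives from the tunnel and send it out the WAN,
# source-NATed to Router 2's public address.
config firewall policy
    edit 0
        set name "tunnel-to-wan"
        set srcintf "router1-to-router2"
        set dstintf "wan1"
        set srcaddr "router1-lan"          # assumed object for Router 1's LAN, e.g. 192.0.2.0/24
        set dstaddr "test"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Router 2 also needs a route back to Router 1's LAN over the tunnel, and if the phase2 selectors are narrower than 0/0<->0/0 they must cover both that LAN subnet and the addresses test resolves to.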

New Contributor

Thanks, NAT was the issue.
