Support Forum

Routing Question Across Site-to-Site VPN

Working on a client build.


Site X has a Fortigate cluster, and uses split into /25 for corp wired and wireless.


Site Y has a Fortigate cluster as well, and has a network and other networks.  The Fortigate interface is  The is an old MPLS circuit that will soon be retired (within the next few months).


Traffic from Site X to Site Y works for other networks besides  When I try to reach a server, it fails.  In checking into it, the server and some other older gear have a gateway of (the MPLS), and the MPLS has no route for so the traffic drops.


I have temporarily worked around it by putting a persistent route on the server redirecting through and that resolved it.


I hate using these sorts of 'kludges' when I'm pretty sure there's another easier way I could have done this through the Fortigates.


Both sites are on 6.0.11 if that makes any difference.




Do you have static routes to the opposite subnet(s) on your FGT clusters?

Usually you need static routing on both S2S VPN endpoints, plus a policy to allow the traffic.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams


Hey Brent,


I'm afraid what you call a "kludge" is basic routing.  You can't fix the problem with the FGTs if the traffic never reaches a FGT, which it sounds like is the case since the default gateway on the server sends the traffic to the MPLS router instead of the FGT.


Either change the default gateway on the server so it sends all traffic to the FGT or add a route on your MPLS to send that traffic to the FGT.  Or, if neither of those solutions are practical for one reason or the other, then I think you've done the best thing you can do already.


- Daniel
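To make Daniel's point concrete, here is an added example (not code from the thread or from Fortinet) that walks a packet hop by hop through a few longest-prefix-match routing tables. The addresses, device names and tables are constructed placeholders: Site X LAN 10.1.0.0/16, Site Y LAN 10.2.0.0/16, the server at 10.2.0.50 with the MPLS router as its default gateway, and an MPLS router that only knows a hypothetical 172.16.0.0/12 carrier cloud. The thread's real subnets are not reproduced. The trace shows why the forward direction works while the server's reply is dropped at the MPLS router before any FortiGate table is consulted, and how either the persistent host route on the server or a route on the MPLS router fixes it.

```python
"""Hop-by-hop route tracing over simplified longest-prefix-match tables.

Added example for the site-to-site VPN thread; all addressing and device
names below are hypothetical and constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]          # (destination prefix, next hop node name)
Tables = Dict[str, List[Route]]  # node name -> its routing table

# Node names used in the constructed topology.
CLIENT_X = "client_x"        # a host on the Site X LAN (default gw = FGT X)
FGT_X = "fortigate_x"        # Site X FortiGate, IPsec peer of FGT Y
FGT_Y = "fortigate_y"        # Site Y FortiGate, IPsec peer of FGT X
MPLS_ROUTER = "mpls_router"  # legacy MPLS CE router at Site Y
CARRIER = "carrier"          # hypothetical MPLS provider cloud
SERVER = "server"            # the Site Y server whose default gw is the MPLS router
DELIVERED = "delivered"      # pseudo next hop: destination is on-link here


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins.

    Returns the next hop name, or None when no route (not even a default)
    matches, which is the 'traffic drops' case from the thread.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = next_hop, net.prefixlen
    return best


def trace(tables: Tables, start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` toward `dst` until delivered, dropped or looping."""
    path = [start]
    node = start
    for _ in range(max_hops):
        nxt = lookup(tables[node], dst)
        if nxt is None:
            path.append("DROP(no route)")
            return path
        path.append(nxt)
        if nxt == DELIVERED:
            return path
        if nxt in path[:-1]:
            path.append("LOOP")
            return path
        node = nxt
    path.append("TTL exceeded")
    return path


def build_tables(server_host_route: bool = False, mpls_route: bool = False) -> Tables:
    """Constructed topology. The two flags model the two fixes discussed in the thread."""
    server: List[Route] = [("0.0.0.0/0", MPLS_ROUTER)]  # default gateway is the MPLS router
    if server_host_route:
        # The 'kludge': a persistent route on the server for Site X via the FortiGate.
        server.insert(0, ("10.1.0.0/16", FGT_Y))
    mpls: List[Route] = [("172.16.0.0/12", CARRIER)]  # knows only the MPLS cloud, no default
    if mpls_route:
        # Alternative fix: teach the MPLS router to hand Site X traffic to the FortiGate.
        mpls.append(("10.1.0.0/16", FGT_Y))
    return {
        CLIENT_X: [("0.0.0.0/0", FGT_X)],
        FGT_X: [("10.1.0.0/16", DELIVERED), ("10.2.0.0/16", FGT_Y)],   # static route via VPN
        FGT_Y: [("10.2.0.0/16", DELIVERED), ("10.1.0.0/16", FGT_X)],   # static route via VPN
        MPLS_ROUTER: mpls,
        CARRIER: [("172.16.0.0/12", DELIVERED)],
        SERVER: server,
    }


def touches_fortigate(path: List[str]) -> bool:
    """True if any FortiGate table was consulted along the path."""
    return FGT_X in path or FGT_Y in path


if __name__ == "__main__":
    base = build_tables()
    print("forward  X->server :", " -> ".join(trace(base, CLIENT_X, "10.2.0.50")))
    print("reply    server->X :", " -> ".join(trace(base, SERVER, "10.1.0.10")))
    print("reply, server route:", " -> ".join(trace(build_tables(server_host_route=True), SERVER, "10.1.0.10")))
    print("reply, MPLS route  :", " -> ".join(trace(build_tables(mpls_route=True), SERVER, "10.1.0.10")))
```

In the failing case the reply path never includes a FortiGate, which is exactly why no static route or policy on the FGT clusters can help: the decision is made on the server and then on the MPLS router. Both fixes work by inserting a more specific route ahead of the server's default, either on the server itself or on the device its default points at.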


Yeah - we have routes on both IPSec VPNs for these networks.


I was racking my brains to see if I could work around this at the firewalls - but I don't think I can.


The MPLS needs to be the default gateway for this server for various reasons, within the next 6 months or so it will be going away and the firewall will take over as the gateway.


Thanks for the help, gents.


Stupid setup... :)

