Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Routing certain traffic over IPSEC VPN

We have a site-to-site VPN between our remote sites and head-office. Both locations are using FortiGate firewalls. We have an IPSEC tunnel up and running between these 2 sites. This IPSEC tunnel lets our remote site access our servers on the network

Here is what we have under phase 2 on our remote firewall as well as the head-office firewall:

Remote firewall phase 2:

Source :



Head-office firewall phase 2:




This is a route-based VPN with policies for in/out traffic. On the remote site I have a static route in place for traffic going to (server network at head-office). The static route looks like this: network then use device Interface Phase1 of VPN


We have some external server farms which are connected to head-office over an IPSEC tunnel, and this remote site also needs to access those external farms. So rather than creating a site-to-site VPN between the remote site and the external farms, I want to route the remote site's traffic through our existing tunnel to head-office. Right now, traffic destined for the network from the remote site only travels over the VPN.


What changes can I make so I can route our remote site's traffic to the external farm through our existing tunnel to head-office? Happy to provide more information as required. Thanks all






Valued Contributor

I highly recommend you establish a third IPSec Tunnel between the remote site and the server farm

Otherwise all your traffic will go from the farm into the head office, out of the head office and into the remote site and vice versa


BUT if you don't want that


You need to add the IP range of the server farm to the P2 of the existing tunnel (create policies as well)


You can now either use the head office to NAT the traffic OR add the new IP range to the P2 of this IPSec tunnel as well


Thanks for your reply mate. The reason I wanna route traffic through our HO is because we have MPLS between HO & external server farm so definitely I would like to route through HO


Could you please elaborate a little more on the second option? Does it mean I have to create another entry in phase 2 between HO and remote site for external server farms? Say external server farm network is, so is this what I need to configure on HO and remote site firewall:


Head-office firewall (new phase 2 entry)

Source: (external server farm network)

Destination: (remote site)


Remote-site firewall (new phase 2 entry)

Source: (local subnet)

Destination: (external server farm network)


Static route on remote site:

If destination is then use device VPN phase 1 name


Is this what I have to do to achieve this? Also, do I have to create policies as well?


Thanks mate :)



New Contributor

Hope this helps. The configuration in detail:

Remote-site firewall configuration

- New phase 2 entry:
    Source: (local subnet)
    Destination: (external server farm network)
- New policy:
    Source Interface: LAN Interface
    Source Subnet:
    Destination Interface: VPN Interface Name
    Destination Subnet:
- New static route:
    Subnet:
    Device: VPN Phase1 name

Head-office firewall

- New phase 2 entry:
    Source: (external server farm network)
    Destination: (remote site)
- New policy:
    Source Interface: VPN Interface Name
    Source Subnet:
    Destination Interface: Server Farm Interface
    Destination Subnet:

In this configuration, you need to edit the routing table of the MPLS network to send the traffic to through the Head Office Firewall. If you can't edit the routing table of the MPLS network, just turn on NAT in the policy on the Head Office Firewall.
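The same steps written out as FortiOS CLI, added here as a constructed example; it is not the poster's configuration and not taken from Fortinet documentation. Every subnet, interface and tunnel name is a placeholder: remote LAN 192.168.10.0/24 on port2 behind the existing phase 1 "to-HO", head-office phase 1 "to-Remote", and the external server farm 172.16.50.0/24 reached from head office on port3 (the MPLS side). Lines beginning with # are commentary.

```fortios
# ===== Remote-site FortiGate (constructed placeholder values) =====
config firewall address
    edit "remote-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "server-farm"
        set subnet 172.16.50.0 255.255.255.0
    next
end

# Second phase 2 selector on the existing tunnel: remote LAN <-> server farm.
# It must be mirrored exactly (src/dst swapped) on the head-office side.
config vpn ipsec phase2-interface
    edit "to-HO-farm"
        set phase1name "to-HO"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 172.16.50.0 255.255.255.0
    next
end

# Send the farm prefix into the tunnel interface.
config router static
    edit 0
        set dst 172.16.50.0 255.255.255.0
        set device "to-HO"
    next
end

# Policies in both directions, scoped to the two subnets only (narrow
# "service" further to what the farm actually exposes where possible).
config firewall policy
    edit 0
        set name "lan-to-farm"
        set srcintf "port2"
        set dstintf "to-HO"
        set srcaddr "remote-lan"
        set dstaddr "server-farm"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "farm-to-lan"
        set srcintf "to-HO"
        set dstintf "port2"
        set srcaddr "server-farm"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== Head-office FortiGate (constructed placeholder values) =====
config firewall address
    edit "remote-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "server-farm"
        set subnet 172.16.50.0 255.255.255.0
    next
end

# Mirror of the remote-site selector.
config vpn ipsec phase2-interface
    edit "to-Remote-farm"
        set phase1name "to-Remote"
        set src-subnet 172.16.50.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

# Return route for the remote LAN (skip if the existing tunnel already has it).
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to-Remote"
    next
end

config firewall policy
    edit 0
        set name "remote-to-farm"
        set srcintf "to-Remote"
        set dstintf "port3"
        set srcaddr "remote-lan"
        set dstaddr "server-farm"
        set action accept
        set schedule "always"
        set service "ALL"
        # Only needed when the MPLS side cannot be given a route for
        # 192.168.10.0/24 back to this firewall: replies then come to port3's
        # own address. With NAT on, farm-initiated sessions to the remote LAN
        # are not possible through this policy.
        set nat enable
    next
end
```

Without "set nat enable" the MPLS routing table must carry 192.168.10.0/24 pointing at the head-office firewall's port3 address, otherwise farm replies are routed elsewhere and the session never completes, which is the symptom the next reply in the thread describes.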




I have this same issue. The only difference is that our remote sites are not connected via VPN tunnel but via MPLS. 


On the remote site we have static routes to head office, and in head office we have a tunnel. We want the remote sites to access resources in our external site via the tunnel.

We did a trace route and discovered that the traffic drops once it reaches the MPLS interface on the fortinet. 


Really do not know what to do. Please help





Hello All, 


I finally solved this issue. 


My Current Set Up is as follows


Layer 2 MPLS Connection between Remote Site and HO 


IPSec VPN Tunnel Between HO and external (Let's call it Site A)


Remote site needed to communicate with Site A through the IPSec VPN Tunnel existing in HO




Remote Site

1. Create a static route from remote site to site A using HO interface address

2. Create an address object using the site A subnet  

3. Create a bidirectional policy from remote site to wan with source address as Site A address object already created



1. Create an IP pool using one IP address (if you have multiple remote sites and you want to track connections to the tunnel from them, you'll need to create several IP pools all with one IP each)

2. Create a NATed policy from remote site to VPN Tunnel using the IP pool


The remote site should be able to connect to site A through the VPN


Thanks  ede_pfau for your help
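The final setup above (MPLS-connected remote site, tunnel at HO, NAT at HO through a one-address IP pool) as FortiOS CLI, added as a constructed example that is not the poster's configuration. Placeholders: remote LAN 192.168.20.0/24 on port2, MPLS link on port1 with the head-office end at 10.100.0.1 and the remote end at 10.100.0.2, head-office MPLS interface port3, head-office LAN 192.168.1.0/24, Site A 10.50.0.0/24 behind the existing tunnel "to-SiteA". The pool address 192.168.1.250 is assumed to be unused and to fall inside the existing phase 2 selector of "to-SiteA", which is what lets Site A accept and route the translated traffic without any change on its side. Lines beginning with # are commentary.

```fortios
# ===== Remote-site FortiGate (constructed placeholder values) =====
config firewall address
    edit "remote-lan"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "siteA-net"
        set subnet 10.50.0.0 255.255.255.0
    next
end

# Step 1: Site A prefix via the head-office MPLS interface address.
config router static
    edit 0
        set dst 10.50.0.0 255.255.255.0
        set gateway 10.100.0.1
        set device "port1"
    next
end

# Step 3: policies in both directions toward the MPLS link.
config firewall policy
    edit 0
        set name "lan-to-siteA"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "remote-lan"
        set dstaddr "siteA-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "siteA-to-lan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "siteA-net"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== Head-office FortiGate (constructed placeholder values) =====
config firewall address
    edit "remote-lan"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "siteA-net"
        set subnet 10.50.0.0 255.255.255.0
    next
end

# Route back to the remote LAN over MPLS (needed after reverse NAT).
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set gateway 10.100.0.2
        set device "port3"
    next
end

# Step 1 (HO): one pool with a single address per remote site, so each site's
# sessions to the tunnel are distinguishable in logs by source address.
config firewall ippool
    edit "remote20-pool"
        set startip 192.168.1.250
        set endip 192.168.1.250
    next
end

# Step 2 (HO): NATed policy from the MPLS interface into the tunnel.
config firewall policy
    edit 0
        set name "remote20-to-siteA"
        set srcintf "port3"
        set dstintf "to-SiteA"
        set srcaddr "remote-lan"
        set dstaddr "siteA-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "remote20-pool"
    next
end
```

Because the remote LAN is hidden behind 192.168.1.250, neither the "to-SiteA" phase 2 selectors nor Site A's routing or policies need to change; the trade-off is that sessions can only be initiated from the remote site, and any per-host visibility at Site A collapses to the pool address, which is why the post suggests a separate pool per remote site.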




