New Contributor

SSL-VPN traffic not passed through Site-to-Site IPSec VPN

I'm not able to access a branch office on the other side of an IPsec VPN when I SSL-VPN into the HQ. However I've found a workaround using IP Routing in Windows every time I connect, but I'm kind of curious why that's required.

HQ - FG110C, v4 MR3, Subnets, Branch Office FWF40C, v4 MR3, Subnet IPsec VPN (route/interface based) between the two offices. Works fine inside either office. SSL-VPN on the HQ FortiGate (IP Pool: Works fine to the HQ subnets. Split-tunneling is on. Policies on both FGs allow traffic to and from the ssl.root interface and the ssl.root subnet (172.32...) via the IPsec interface. Using FortiClient

When I SSL-VPN into the HQ FG, I checked the IP Routes (Windows) and noticed that the and subnets were added, routed through gateway (the fortissl adapter gateway). So I just added a route: route add mask if 51 (where 51 is the fortissl interface id number) and blammo, traffic goes through just fine. Any idea why the branch office subnet isn't automatically being handled by the FortiClient?
Valued Contributor

You need to add the network to your SSLVPN configuration so that the FortiGate pushes that network out to the FortiClient. It's done in the firewall policy in "destination address".

FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiAP 220B/221B, 11C


Got it, thank you. For clarification, this is under the (HQ) wan1 -> port1, Action: SSL-VPN policy. The destination addresses listed there are what are sent to the SSL-VPN client.
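The check described in this thread (reading the Windows route table after connecting and spotting that a remote subnet has no route via the tunnel) can be scripted. The following is an added example, not part of any post above; the sample `route print` text, all addresses, the tunnel gateway and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of the "IPv4 Route Table" part of Windows `route print`
# output after connecting with split tunneling on. All addresses are made up.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.10.1.0    255.255.255.0       10.212.0.2      10.212.0.1      1
         10.10.2.0    255.255.255.0       10.212.0.2      10.212.0.1      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

def parse_routes(text):
    """Return (network, gateway) pairs from the Active Routes table."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            active = True
            continue
        if line.startswith("Persistent Routes"):
            break
        parts = line.split()
        if not active or len(parts) != 5:
            continue  # header row, separator, or text outside the table
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, parts[2]))
    return routes

def missing_from_tunnel(text, tunnel_gateway, expected):
    """Expected subnets with no non-default route via the tunnel gateway."""
    pushed = [n for n, gw in parse_routes(text)
              if gw == tunnel_gateway and n.prefixlen > 0]
    return [e for e in expected
            if not any(ipaddress.ip_network(e).subnet_of(p) for p in pushed)]

if __name__ == "__main__":
    # Two constructed HQ subnets plus one constructed branch subnet.
    hq_and_branch = ["10.10.1.0/24", "10.10.2.0/24", "10.20.0.0/24"]
    print(missing_from_tunnel(SAMPLE_ROUTE_PRINT, "10.212.0.2", hq_and_branch))
```

A subnet reported as missing is one the client will send out its local default route instead of the tunnel, which is the symptom the original poster worked around with a manual `route add`.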