Support Forum
New Contributor II

Static Route for IPSecVPN


Kindly, I have a question, which is:

I configured a custom IPsec VPN between 2 sites, dial-up,

but I discovered that I have to create a static route on both FortiGate devices to reach them from each site,

so I have a concern: why do I need to create a static route?

Why is there no reachability without a static route, although in the VPN settings there is a creation for the local subnet and remote subnet?

So kindly advise.


Hi mhanna, 


A static route is necessary to ensure that traffic is going via the correct interface. 

In the VPN setting, for phase2 when you add a local subnet and a remote subnet, this ensures that traffic between these two subnets can flow over the VPN tunnel. For routing, you need to have a static route configured.

It is also advised to configure a blackhole route to ensure that VPN traffic does not get routed towards the internet in case your VPN tunnel is down.


Details here:


Thank you. 



New Contributor II

By default, FortiOS automatically adds "static" routes to the destination of phase-2 selectors when the phase-1 is of type "dynamic".

Look for the "set add-route enable" command in phase-1.


FGT-01 (root) # config vpn ipsec phase1-interface

FGT-01 (phase1-interface) # edit TEST-VPN-P1
new entry 'TEST-VPN-P1' added

FGT-01 (TEST-VPN-P1) # set type dynamic

FGT-01 (TEST-VPN-P1) # show full | grep add
set add-route enable

FGT-01 (TEST-VPN-P1) #

Without this, or when using 0/0 in phase 2, you will need to use static routes.


If you want to see what routes are being injected into the static RIB by the IPsec engine, then use:

diag vpn ike routes
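Putting the two replies above together (the static route plus blackhole route from the first reply, and the add-route behaviour from the second), here is an added FortiOS CLI example of the hub-side configuration. It is not from the original thread or from Fortinet; the interface name TEST-VPN-P1 comes from the transcript above, while port1, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the pre-shared key placeholder and the phase2 name are assumed values.

```fortios
# Added example with assumed values; not from the original thread.
# Phase 1: dial-up (dynamic) tunnel. add-route injects the peer's
# phase-2 selectors into the static RIB whenever the tunnel is up.
config vpn ipsec phase1-interface
    edit "TEST-VPN-P1"
        set type dynamic
        set interface "port1"
        set add-route enable
        set proposal aes256-sha256
        set psksecret <placeholder-psk>
    next
end

# Phase 2 selectors only define which traffic may enter the tunnel.
# They do not create routes; add-route or the static routes below do.
config vpn ipsec phase2-interface
    edit "TEST-VPN-P2"
        set phase1name "TEST-VPN-P1"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

config router static
    # Manual static route over the tunnel interface. Needed when add-route
    # is disabled, when the phase-2 selectors are 0.0.0.0/0, or on the
    # spoke side, whose phase1 is of type static and has no add-route.
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "TEST-VPN-P1"
        set comment "remote LAN via IPsec"
    next
    # Blackhole with a worse distance (default static distance is 10):
    # inactive while the tunnel route exists, it takes over and drops the
    # traffic when the tunnel is down, so it never leaks to the default
    # route towards the internet.
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set blackhole enable
        set distance 254
        set comment "drop remote LAN traffic when VPN is down"
    next
end
```

The `#` lines are explanatory and should be dropped before pasting into the CLI. After the tunnel comes up, `get router info routing-table static` shows which of the two routes for 192.168.20.0/24 is active; when the tunnel is down, only the blackhole entry should remain, and `diag vpn ike routes` should list no injected route for that subnet.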







Thanks for your reply,

Okay, but why can't both firewalls ping each other's interfaces?

I mean, when I tried to ping the remote firewall interface from the local firewall console,

there is no ping response, and vice versa,

but at the same time I can ping all subnets both ways from my laptop.

The only way that allowed me to ping both firewalls from their consoles was when I used the command

execute ping-option source interface port1 x.x.x.x

but when I use the command

execute ping x.x.x.x

it's not pingable.

So where do you think the issue is?


Most likely, your IPsec tunnel interfaces do not have IP addresses on them.

When you execute a ping on a FortiGate, FortiOS does a route lookup for the destination IP to calculate the egress (outgoing) interface.

If you have not specified your source IP ("execute ping-option source ..."), then FortiOS uses the egress interface IP address as the source address of the ICMP packet.

In your case, this is therefore the tunnel IP address - which is likely to be "". 
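As an added example (not from the thread or from Fortinet), this is the fix the reply above implies: give the tunnel interface on each FortiGate a /32 address so that `execute ping` has a non-empty source, and make sure the phase-2 selectors on both ends admit those addresses, because a source address alone does not help if no SA matches the packet. The tunnel name TEST-VPN-P1 comes from the thread; the 10.255.0.0/30 tunnel addresses, the 192.168.x.x LAN addresses and the phase2 entry name are assumed.

```fortios
# Added example with assumed addresses; not from the original thread.
# Hub side: tunnel interface gets a /32 of its own plus the peer's /32,
# which also installs a connected route for the peer address.
config system interface
    edit "TEST-VPN-P1"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
        set allowaccess ping
    next
end

# Spoke side: mirror image of the hub.
config system interface
    edit "TEST-VPN-P1"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.255
        set allowaccess ping
    next
end

# Both sides: a phase2 entry whose selectors cover the tunnel addresses.
# The alternative is 0.0.0.0/0 selectors, which then need the manual
# static routes from the earlier reply.
config vpn ipsec phase2-interface
    edit "TEST-VPN-P2-tunnelip"
        set phase1name "TEST-VPN-P1"
        set src-subnet 10.255.0.0 255.255.255.252
        set dst-subnet 10.255.0.0 255.255.255.252
    next
end

# Verification from the hub console:
#   execute ping 10.255.0.2
#     -> egress TEST-VPN-P1, source 10.255.0.1 (no longer empty)
#   execute ping-options source 192.168.10.1
#   execute ping 192.168.20.1
#     -> sourced from the LAN address instead, matching the LAN selectors
```

Without the extra phase2 entry, `diag sniffer packet TEST-VPN-P1 'icmp'` would show the echo request leaving with 10.255.0.1 as source but never being encrypted, which is the failure mode the original poster described.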



Contributor II

This is actually an interesting question.

On the one hand, why should we add a "static route" when the local/remote subnets are mentioned in the selectors? On the other hand, it is what it is :)

Anyway, in thinking this through, and by looking at the comments:

1. The suggestion of "add-route" is equal to a static route. The difference is that one is an automatic static route ("add-route"), and one is manual, by adding a static route manually.

2. Two solutions I can think of:

2.1 ADVPN with iBGP

2.2 policy-based IPsec VPN


Even "mode-cfg-allow-client-selector" would need "add-route" for the selectors to work in a dial-up VPN with mode-cfg enabled.

Am I wrong?


