VPN Site to Site

HS08 · ‎09-15-2025

I build site to site vpn connection from fortigate in HQ and sophos xg in branch.

In the tunnel interface in fortigate listen on port8 with ip address xx.xx.xx.230

The vpn connection is established, the branch and hq can communicate but if i traceroute from branch to hq i feel strange why the traffic passing thru another ip in fortigate xx.xx.xx.246 and not to xx.xx.xx.230?

Here my tracert result

Tracing route to 10.7.208.52 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.108.150.1
2 22 ms 16 ms 20 ms xx.xx.xx.246
3 29 ms 20 ms 20 ms 10.7.101.2
4 21 ms 23 ms 18 ms 10.7.208.52

princes · ‎09-18-2025

Hello HS08,

It might be the interface index selected instead of tunnel interface.

Kindly check the below for reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-tracert-traceroute-behavior-over-IPsec-VPN...

Regards,

Prince

Best regards, Prince singh Fortinet EMEA TAC Engineer

View solution in original post

Stephen_G · ‎09-18-2025

Hello HS08,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Stephen - Fortinet Community Team

princes · ‎09-18-2025

Hello HS08,

It might be the interface index selected instead of tunnel interface.

Kindly check the below for reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-tracert-traceroute-behavior-over-IPsec-VPN...

Regards,

Prince

Best regards, Prince singh Fortinet EMEA TAC Engineer

HS08 · ‎09-18-2025

make sense, when i assign ip address to the tunnel interface now the tracert showing right path.

Toshi_Esumi · ‎09-18-2025

Traceroute's host IPs in the output is just host IPs. Not necessarily ingress or egress interface IPs. They're just to "identify" the hosts.

Toshi

VPN Site to Site

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website