Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HS08
Contributor

Created on ‎01-11-2026 08:35 PM

VPN ipsec Remote Access up but no traffic

I try to build VPN remote access using ipsec to preparing upgrade my fortigate production from 7.2 to 7.6 on my lab.

My fortigate lab use version 7.6.4 and after i create vpn tunnel, the forti client is connected and get the ip address but the client is not able to reach to anywhere. The firewall policy and static routing was working fine.

Open case to the fortigate support and they also feel strange with this issue. Someone here can help how to toubleshoot?

Here my VPN config

===========================

config vpn ipsec phase1-interface
edit "VPN-RA"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha1
set add-route disable
set comments "VPN Remote Access"
set dhgrp 5 20
set wizard-type dialup-forticlient
set transport auto
set fortinet-esp enable
set ipv4-start-ip 10.64.200.20
set ipv4-end-ip 10.64.200.50
set dns-mode auto
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
next
end

 

config vpn ipsec phase2-interface
edit "VPN-RA"
set phase1name "VPN-RA"
set proposal aes128-sha1
set dhgrp 5 20
set comments "VPN: VPN-RA -- Created by VPN wizard"
next
end

 

Here my routing

===========================

config router static
edit 1
set distance 1
set sdwan-zone "SDWAN_INTERNET"
next
edit 2
set dst 192.168.100.0 255.255.255.0
set gateway 192.168.100.1
set device "port2"
next
edit 3
set dst 10.64.200.0 255.255.255.0
set device "VPN-RA"
next
end

 

Here my firewall policies

===========================

config firewall policy
edit 3
set name "LAN to LAN"
set uuid 9be61642-ebbf-51f0-c819-41d789e59def
set srcintf "ss_vlan100" "ss_vlan110" "ss_vlan120" "ss_vlan140" "loopback" "VPN-RA"
set dstintf "ss_vlan100" "ss_vlan110" "ss_vlan120" "ss_vlan140" "loopback" "VPN-RA"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end

 

Here my forticleint status, i ping to my loopback interface but timeout

1.png

The routing was pushed to the client

2.png

Labels:
171
0 Kudos
8 REPLIES 8
funkylicious
SuperUser
SuperUser

Created on ‎01-12-2026 01:54 AM

https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/567401/dialup-ipsec-vpn-usin...

try and disable fortinet-esp command 

"jack of all trades, master of none"
"jack of all trades, master of none"
146
HS08
Contributor
In response to funkylicious

Created on ‎01-12-2026 05:55 PM

disabling the esp is not helping. I test when on forticlient connect using dns name then the forticlient is connected but not able to reach to anywhere.

But if i use ip address then i able to reach to anywhere, it's strange why can't reach to anywhere when use dns name.

98
funkylicious
SuperUser
SuperUser
In response to HS08

Created on ‎01-13-2026 12:46 AM Edited on ‎01-13-2026 12:48 AM

i would do the following:

- confirm that traffic is hitting the firewall while the client is connected to the VPN, doing either tcpdump/sniffer or debug flow ( i would turn npu-offload under phase1 or firewall policy, off just to make sure that you have traffic - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPsec-traffic-is-offloaded-for-im... ) 

- then i would test with the command diagnose firewall iprope flushhttps://community.fortinet.com/t5/FortiGate/Technical-Tip-Hidden-command-diagnose-firewall-iprope-fl... 

- if none of these work, then i wold reinstall FortiClient and rebuild the VPN profile in it and test again

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-No-bytes-are-received-when-connected-to-IP... 

"jack of all trades, master of none"
"jack of all trades, master of none"
29
0 Kudos
trhs1101
New Contributor II

Created on ‎01-13-2026 12:06 AM

I suspect you need to change the static route on your SD-WAN route. The distance is currently set to 1, change it to 10 as this is your default gateway presumably. 

61
0 Kudos
HS08
Contributor

Created on ‎01-13-2026 12:10 AM

How I can change the metric on sdwan? Checked static routing to the sdwan interface there is no metric.

Capture.JPG

58
0 Kudos
trhs1101
New Contributor II
In response to HS08

Created on ‎01-13-2026 12:11 AM

You need to do it via the CLI. 

Open the CLI:
config router static

edit 1

set distance 10

55
HS08
Contributor
In response to trhs1101

Created on ‎01-13-2026 12:18 AM

cannot be changed, try change to 10 but always back to 1.

49
0 Kudos
trhs1101
New Contributor II
In response to HS08

Created on ‎01-13-2026 12:20 AM

Apologies, just remembered that FortiGates SD-WAN routes can't be changed to 10 as it's the default for static routes. They can be changed to any other number though. Try changing it to 50. 

44
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.