Hi All,
I have a question about an IPsec site-to-site tunnel. While establishing the tunnel, how does the configured source interface communicate with the destination tunnel address? Is it through the routing table, or does it just send traffic out of the configured interface?
Interface-based (or 'route based') IPsec VPN always needs a route to the destination subnet, pointing to the local tunnel interface. The phase1 and phase2 definitions won't suffice.
If you use the VPN Wizard, it will not only gather all phase1 and phase2 information but create a static route, address objects and policies for this VPN.
This is not what I meant. I don't mean the tunnel destination network; I mean the destination tunnel IP, the real IP that the source tunnel connects to in order to establish the tunnel.
Ah, sorry, my fault.
If you mean the remote public address of the remote VPN gateway, that is found via the routing table, like any other target. So it might be found using the default route, or any more detailed route you configure.
Are you sure that it's using the routing table? Because I am configuring a source interface, shouldn't it send the packets out of this interface directly?
Quite sure.
Try this: delete the default route, and watch the VPN. It will not connect. (Or I'll stand corrected.)
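An added FortiOS CLI example (not from any poster in this thread) that separates the two routing decisions discussed above: the remote LAN is routed into the tunnel interface, while the peer's public address is resolved through the ordinary routing table, where the route's egress interface has to agree with the phase1 bind interface. The tunnel name, interface names, subnets, gateways and the peer address 203.0.113.10 are assumed placeholders.

```fortios
# Phase 1: "set interface" only fixes the local endpoint for IKE.
# It installs no route; the peer is still looked up in the routing table.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set psksecret "replace-with-a-strong-psk"
    next
end

config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256gcm
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

config router static
    # Route 1: traffic for the remote LAN goes into the tunnel interface
    # (this is the route the VPN Wizard creates for you).
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-branch"
    next
    # Route 2: two equal default routes (load balancing across both ISPs).
    # On its own this leaves the peer lookup free to pick wan2, which does
    # not match the phase1 interface and so the tunnel would not come up.
    edit 0
        set gateway 198.51.100.1
        set device "wan1"
    next
    edit 0
        set gateway 192.0.2.1
        set device "wan2"
    next
    # Route 3: pin the peer's public IP to the same interface phase1 is
    # bound to, so the tunnel does not depend on the default route.
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
end

# Checks: which route the peer lookup really uses, and the IKE gateway state.
get router info routing-table details 203.0.113.10
diagnose vpn ike gateway list name to-branch
```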
> ede_pfau wrote:
> Quite sure.
> Try this: delete the default route, and watch the VPN. It will not connect. (Or I'll stand corrected.)

If the VPN isn't configured using the default gateway, then nothing will happen... For example, you have a second non-IPsec route to another entity over a different interface and have a VPN configured down there; killing the default gateway will have no effect on this traffic. There will already be a static entry for this separate entity.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Well, I can't delete the default route, but what you are saying means that if you have a load-balancing default route you cannot create an IPsec tunnel through one of the ISPs!!!
Sure, I mean over SD-WAN.
Copyright 2025 Fortinet, Inc. All Rights Reserved.