Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Link two PCs over two Fortigates

Hi guys,

I want to link two PCs over two Fortigates through a VPN tunnel (cf. attachment)

Ws1 has to communicate with Ws3.

Ws1 is behind Fortigate1(60D) and Ws3 is connected to Fortigate2(60D) from another site by SSL VPN.

With the IPsec wizard, I have linked Ws1 and Ws2.

And with the SSL VPN Portal, I have linked Ws3 to Ws2.

Now I want an idea to link Ws1 to Ws3.


I answered an almost exactly identical question about a month ago, which I can't find; it's just...

SSL VPN client <--(SSL VPN)-->FGT<--(IPSecVPN)-->FGT<->host

You need to take care of three things:

1. routing from/to source to/from destination

2. policies on the FGTs

3. phase2 selectors for IPSec


Depending on your SSL VPN setup the routing would vary. Let me ask you below:

a. Is SSL VPN split-tunnel or non-split?

b. Are the SSL VPN policies that allow the destinations NATed or not NATed?



Thank you, Toshi, for responding.

a) The SSL VPN is split-tunnel

b) The SSL VPN is going to use NAT.


Then, for the client routing, you have to add the destination subnet to the routing address at the portal. Check the routing table on the client machine once that's done.

If you use NAT on the SSL VPN policy, the source IP of the packets going across the IPsec VPN will be the tunnel interface IP. Make sure you have configured the tunnel IP on both ends. Two /32 IPs work on both ends, but it's generally recommended to pick ones in a /30 range, like and Then the FGT on the other side knows where to route the returning packets.


You probably already took care of the sets of policies on both ends. Since you're NATing, it's one-way access, so you need only one policy on each FGT.


Then, lastly, make sure the phase2 selectors include the access from the source tunnel IP, like, to the destination subnet.
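As an added worked example (not part of the original thread and not Fortinet's own documentation), here is what the three items above (client routing, policies, phase2 selectors) look like in FortiOS CLI for this topology. Every name and address is an assumption: Ws1 sits in 192.168.1.0/24 on FGT1's "internal" port, the SSL VPN client range on FGT2 is the FortiOS default object "SSLVPN_TUNNEL_ADDR1", the wizard-built IPsec interfaces are "to-FGT1" on FGT2 and "to-FGT2" on FGT1, the SSL VPN user group is "sslvpn-users", and the tunnel point-to-point range is 10.255.255.0/30. The `remote-ip` form with a netmask is FortiOS 6.x syntax; 5.x takes the peer address alone and then needs a static route for the /30 instead.

```fortios
# ---- FortiGate2 (SSL VPN side; Ws3 connects here) ----
# Assumed address objects; "SSLVPN_TUNNEL_ADDR1" is the FortiOS default client range
config firewall address
    edit "Ws1-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# (1) Client routing: push the Ws1 subnet into the split-tunnel client's route table
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Ws1-LAN"
    next
end

# Tunnel interface IP: with NAT on the policy this becomes the source of every packet
# FGT2 sends into IPsec. Pair it with FGT1's address in a single /30.
config system interface
    edit "to-FGT1"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.252
    next
end

# (3) Extra phase2 selector: the NATed source (/30) to the Ws1 subnet.
# The wizard's LAN-to-LAN selector stays as it is; this one is added beside it.
config vpn ipsec phase2-interface
    edit "to-FGT1-ws3"
        set phase1name "to-FGT1"
        set src-subnet 10.255.255.0 255.255.255.252
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

# (2) The one policy FGT2 needs: SSL VPN clients -> IPsec, NAT to the tunnel IP.
# The route for 192.168.1.0/24 via "to-FGT1" is assumed to exist from the wizard.
config firewall policy
    edit 0
        set name "SSLVPN-to-Ws1"
        set srcintf "ssl.root"
        set dstintf "to-FGT1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Ws1-LAN"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# ---- FortiGate1 (Ws1 side) ----
# Mirrored tunnel addressing; remote-ip with a mask gives FGT1 a connected route
# for 10.255.255.0/30 via to-FGT2, so replies from Ws1 go back into the tunnel
config system interface
    edit "to-FGT2"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.252
    next
end

config firewall address
    edit "Ws1-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "IPsec-p2p"
        set subnet 10.255.255.0 255.255.255.252
    next
end

# (3) Mirrored phase2 selector: Ws1 subnet <-> the tunnel /30
config vpn ipsec phase2-interface
    edit "to-FGT2-ws3"
        set phase1name "to-FGT2"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.255.255.0 255.255.255.252
    next
end

# (2) The one policy FGT1 needs: tunnel -> LAN, no NAT. Because FGT2 NATs, there
# is no policy for Ws1-initiated traffic toward Ws3; access is one-way by design.
config firewall policy
    edit 0
        set name "tunnel-to-Ws1"
        set srcintf "to-FGT2"
        set dstintf "internal"
        set srcaddr "IPsec-p2p"
        set dstaddr "Ws1-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To check the result: on the Windows client, `route print` should show 192.168.1.0/24 via the SSL VPN adapter after reconnecting to the portal. On FGT1, run `diagnose sniffer packet to-FGT2 'host 10.255.255.2' 4` while Ws3 pings Ws1: the request should arrive with source 10.255.255.2 (the NATed tunnel IP, not the SSL VPN client address) and the reply should leave on the same interface. If the request appears but no reply does, the selector or the inbound policy on FGT1 is the usual culprit; if nothing appears at all, the client route or the FGT2 policy is.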





I think the easiest way would be to change the private subnet of ws3 in order not to have overlapping subnets, as ws3 is not directly connected to the second FGT.

Then the split tunnel to ws1 only needs to push a route to the ws3 subnet to ws1, and the FGTs too need routes and policies.

Overlapping subnets always create a load of fuss, as you would have to translate them somehow to be able to route traffic.


There are some KB and cookbook articles on VPN with overlapping subnets:


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
