Welcome to the forums. Do you have the correct policies in place as well?

Hello I have the following routing policy IP 192.168.4.0/255.255.255.0 Device Castellana (The VPN I created) BTW, using diag debug flow I notice that rxp and txp packets are increasing, so I don' t think it has to do with the VPN, rather than the routing or the firewall policies (that are configured to allow anything between internal and VPN both ways)

Do you have a reverse route on other end of the vpn tunnel, so that 192.168.3.0/24 network can be reached via TP-LINK TL-R600VPN (vpn interface).

Hello Maybe you can get something from this cli log I made, this log is the result of a Ping between 192.168.3.23 and 192.168.4.100, the ping didn' t respond but here is the log CXRFTG # diag debug enable CXRFTG # diag debug flow filter daddr 192.168.4.100 CXRFTG # diag debug flow show console enable show trace messages on console CXRFTG # diag debug flow trace start 1000 CXRFTG # id=13 trace_id=1001 msg=" vd-root received a packet(proto=1, 192.168.3.23:1->192.168.4.100:8) from internal." id=13 trace_id=1001 msg=" allocate a new session-00b43f7f" id=13 trace_id=1001 msg=" Match policy routing: to 192.168.4.1 via ifindex-30" id=13 trace_id=1001 msg=" find a route: gw-192.168.4.1 via Castellana" id=13 trace_id=1001 msg=" use addr/intf hash, len=4" id=13 trace_id=1001 msg=" find SNAT: IP-192.168.3.1, port-62464" id=13 trace_id=1001 msg=" Allowed by Policy-9: SNAT" id=13 trace_id=1001 msg=" SNAT 192.168.3.23->192.168.3.1:62464" id=13 trace_id=1001 msg=" enter IPsec interface-Castellana" id=13 trace_id=1001 msg=" send to IP-B via intf-wan1" id=13 trace_id=1001 msg=" encrypting, and send to IP-B with source IP-A" id=13 trace_id=1002 msg=" vd-root received a packet(proto=1, 192.168.3.23:1->192.168.4.100:8) from internal." id=13 trace_id=1002 msg=" Find an existing session, id-00b43f7f, original direction" id=13 trace_id=1002 msg=" SNAT 192.168.3.23->192.168.3.1:62464" id=13 trace_id=1002 msg=" enter IPsec interface-Castellana" id=13 trace_id=1002 msg=" send to IP-B via intf-wan1" id=13 trace_id=1002 msg=" encrypting, and send to IP-B with source IP-A"

If I read your post correctly you have created a Policy Route, not a regular static route - is that correct? You would only need a Policy Route if the decision which route to take was NOT the destination address. In your case, a regular static route will do and should be used. Besides, the log shows that the traffic enters the tunnel but reply traffic is never seen. I suspect that there is no route on the other end for 192.168.3.0/24 pointing to the VPN. BTW, I' d obfuscate the public addresses in the log. You can still edit your post at this time.

Hi. Thanks for the answer, as you correctly stated, I had a policy route through the VPN (left only the static route I stated above), I removed it and the VPN from the TP-LINK side works for all of the 192.168.3.0/24 of the Fortigate side, however, the VPN from Fortigate to TP-LINK doesnt work, even though I can make a PING to the 192.168.4.1 TP-LINK gateway Is that a problem on Fortigate side or on TP-LINK?

Do you have both policies on the FGT, i.e. - FGT-LAN to TP-LAN and - TP-LAN to FGT-LAN ? If yes, then look at the TP side for missing policy, ACL, access rules, whatever... It is not routing - the FGT receives the reply traffic fine!