This is a sample configuration of a site-to-site IPsec VPN in which SSL VPN clients connected to the local FortiGate can reach the remote endpoint through the IPsec tunnel.

This example uses a pre-existing user group, a tunnel mode SSL VPN with split tunneling, and a route-based IPsec VPN between two FortiGates. All sessions must start from the SSL VPN interface.

If you want sessions to start from the FGT_2 subnet, you need additional policies. Also, if the remote subnet is beyond FGT_2 (that is, there are multiple hops), the SSL VPN subnet must be routed on those intermediate routers as well.

Sample topology

Sample configuration

To configure the site-to-site IPsec VPN on FGT_1:
  1. Go to VPN > IPsec Wizard.

  2. In the VPN Setup pane:

    1. Specify the VPN connection Name as to_FGT_2.

    2. Select Site to Site.

    3. Click Next.

  3. In the Authentication pane:

    1. Enter the IP Address of the remote peer's Internet-facing interface.

    2. For Authentication Method, click Pre-shared Key and enter the Pre-shared Key.

    3. Click Next.

  4. In the Policy & Routing pane:

    1. Set the Local Interface to the internal interface.

    2. Set the Local Subnets to include the internal and SSL VPN subnets for FGT_1.
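The CLI equivalent of the FGT_1 wizard steps above, as an added example that is not from this page: the interface names, IP addresses, subnets, the user group name and the FGT_2_subnet address object are assumed values. The point to notice is the second phase 2 selector, which carries the SSL VPN pool, and the single policy from ssl.root into the tunnel.

```fortios
# Added example, not from the page: FortiOS CLI equivalent of the FGT_1 wizard
# steps above. Assumed values: port1 = Internet-facing interface, 203.0.113.2 =
# FGT_2 WAN IP, 10.1.100.0/24 = FGT_1 internal subnet, 10.212.134.0/24 = SSL VPN
# tunnel pool, 10.2.100.0/24 = FGT_2 subnet, sslvpngroup and FGT_2_subnet exist.
config vpn ipsec phase1-interface
    edit "to_FGT_2"
        set interface "port1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret <PRE_SHARED_KEY_PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    # One selector per local subnet: the internal subnet and the SSL VPN pool,
    # so traffic sourced from SSL VPN client addresses is carried by the tunnel.
    edit "to_FGT_2_internal"
        set phase1name "to_FGT_2"
        set auto-negotiate enable
        set src-subnet 10.1.100.0 255.255.255.0
        set dst-subnet 10.2.100.0 255.255.255.0
    next
    edit "to_FGT_2_sslvpn"
        set phase1name "to_FGT_2"
        set auto-negotiate enable
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 10.2.100.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.2.100.0 255.255.255.0
        set device "to_FGT_2"
    next
end
# Sessions must start on the SSL VPN side: only ssl.root -> tunnel is allowed,
# limited to the user group; FGT_2 needs the mirror-image selectors and route.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "to_FGT_2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "FGT_2_subnet"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because there is no reverse policy from to_FGT_2 to ssl.root, hosts behind FGT_2 cannot initiate sessions toward SSL VPN clients, which matches the constraint stated at the top of this page.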