The Shanghai and Hefei offices are connected by an IPsec tunnel between two firewalls. Inside the Shanghai network there is an OpenWrt box that has a WireGuard tunnel to a VM abroad.
Current situation: 1) Inside Shanghai, under a policy route on the firewall, specific domains can go out via the OpenWrt box to the VM abroad. 2) The Shanghai-Hefei IPsec tunnel works normally, the two LANs are interconnected, and Hefei clients and the OpenWrt box can ping each other. 3) If a policy route is configured on the Hefei firewall, the specific domains cannot go through IPsec to Shanghai's OpenWrt box.
I read an official article that says: “Technical Tip: Configure policy routes for route-based (interface-based) IPsec VPNs. Description: This article describes how to configure a policy route so that only certain traffic will traverse a route-based IPsec VPN tunnel.
Solution: Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does. The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface, and use the 'Remote IP' as the gateway IP address in the policy routes.”
So, in the addressing mode of the IPsec interface on both the Shanghai and Hefei ends, I added an IP and a remote IP. Clients on both sides can ping these two IPs without any problem.
But the Hefei policy route still has no effect: packets for the target addresses do not reach Shanghai.
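As an added illustration of the Fortinet tip quoted above (not the poster's configuration), here is what the two sides look like in FortiOS 6.x-style CLI. Tunnel names ("to-hefei", "to-shanghai"), address objects ("hefei-lan", "overseas-sites"), the tunnel IPs and the OpenWrt address are all assumed placeholders.

```fortios
# Added example, not the poster's configuration. Placeholders: tunnel interfaces
# "to-hefei" (Shanghai) and "to-shanghai" (Hefei), address objects "hefei-lan"
# and "overseas-sites", OpenWrt box at 192.168.1.10.

# --- Both FortiGates: give the tunnel interface a local IP and a remote IP ---
# (Shanghai shown; Hefei mirrors it with the two addresses swapped)
config system interface
    edit "to-hefei"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# --- Hefei: policy route that pushes the selected destinations into the tunnel ---
# The gateway is the peer's tunnel IP, as the Fortinet tip requires.
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "hefei-lan"
        set dstaddr "overseas-sites"
        set gateway 10.255.255.1
        set output-device "to-shanghai"
    next
end

# --- Shanghai: the existing OpenWrt policy route must also match traffic that
# arrives from the tunnel, otherwise Hefei's packets follow the default route.
config router policy
    edit 2
        set input-device "to-hefei"
        set srcaddr "hefei-lan"
        set dstaddr "overseas-sites"
        set gateway 192.168.1.10
        set output-device "internal"
    next
end

# Checks worth doing before blaming the policy route:
# 1. Phase 2 selectors on both ends must cover the overseas destinations
#    (e.g. 0.0.0.0/0); a route-based tunnel still drops packets that match
#    no selector.
# 2. A firewall policy from "internal" to "to-shanghai" (Hefei) and from
#    "to-hefei" to "internal" (Shanghai) must allow the traffic.
# 3. "diagnose sniffer packet to-shanghai 'host <dst>' 4" on Hefei shows
#    whether a packet actually enters the tunnel.
```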