Hi guys, I'm trying to work out how to get traffic from my local LAN to secondary remote IPSEC networks. For example:

home <----> work <--> remotesite

(where each of the links is an IPSEC tunnel).

If I use FortiClient I can do this fine by:
- define phase2 dst & src subnets as 0.0.0.0/0.0.0.0
- existing routes from work --> remotesite still function as expected
- make sure the local client routes 192.168.0.0/16 over the IPSEC gateway address
- set up a policy on the Fortigate as follows:
  incoming interface: FortiClient interface
  outgoing interface: remoteVPN interface
  incoming subnet: FortiClient range
  outgoing subnet: remote range
  ports etc: as required

I can add a specific P2 route by using /ip ipsec policy and this is working OK - but only for the specific subnet that I define in the policy. What I want to do is create a generic policy that only routes traffic via the IPSEC tunnel when it needs to - and not when it doesn't.

But... the issue here is I can't define a route, because there's no virtual interface associated with the IPSEC tunnel (whereas on Fortigate you do get a virtual interface that can be referenced in policies / routes etc). And you can't use a standard route, because the gateway in this case is remote (i.e. it's the router at work). If I try to set up a 0/0 P2 it breaks the VPN completely.

Any tips for how I might go about making a more generic / scalable approach here?