FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.Workaround: configure the src-subnet on the client phase 2 interface. Then, static routes will be added by IKE on the server side (add-route enable is required).config vpn ipsec phase2-interface edit set src-subnet nextend