OK, so you’ve created your IPsec VPN tunnels and added the corresponding static routes, but which path does the VPN traffic take if your tunnel is down?
Right, it uses the next best route in the routing table and chances are this is your default route pointing to your internet router…
But luckily you did add a blackhole route for this traffic, preventing this:
So next time your VPN tunnel is down, traffic will be dropped by the FortiGate instead of following your default route.
Or you can use the CLI for this:
    config router static
        edit 0
            set blackhole enable
            set dst 172.16.0.0/12
        next
    end
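The blackhole route only does its job if it is less preferred than the route through the tunnel, so that it is used when the tunnel route disappears and not while the tunnel is up. The post's own snippet leaves the distance at the default, which is the same default a normal static route gets. Below is an added example (not from the original post) showing the tunnel route and the blackhole route side by side; the tunnel interface name "to-branch" is a hypothetical placeholder, the destination is the 172.16.0.0/12 network from the post, and the distance of 254 is a deliberate choice to make the blackhole the least preferred route.

```text
# Added example, not part of the original post.
# Assumes a route-based IPsec tunnel whose interface is named "to-branch" (hypothetical).
config router static
    # Normal path: remote network reachable through the tunnel interface.
    # Default distance (10) makes this the preferred route while the tunnel is up.
    edit 0
        set dst 172.16.0.0/12
        set device "to-branch"
    next
    # Fallback: same destination, blackhole, higher distance so it only becomes
    # active once the tunnel interface is down and its route has been withdrawn.
    edit 0
        set dst 172.16.0.0/12
        set blackhole enable
        set distance 254
    next
end
```

To check the result, use `get router info routing-table all` to see which 172.16.0.0/12 entry is active: with the tunnel up it should be the route via the tunnel interface; with the tunnel down only the blackhole entry remains, and traffic for that prefix is dropped rather than sent out the default route. Apply the same pair of routes to every remote network that is reachable over a VPN tunnel, not just one of them.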