Technical Tip: Fortinet Virtual Ethernet Adapter’s IP address is the default gateway for another client

Description

This article explains common behavior seen by users after connecting to the remote access VPN on FortiGate in full tunnel mode with FortiClient.

Scope

FortiGate when making connections to the remote access VPN.

Solution

When users connect to the remote access VPN (Dial-up IPsec or SSLVPN), the below behavior occurs where the Default gateway on one client may be the assigned IP address for another user's Virtual Adapter.

Client01

IP Configuration:

Route Table:

Client02

IP Configuration:

Route Table:

The Default Gateway of Client01 is the same as the assigned IP of Client02 10.212.134.201 on the Virtual adapter.

This behavior is expected when users are connected to the remote access VPN (including SSL VPN and Dial-up IPSec) using full-tunnel mode with FortiClient.

This behavior is caused by a limitation in Windows where a route entry cannot use its own IP as the gateway address. Instead, the gateway address is set to the assigned IP + 1.