Hieu
Explorer
May 8, 2025
Solved

FortiNAC VPN management with FortiGate (IPsec VPN)

Hi everyone,

I have a FortiNAC VPN management model with FortiGate (IPsec VPN).
I referred to the documents below but still do not understand some things:

https://docs.fortinet.com/document/fortinac-f/7.6.0/fortigate-vpn-integration/693309/what-it-does

https://docs.fortinet.com/document/fortinac-f/7.6.0/fortigate-vpn-integration/693309/configuring-fortigate

Please see the attached links for IP information, model, etc.

My questions:

Can FortiNAC's Isolation Interface (10.1.3.71/24) be used for both SSL VPN and IPsec VPN?

Where does the Isolation IP range 10.5.254.11 - 10.5.254.99 come from? Where is the gateway of that range?

When is the IP range 10.5.254.11 - 10.5.254.99 used?

1 reply

ebilcari
Staff
Answer
May 9, 2025

Based on the mentioned IP subnets I guess you are referring to this article: Technical Tip: A simple network example of deploying VPN management with FortiGate

Yes, the same isolation interface can be used in FNAC and dedicated to all VPN integrations. It is recommended to configure the 'Layer 3 Virtual Private Network'. The main scope of this interface in this implementation type is to offer DNS services.

As explained also in the article:

'VPN IP Subnets' can also be used instead of the standard scope since there is no DHCP service used in this case, the IPs for the end hosts are provided by FortiGate. This will enable FortiNAC to respond to DNS requests that are coming from this subnet.

This range can be considered just as a list of source IPs that are able to get DNS service. The gateway is required to complete the configuration in FNAC but it doesn't play any role in this case.

Remember that the same IP range is also used in the VPN Addresses configuration as shown in the troubleshooting section: 'e. The tag is not being sent.'

The range itself (as planning) is chosen in the SSL-VPN Settings done in FGT, first picture in the section '2. SSL VPN configuration in the FortiGate.'

Emirjon
Hieu
Author
Explorer
May 11, 2025

Thank you so much for this information. It's very helpful for me!