rmharini
Staff
Article Id 262174

Description

This article describes how to assign different IP address ranges to SSL VPN clients when SSL VPN connections are established over multiple ISPs.

Scope

FortiGate with SSL VPN.

Solution

When SSL VPN connections are established over two different ISPs, the IP address will be assigned from the address range of the first ISP, as expected. In the CLI, the configuration would appear as follows:

config vpn ssl settings
    config authentication-rule
        edit 1
            set users "test1"
            set portal "full-access"
        next
        edit 2
            set users "test2"
            set portal "tunnel-access"
        next
    end
end

To set up different IP ranges for each ISP, use the following CLI configuration, which binds each authentication rule to the interface of one ISP. A specific source address can be configured instead of 'all'.

config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "port1"
            set source-address "all"
            set source-address-negate disable
            set source-address6-negate disable
            set users "test1"
            set portal "full-access"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
        edit 2
            set source-interface "port2"
            set source-address "all"
            set source-address-negate disable
            set source-address6-negate disable
            set users "test2"
            set portal "tunnel-access"
            set realm ''
            set client-cert disable
            set cipher high
            set auth any
        next
    end
end

When the user test1 connects to the 'full-access' portal, the client receives an IP address from the range configured in that portal. Similarly, when the user test2 connects to the 'tunnel-access' portal, the client is assigned an IP address from the range specified in that portal.
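
The portal-side settings that the authentication rules above rely on, as an added example that is not part of the original article: each portal is given its own tunnel IP pool. The address object names and IP ranges are constructed placeholders, and the `#` lines are annotations to leave out when entering the commands.

```text
# Constructed address objects, one range per ISP (names and ranges are assumptions)
config firewall address
    edit "SSLVPN_POOL_ISP1"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.100
    next
    edit "SSLVPN_POOL_ISP2"
        set type iprange
        set start-ip 10.212.135.1
        set end-ip 10.212.135.100
    next
end

# Attach one pool to each portal referenced by the authentication rules
config vpn ssl web portal
    # Portal matched by rule 1 (source-interface "port1", user test1)
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL_ISP1"
    next
    # Portal matched by rule 2 (source-interface "port2", user test2)
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL_ISP2"
    next
end
```

After both users connect, `get vpn ssl monitor` lists each session with its assigned tunnel IP, which should fall within the pool of the portal matched by that user's rule.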