FortiGate
keithli_FTNT
Article Id 189807

Description

 

This article explains how to assign a secondary IP address to an interface and use that address as the local VPN gateway (local-gw) address of an IPsec tunnel.

The IP address of a VPN gateway is usually the primary IP address of the network interface that connects to the Internet.
The benefit of using a secondary address instead is that the existing interface addressing, and anything already bound to the primary address, is not affected by the VPN settings.


Scope


IPsec, VPN, Phase1, FortiOS, Site-to-Site VPN, tunnel, secondary IP, peer.


Solution

 

To add the secondary IP address:

1. Edit the external (WAN-facing) interface by navigating to System -> Network -> Interface.

2. Enable the option to configure a secondary IP address under the interface and add the new IP address. The address must be configured on this interface before it can be selected as a local gateway.

 
[Screenshot: Secondary IP address configured on the interface]
 
 
3. For a policy-based tunnel, modify the phase1 settings from the CLI and set the local-gw parameter to the secondary IP address so that the VPN tunnel uses it:

config vpn ipsec phase1
    edit MyVPNTunnel
        set interface wan1
        set local-gw 10.200.10.2
    next
end
 
To make the change through the GUI, edit the tunnel and enable the 'Local Gateway' option, which lets you select the secondary IP address as the gateway.
 

[Screenshot: VPN Local Gateway option in the tunnel settings]

 

 
For a route-based tunnel, modify the phase1-interface settings from the CLI instead and set the same local-gw parameter:

config vpn ipsec phase1-interface
    edit MyVPNTunnel
        set interface wan1
        set local-gw 10.200.10.2
    next
end
 
4. When configuring the VPN settings on the remote peer, use the secondary IP address as the remote gateway instead of the primary address.

5. Once the change is made, the IPsec tunnel is established using the secondary IP address defined as the local gateway. Verify this with the sniffer command below, which captures IKE (UDP 500) and NAT-T (UDP 4500) traffic to and from the peer; the source address of the outbound packets should be the secondary IP:

di sniffer packet any 'host x.x.x.x and port (500 or 4500)' 4 0 l

x.x.x.x is the remote peer IP address. Verbosity 4 prints the interface name with each packet, a count of 0 captures until stopped with Ctrl-C, and l adds local timestamps.

 

[Screenshot: sniffer output showing IKE traffic sourced from the secondary IP]

 

As of FortiOS 6.4.9 (bug ID 728468), the local-gw IP address must be assigned to the interface, either as its primary or as a secondary address, for the tunnel to work properly; a local-gw address that is not configured on the interface will not work.
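The whole procedure as a single CLI session, added here as an example and not part of the original article: it configures the secondary IP on wan1 (the step the article only shows in the GUI), binds a route-based phase1-interface to it with local-gw, adds a matching phase2 selector, and finishes with the verification commands. The interface name wan1, the tunnel name MyVPNTunnel and the address 10.200.10.2 come from the article; the peer address 203.0.113.10, the protected subnets, the IKE/IPsec proposals, and the pre-shared key placeholder are assumptions chosen for illustration and must be replaced with your own values.

```fortios
# --- Step 1-2: assign the secondary IP to the external interface ---
# The address must exist on the interface before it can be used as local-gw
# (see the 6.4.9 behavior note above). allowaccess is kept minimal on purpose:
# IKE (UDP 500/4500) does not need any administrative access enabled.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.200.10.2 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# --- Step 3: route-based phase1 bound to the secondary IP ---
# remote-gw, proposals and psksecret below are placeholders (assumed values).
config vpn ipsec phase1-interface
    edit "MyVPNTunnel"
        set interface "wan1"
        set ike-version 2
        set local-gw 10.200.10.2
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret REPLACE-WITH-A-STRONG-PRESHARED-KEY
    next
end

# --- Phase2 selector for the protected subnets (assumed values) ---
config vpn ipsec phase2-interface
    edit "MyVPNTunnel-p2"
        set phase1name "MyVPNTunnel"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# --- Step 5: verify that IKE is sourced from the secondary address ---
# The gateway list shows the local endpoint as 10.200.10.2:500 (or :4500
# behind NAT); the sniffer shows outbound IKE packets with that source IP.
diagnose vpn ike gateway list name MyVPNTunnel
diagnose sniffer packet any 'host 203.0.113.10 and port (500 or 4500)' 4 0 l
```

On the remote peer, set the remote gateway to 10.200.10.2, not the primary address of wan1 (step 4); if the peer still points at the primary address the IKE_SA_INIT arrives on wan1 but no phase1 matches it, and the gateway list above stays empty. For a policy-based tunnel, replace phase1-interface and phase2-interface with phase1 and phase2; the local-gw setting is the same.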

 

Related document:

Changes in default behavior