msanjaypadma (Staff)
Article Id 373219
Description

This article describes the behavior of the source IP pool configured in the SSL VPN portal.

Scope

FortiGate.

Solution


When configuring the SSL VPN portal, a source IP pool is specified under the Tunnel Mode settings. As soon as a source IP pool is defined, a corresponding route is automatically added to the kernel, directing traffic for those addresses to the ssl.root interface, as shown in the following examples:


Example 1: Default configuration. The SSL VPN portal source IP pool is set to SSLVPN_TUNNEL_ADDR1, which ranges from 10.212.134.200 to 10.212.134.210. Because the pool is an address range rather than a single subnet, the kernel carries it as the three prefixes shown below (a /29, a /31 and a /32).

[Image: sslvpn1.png]


photon-kvm38 # get router info kernel | grep ssl
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)

 

Example 2: A subnet of 1.1.1.1/32 has been added to the Source IP Pool for testing purposes.

[Image: sslvpn2.PNG]


photon-kvm38 # get router info kernel | grep ssl
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)  <<<<< route pushed to the kernel
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
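The two examples above show that the kernel does not store the pool as a range but as the minimal set of CIDR prefixes covering it, and that every address added to the pool becomes an ssl.root route. The following script is an added example written for this article, not Fortinet code: it reproduces the range-to-prefix split with Python's standard ipaddress module, parses the `get router info kernel | grep ssl` output format shown above, and compares the routes actually present against the pools an administrator expects. The KERNEL_ROUTES text is a constructed sample modeled on Example 2, and the audit_routes helper and its (first, last) pool tuple format are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample of `get router info kernel | grep ssl` output, modeled on
# Example 2 in the article (not captured from a live device).
KERNEL_ROUTES = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
"""

# Destination prefix follows "->", the interface name sits inside "dev=N(...)".
ROUTE_RE = re.compile(
    r"->(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\s.*dev=\d+\((?P<dev>[^)]+)\)"
)


def pool_to_prefixes(first, last):
    """Return the minimal CIDR blocks covering the inclusive range first..last,
    which is how the kernel represents an SSL VPN source IP pool range."""
    return list(
        ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    )


def parse_ssl_routes(text, dev="ssl.root"):
    """Extract destination prefixes of kernel routes that point at `dev`."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m and m.group("dev") == dev:
            routes.append(ipaddress.ip_network(m.group("dst")))
    return routes


def audit_routes(routes, pools):
    """Compare kernel routes with the pools an administrator expects.

    pools is a list of (first, last) address tuples (assumed format).
    Returns (missing, unexpected): prefixes the pools require but the kernel
    lacks, and kernel prefixes that no configured pool explains."""
    expected = set()
    for first, last in pools:
        expected.update(pool_to_prefixes(first, last))
    actual = set(routes)
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    # Example 1: the default pool alone.
    for prefix in pool_to_prefixes("10.212.134.200", "10.212.134.210"):
        print("pool prefix:", prefix)

    # Example 2: the kernel also carries 1.1.1.1/32, which no expected pool covers.
    routes = parse_ssl_routes(KERNEL_ROUTES)
    missing, unexpected = audit_routes(
        routes, [("10.212.134.200", "10.212.134.210")]
    )
    print("missing routes:", [str(p) for p in missing])
    print("unexpected ssl.root routes:", [str(p) for p in unexpected])
```

Running the script prints the three prefixes from Example 1 and flags 1.1.1.1/32 as an ssl.root route that the expected pool does not account for, which is the kind of check worth running after any portal change, since every address placed in the pool is routed to ssl.root regardless of whether it belongs to the intended client range.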