I have multiple dial-in VPN tunnels for remote users. They were set up with independent IP pools that don't overlap, so that users get a local IP when connected. It's approximately some /26 ranges inside some unused /24s. I'm wondering if we've made things more complicated than they need to be. Can the multiple VPNs just share one larger IP pool and be smart enough not to assign an IP already in use by another tunnel?
The multiple tunnels are set up for redundancy and increased bandwidth rather than different access needs. Since we're not 100% in control of which tunnel the remote users end up on, we see that some tunnels will exhaust their IP space while others are sitting relatively unused. If the user dialing in is using a profile that has multiple VPN gateways in it, FortiClient doesn't consistently fall back to the next address after a failure, and there isn't much useful feedback in the UI, so the user doesn't know to try a different profile with a different set of gateways.
One suggestion brought up was to expand the IP pools of each tunnel to be larger than the possible number of remote workers, so that even if everyone piled onto one connection there would be no problem. The IP space already allocated is larger than the number of remote people; it's just not being used efficiently.
So, does anyone know if a FortiGate on 6.2.x can be given the same range of IPs on multiple dial-in VPNs and be trusted not to assign the same IP to different users on different dial-ins?
I double-checked the config and it looks like the VPNs in question aren't actually using DHCP, but I guess I could set a DHCP relay to an internal server.
The config of one of the phase1s looks like the below:
config vpn ipsec phase1-interface
    set type dynamic
    set interface "port1"
    set local-gw XXXXXXXX
    set peertype any
    set net-device disable
    set mode-cfg enable
    set proposal XXXXXXXX
    set comments "XXXXXXXX"
    set xauthtype auto
    set authusrgrp "XXXXXXXX"
    set idle-timeout enable
    set idle-timeoutinterval XXXXXXXX
    set ipv4-start-ip X.X.X.2
    set ipv4-end-ip X.X.X.99
    set dns-mode auto
The ipv4-start-ip and ipv4-end-ip appear to be what determine the IP range to assign to devices connecting. Each tunnel has different ranges there. I guess my question is what happens if you put the same range of IPs for multiple tunnels. Does the firewall complain about IP overlaps? Does it keep track of which ones are already assigned and only hand out free IPs? Does it hand out duplicates to users and then everything breaks?
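Whatever the firewall does with identical ranges, the first thing worth knowing is which of the existing phase1 pools actually overlap and how much address space each one gives a single tunnel. The script below is an added example, not the poster's configuration or any Fortinet tooling: it parses the `set ipv4-start-ip` / `set ipv4-end-ip` lines out of a `config vpn ipsec phase1-interface` dump, reports every pair of tunnels whose mode-cfg pools intersect, and compares the smallest pool against the remote-user headcount (the "everyone piles onto one tunnel" case). The tunnel names and 10.20.x.x ranges in `SAMPLE_CONFIG` are constructed for the example.

```python
import re
import ipaddress
from itertools import combinations

# Constructed sample: three dial-up phase1-interface entries in FortiOS CLI form.
# Names and address ranges are invented; "dialup-a" and "dialup-b" deliberately overlap.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "dialup-a"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-start-ip 10.20.1.2
        set ipv4-end-ip 10.20.1.99
    next
    edit "dialup-b"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-start-ip 10.20.1.50
        set ipv4-end-ip 10.20.1.120
    next
    edit "dialup-c"
        set type dynamic
        set mode-cfg enable
        set ipv4-start-ip 10.20.2.2
        set ipv4-end-ip 10.20.2.65
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"([^"]+)"$')
POOL_RE = re.compile(r'^set ipv4-(start|end)-ip (\S+)$')


def parse_pools(config_text):
    """Return {tunnel_name: (start_ip, end_ip)} for each phase1 entry with a full pool."""
    pools = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = POOL_RE.match(line)
        if m:
            bounds = pools.setdefault(current, [None, None])
            bounds[0 if m.group(1) == "start" else 1] = ipaddress.IPv4Address(m.group(2))
    return {name: (s, e) for name, (s, e) in pools.items() if s is not None and e is not None}


def pool_size(start, end):
    """Number of assignable addresses in an inclusive start..end range."""
    return int(end) - int(start) + 1


def overlapping_pools(pools):
    """List (tunnel_a, tunnel_b, first_shared_ip, last_shared_ip) for every intersecting pair."""
    found = []
    for (a, (sa, ea)), (b, (sb, eb)) in combinations(sorted(pools.items()), 2):
        lo, hi = max(sa, sb), min(ea, eb)
        if lo <= hi:
            found.append((a, b, str(lo), str(hi)))
    return found


def capacity_report(pools, remote_users):
    """Total addresses across all pools, and whether the smallest pool alone fits every user."""
    sizes = {name: pool_size(s, e) for name, (s, e) in pools.items()}
    smallest = min(sizes.values())
    return {
        "per_tunnel": sizes,
        "total_addresses": sum(sizes.values()),
        "smallest_pool": smallest,
        "any_single_pool_fits_all": smallest >= remote_users,
    }


if __name__ == "__main__":
    pools = parse_pools(SAMPLE_CONFIG)
    for a, b, lo, hi in overlapping_pools(pools):
        print(f"OVERLAP: {a} and {b} both hand out {lo} - {hi}")
    print(capacity_report(pools, remote_users=80))
```

Run it against the output of `show vpn ipsec phase1-interface` instead of the sample; any pair printed as OVERLAP is a tunnel pair that could hand the same address to two users unless the firewall coordinates assignments across tunnels, which is exactly the behaviour the question asks about.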