Fortinet Forum
JimFrantz36DC
New Contributor

Share IP range between SSL VPN and L2TP IPSEC VPN

Just wondering if someone can answer this definitively. Can I "share" an address range between an ssl vpn and an ipsec vpn?

 

The current setup is an SSL VPN, Source IP Pool x.y.z.1-254 and using the "Automatically assign addresses" option so that the entire 1-254 range is used for clients connecting.  Rarely more than a few dozen simultaneous clients so the size of the range is irrelevant.

The plan is to:

1. Specify a custom IP range for the SSL VPN x.y.z.1-127.
2. Then create IPSEC VPN and client address range of IP x.y.z.128-254.

The reason for this is that extensive internal layer 2 ACLs, manual routes, and server firewall rules all have the x.y.z.0/24 segment already defined. Trying to use a different range for the L2TP IPSEC clients would mean extensive updates to many switch stacks and dozens of servers' local FW settings.

The Powers That Be are concerned that "sharing" that range would cause problems with one or the other.

  • 1 Solution
    isamt
    Contributor

    Yes, you can share a range between SSL and IPsec VPN.

    I have this configured in my environment for several VPN gateway FortiGates.

    As long as you don't overlap the addresses, no problem.

    The FortiGate manages the routing back to each client and knows where the client is, either IPsec or SSL.
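
An added example, not part of the original thread and not Fortinet tooling: a pre-change check that the planned pools are disjoint and stay inside the segment the existing ACLs and routes reference. The segment 10.99.0.0/24 and the pool names are constructed stand-ins for the post's x.y.z.0/24.

```python
import ipaddress
from itertools import combinations

def parse_pool(start, end):
    """Return (first, last) as IPv4Address, rejecting reversed ranges."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"range {start}-{end} is reversed")
    return first, last

def audit_pools(segment, pools):
    """Check VPN client pools against the segment the existing ACLs cover.

    Returns a list of findings; an empty list means the pools are disjoint,
    inside the segment, and avoid its network and broadcast addresses
    (the post's 1-254 numbering already avoids both).
    """
    net = ipaddress.IPv4Network(segment)
    parsed = {name: parse_pool(*rng) for name, rng in pools.items()}
    findings = []
    for name, (first, last) in parsed.items():
        if first not in net or last not in net:
            findings.append(f"{name}: extends outside {net}")
        elif first == net.network_address or last == net.broadcast_address:
            findings.append(f"{name}: includes network or broadcast address")
    # Two inclusive ranges overlap when max(starts) <= min(ends).
    for (a, (a1, a2)), (b, (b1, b2)) in combinations(parsed.items(), 2):
        lo, hi = max(a1, b1), min(a2, b2)
        if lo <= hi:
            findings.append(f"{a} and {b}: overlap {lo}-{hi}")
    return findings

# Constructed sample: 10.99.0.0/24 stands in for the post's x.y.z.0/24.
SEGMENT = "10.99.0.0/24"
PLANNED = {
    "ssl-vpn": ("10.99.0.1", "10.99.0.127"),
    "l2tp-ipsec": ("10.99.0.128", "10.99.0.254"),
}
# A mistaken split where the boundary address is handed to both pools.
MISTAKE = {
    "ssl-vpn": ("10.99.0.1", "10.99.0.128"),
    "l2tp-ipsec": ("10.99.0.128", "10.99.0.255"),
}

if __name__ == "__main__":
    for label, pools in (("planned", PLANNED), ("mistake", MISTAKE)):
        print(label, audit_pools(SEGMENT, pools) or "OK")
```
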


    isamt

    IPsec Setting:

     

    SSL Setting: