The following article is Internal Only. Please do not share links with non-Fortinet employees, as they cannot view the content.
vpolovnikov
Staff & Editor
Article Id 426682
Description This article describes a workaround for VPN connection failures caused by frequent public IP address changes when a client is on a mobile network.
Scope FortiGate, FortiClient.
Solution

Most mobile networks do not assign a unique public IP address to each device. Instead, they place millions of devices behind shared carrier-grade NAT (CGNAT) pools.

This means the public IP address seen by the FortiGate can change:

  • When the device hands over to a different radio tower.
  • When moving between cells.
  • During idle/active transitions.
  • During NAT table rotations on the carrier side.

These changes can happen every few minutes, sometimes even within seconds, while the VPN session is still in use.


SSL VPN

By default, the FortiGate binds an SSL VPN session to the source IP address it was authenticated from and rejects requests for that session that arrive from a different address. If a change of the mobile device's public IP address causes the SSL VPN session to fail, disable that check with the following commands on the FortiGate:

config vpn ssl settings
    set auth-session-check-source-ip disable
end

It is critical to understand the security implication of disabling this check: the session is then identified by its cookie alone, so a stolen or leaked session cookie can be replayed from any address (session hijacking). Apply this change only where the trade-off is acceptable, and consider reverting it once the affected users no longer need it.
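The following FortiGate CLI sequence is an added example, not part of the original article: it reads the current value of the setting, applies the workaround, confirms it, and lists the active SSL VPN sessions so the source address each one is bound to can be reviewed. The exact column layout of the session listing varies between FortiOS releases.

```fortios
# Added example (not from the original article).
# 1. Check the current value of the check (the default is enable).
show full-configuration vpn ssl settings | grep auth-session-check-source-ip

# 2. Stop tying SSL VPN sessions to the source IP they authenticated from.
config vpn ssl settings
    set auth-session-check-source-ip disable
end

# 3. Confirm the change took effect.
show full-configuration vpn ssl settings | grep auth-session-check-source-ip

# 4. List active SSL VPN sessions with the user and source address of each.
get vpn ssl monitor

# 5. Revert once the workaround is no longer needed.
config vpn ssl settings
    set auth-session-check-source-ip enable
end
```

Because the check is global to the SSL VPN service, step 2 affects every SSL VPN user, not only those on mobile networks; there is no per-user or per-portal variant of this setting in the commands above.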


Note:
Starting from FortiGate v7.6.4, SSL VPN tunnel mode is no longer supported, so the workaround above applies only to earlier releases.


IPsec

There is no equivalent setting for IPsec: an IKE security association is bound to the peer's address, so when the client's public IP address changes the tunnel has to be re-established. Other methods are available, however, to reduce the impact of frequent IP address changes on mobile networks.

Two features that improve the user experience are session resumption, which is available with IKEv2 and configured on the FortiGate (refer to this article: Troubleshooting Tip: Bulletproofing SSL and IPsec Dial-Up VPN Connections), and the Always-Up option in the Remote Access endpoint profile on FortiClient EMS, which makes FortiClient reconnect automatically whenever the tunnel drops.


Related document:

Save password, auto connect, and always up | FortiClient 7.4.5 | Fortinet Document Library