We have a first VPN that is working perfectly. I need to create a second VPN on our 100D for another group of users requesting access to a different subnet. My understanding tells me this second VPN should be listening to a different IP or port than our first VPN. If I am right, then how can I create a second VPN listening to either a secondary IP on wan1 or another port?
For the port, I think I would have to change the port on the IP Pools linked to the VPN but on the 100D is seems impossible to have a second IP Pool. And I can't find how to configure a VPN to a second IP of wan1. We do not use VDOMs in case this could change something.
Thanks,
Bernard
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I assume that you are talking about vpn from end users using Forticlient.
There are two ways to achieve it:
a) In the current vpn phase 1 set the option accept this peer id (enter something like group1)
b) Create second vpn and similarly set the phase1 option accept this peer id ( like group2)
Now in Forticlient for user in group 1 set the local id as (group 1) and similary for group 2 user set it as (group2)
You will have to use our vpn editor tool (avialbel in our support download site under forticlient tools)
This way the Fortigate can distinguish between vpn client connections based on the id sent by them and you can accrodingly set the access/pools.
Second method:
If you really want to use a second ip (or if you can't change the local id in clients) then you have to enter one of the available ip in phase1 under Local Gateway IP (selcet the specify radio button) and enter the public ip which you want to use for second vpn)
Hope this helps.
To ashukla_FTNT,
This would be for IPsec VPN. What about SSL VPN? I would prefer to use SSL VPN. Is it possible to fulfill the requirements with SSL VPN?
Thanks,
Do you mean sslvpn clients that should be in different groups accessing different subnets ?
Yes that is possible , you can use a portal for each group and different firewall policys depending on the requirements.
I thought so but it does not work.
Hello
Maybe i am misunderstanding you request here.
This setup is what i have in mind:
Two address objects for SSLVPN clients virtual IP
SSLClient_Pool1: 10.10.10.0/24
SSLClient_Pool2: 10.20.20.0/24
Two portals, one for each group:
SSLPortal1 in this group i map SSLClient_Pool1 to IP Pools
SSLPortal2 in this group i map SSLClient_Pool2 to IP Pools
I create two groups called
SSLClient_Group1
SSLClient_Group2
I add a testuser to each group.
Then i would create an firewall policy for sslvpn.
Source interface wan1 (or your external interface name)
Destination interface internal (or your internal interface name)
If you have a newer version of FortiOS then you should select VPN / SSL as a firewall policy.
So if you have different interfaces on the inside that each group should be able to access you need two firewall policys.
Under authentication rules you can add each group and map them to the corresponding portal.
Also, if you are using tunnel mode then you need to add routes with the ssltunnel as interface and then the SSL VPN clients
virtual IP subnets.
You also need firewall policys that has ssltunnel interface as source and internal interface as destination.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.