Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bernard
New Contributor

2 VPNs on 100D

We have a first VPN that is working perfectly.  I need to create a second VPN on our 100D for another group of users requesting access to a different subnet.  My understanding tells me this second VPN should be listening to a different IP or port than our first VPN.  If I am right, then how can I create a second VPN listening to either a secondary IP on wan1 or another port?

 

For the port, I think I would have to change the port on the IP Pools linked to the VPN but on the 100D is seems impossible to have a second IP Pool.  And I can't find how to configure a VPN to a second IP of wan1.  We do not use VDOMs in case this could change something.

 

Thanks,

Bernard

 

5 REPLIES 5
ashukla_FTNT
Staff
Staff

I assume that you are talking about vpn from end users using Forticlient.

There are two ways to achieve it:

 

a) In the current vpn phase 1 set the option accept this peer id (enter something like group1)

b) Create second vpn and similarly set the phase1 option accept this peer id ( like group2)

 

Now in Forticlient for user in group 1 set the local id as (group 1) and similary for group 2 user set it as (group2)

You will have to use our vpn editor tool (avialbel in our support download site under forticlient tools)

 

This way the Fortigate can distinguish between vpn client connections based on the id sent by them and you can accrodingly set the access/pools. 

 

Second method:

If you really want to use a second ip (or if you can't change the local id in clients) then you have to enter one of the available ip in phase1 under Local Gateway IP (selcet the specify radio button) and enter the public ip which you want to use for second vpn)

 

Hope this helps.

bernard
New Contributor

To ashukla_FTNT, 

This would be for IPsec VPN.  What about SSL VPN?  I would prefer to use SSL VPN.  Is it possible to fulfill the requirements with SSL VPN?

 

Thanks,

 

rickards
New Contributor

Do you mean sslvpn clients that should be in different groups accessing different subnets ?

Yes that is possible , you can use a portal for each group and different firewall policys depending on the requirements.

bernard
New Contributor

To rickards, 

 

I thought so but it does not work.

 

rickards
New Contributor

Hello

 

Maybe i am misunderstanding you request here.

 

This setup is what i have in mind:

 

Two address objects for SSLVPN clients virtual IP

SSLClient_Pool1: 10.10.10.0/24

SSLClient_Pool2: 10.20.20.0/24

 

Two portals, one for each group:

SSLPortal1 in this group i map SSLClient_Pool1 to IP Pools

SSLPortal2 in this group i map SSLClient_Pool2 to IP Pools

 

I create two groups called

SSLClient_Group1

SSLClient_Group2

 

I add a testuser to each group.

 

Then i would create an firewall policy for sslvpn.

 

Source interface wan1 (or your external interface name)

Destination interface internal (or your internal interface name)

 

If you have a newer version of FortiOS then you should select VPN / SSL as a firewall policy.

 

So if you have different interfaces on the inside that each group should be able to access you need two firewall policys.

 

Under authentication rules you can add each group and map them to the corresponding portal.

 

Also, if you are using tunnel mode then you need to add routes with the ssltunnel as interface and then the SSL VPN clients

virtual IP subnets.

 

You also need firewall policys that has ssltunnel interface as source and internal interface as destination.

 

 

 

 

Top Kudoed Authors