Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jcm
New Contributor

Adding additional IP and Gateway under Fortinet SSL VPN

hello,

When I connect to our FortiClient VPN and navigate to the Fortinet SSL VPN Virtual Ethernet Adapter settings, I observe the default configuration upon establishing the connection as below:
Under General tab, IP Address: 10.212.134.201 and Gateway: 255.255.255.255. For the DNS is 8.8.8.8 and 8.8.4.4. This basically enables us to connect to our office environment and all the network resources.

Next, what i have done is made some changes under the Advance tab, i have added another IP: 192.168.0.33 and also a gateway: 192.168.0.1. Having added this did not disturb my internet access or to our local network resources through VPN. In fact, after disconnecting from VPN the settings i have added earlier will disappear and return to it's default settings under the advance tab.

So, my question is having added this extra info under the advance tab will it in anyway be an issue or create some form of security issue? By the way our office environment is in the 192.168.x.x range.

Maybe you could help and provide some details on this. Thanks.


Tally_VPN.png

7 REPLIES 7
Toshi_Esumi
Esteemed Contributor III

10.212.134.201/32 was assigned by the FGT and sent down to the client with those DNS IPs: 8.8.8.8/8.8.4.4. You can confirm that in the FGT SSL VPN configuration if you're managing it.

Adding an secondary IP 192.168.0.33/24 on the dynamic VPN interface on the client (windows) machine side is fine because it won't remove the primary/assigned IP, but adding GW 192.168.0.1 wouldn't do anything good. Because the GW side of this interface is the FGT only unlike LAN interfaces so it has to be configured on "ssl.root" interface to make it even reachable.
It's a dynamic interface so when the VPN goes down the additional manual configuration would be gone.

 

Why do you want/need to configure those, which wouldn't do anything?

 

Toshi
 

jcm

Hi, i was just trying out to see what works. The reason for doing this because we are using an application that does not work over VPN, the vendor informed us that in order for this app to work over VPN it has to be in the same subnet due to some licensing issue.

So, it was just basically a trial and error thing to see if the app works but having done the changes as above the app works. I will try to remove the GW and see if it still works. Thanks for the update.

Toshi_Esumi
Esteemed Contributor III

It probably won't work in any way you modified. VPN end points wouldn't be a part of a LAN subnet on the FGT.

 

Toshi

jcm

Well the app worked with the additional IP and subnet mask added. Thanks anyways.

hbac

Hi @jcm,

 

You can simply enable NAT on the firewall policy and the application server will see traffic coming from the FortiGates interface IP which is in the same subnet. 

 

Regards, 

pminarik
Staff
Staff

Windows certainly won't block you from adding an arbitrary IP on the virtual VPN interface.
Where you will hit a wall is the FortiGate. It does not know that this IP is currently "owned" by your VPN client (routing table won't point 192.168.x.y to your VPN client), so it will not know where to route reply traffic to, and it will be lost/dropped. (assuming the incoming packet from the client is accepted at all, which I'm not too sure about)

[ corrections always welcome ]
alisoncarl
New Contributor

Adding additional IP and Gateway under Fortinet SSL VPN's Advanced tab for local network access is generally safe. However, verify compatibility with your office network's IP range (192.168.x.x) to avoid conflicts. Regularly review security policies for best practices. Running Fred

Top Kudoed Authors