shiftyoliver
New Contributor

Help understanding VPN

Hello, I'm trying to learn the concept of VPNs and there are some aspects of VPNs I'm not sure about. When I configure a remote access VPN, I configure the following client range: 192.168.3.10-192.168.3.40.

 

When the client connects and I do a route print, the VPN interface on its end is assigned an IP of 192.168.3.10 as expected, but the gateway is showing 192.168.3.11. What is getting this 192.168.3.11 address? I don't have any IP manually assigned to the tunnel interface on the firewall's end, and I understand that you don't need an IP address anyways for the tunnel to work since it's a point-to-point connection.

The VPN tunnel interface is called GT. When I check the status connection, there is an IPsec tunnel called GT_0. What is the difference between the VPN tunnel interface and the IPsec tunnel? I assume it's the IPsec tunnel that is assigned the address of 192.168.3.11. The weird thing is I can't ping this address. What is this address used for?

Anonymous
Not applicable

Hello @shiftyoliver,

 

Thanks for reaching Fortinet Community. Whenever you create a remote access VPN such as dial-up IPsec VPN or SSL-VPN, the client uses the N+1th IP as the gateway IP on the client end (considering N as the tunnel IP of the client). It is just by design. You can verify this: when you connect a second client to the tunnel, the client should show the tunnel IP as 192.168.3.11 and the gateway would be the next possible IP, 192.168.3.12.

Coming to the second question, GT is the general tunnel name that is given. As the IPsec is dial-up, as the clients connect a virtual interface is created with a suffix (index) of the possible number of clients, like GT_0, GT_1, GT_2, etc.

 

Hope this helps.

 

Thanks and regards,

sw2090
Honored Contributor

Caveat: there is one bug in FortiOS: on dial-up VPNs, FOS does not subtract the digits used for the suffix from the maximum name length of your tunnel. Since FOS supports 1000 concurrent connections, the suffix takes up to 5 digits (_xxxx). Due to that, you have to make sure that you choose a tunnel name that leaves enough space for the suffix in order not to run into issues.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams