Support Forum
Akmostafa
New Contributor II

IPSEC vpn with local gateway option

Dear friends,

Regarding the KBs below:

I understand that to use an IP address other than the primary IP address configured on the exit interface of the tunnel, the IP address should be configured as a secondary IP address on that interface.

Technical Tip: How to configure IPsec VPN settings... - Fortinet Community

https://docs.fortinet.com/document/fortigate/6.4.9/fortios-release-notes/230510/changes-in-default-b....

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fix-issues-with-IPsec-tunnels-configured-w...

Why does the "specify" option still exist as a way to configure the local gateway IP address of the IPsec tunnel?

I tested the "specify" option and the tunnel did not come up until I configured my IP as a secondary IP.

So in what cases should I use the "specify" option? Should it be an IP address that is configured on another interface?


1 Solution
v_ceban
Staff

There is no difference in the CLI.
Both options do the same thing; they configure the local gw IP. The GUI is just giving you the option to enter your IP manually or select it from the secondary IP list.

Vladislav Ceban


2 REPLIES
ede_pfau
Esteemed Contributor III

Say, you have configured 2 public addresses on your WAN port, one regular and one as a secondary address. By specifying the secondary as "local gateway" in one of your ipsec phase1 setups, you make the ipsec process listen to that address (and eventually process the tunnel creation).

Without "local gateway", you specify "wan" as the external port in your phase1, but FortiOS will only serve IKE requests on the "wan" address - not any secondary. So this goes hand in hand if using multiple addresses on a port.


Of course, you can terminate multiple VPNs on the "wan" port on multiple public addresses this way, if you need to.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
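As an added illustration of both answers above (constructed here, not configuration from the thread or from Fortinet), this is what the FortiOS CLI ends up with when a tunnel is terminated on a secondary WAN address: the secondary IP on the interface, and a phase1 whose `local-gw` points at it. Interface name, tunnel name and all addresses are placeholders.

```fortios
# Constructed example. 203.0.113.10 is the primary address of wan1,
# 203.0.113.11 the secondary address the tunnel should terminate on.
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.11 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# Phase1 bound to the secondary address. Whether the GUI field was filled
# via "Specify" or picked from the secondary-IP list, the resulting CLI
# line is the same "set local-gw". Without it, IKE is only served on the
# primary address 203.0.113.10, which is why the tunnel in the question
# stayed down until the chosen IP existed as a secondary on wan1.
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan1"
        set ike-version 2
        set local-gw 203.0.113.11
        set remote-gw 198.51.100.20
        set proposal aes256-sha256
        set psksecret <PSK-placeholder>
    next
end
```

Once the tunnel is negotiating, `diagnose vpn ike gateway list` shows the local and remote gateway addresses the IKE daemon is actually using, which is the quickest way to confirm the secondary address was picked up.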