I have multiple dial-in VPN tunnels for remote users. They were set up with independent IP pools that don't overlap, so users get a local IP when connected. It's approximately some /26 ranges inside some unused /24s. I'm wondering if we've made things more complicated than they need to be. Can the multiple VPNs just share one larger IP pool and be smart enough not to assign an IP already in use by another tunnel?
The multiple tunnels are set up for redundancy and increased bandwidth rather than different access needs. Since we're not 100% in control of which tunnel the remote users end up on, we see that some tunnels will exhaust their IP space while others are sitting relatively unused. If the user dialing in is using a profile that has multiple VPN gateways in it, the FortiClient doesn't consistently fall back to the next address after a failure, and there isn't much useful feedback in the UI, so the user doesn't know to try a different profile with a different set of gateways.
One suggestion brought up was to expand the IP pools of each tunnel to be larger than the possible number of remote workers, so that even if everyone piled onto one connection, there would be no problem. The IP space already allocated is larger than the number of remote people; it's just not being used efficiently.
So, does anyone know if a FortiGate on 6.2.x can be given the same range of IPs on multiple dial-in VPNs and be trusted not to assign the same IP to different users on different dial-ins?