I have multiple dial-in VPN tunnels for remote users. They were set up with independent IP pools that don't overlap so users get a local IP when connected. It's approximately some /26 ranges inside some unused /24s. I'm wondering if we've made things more complicated than they need to be. Can the multiple VPNs just share one larger IP pool and be smart enough not to assign an IP already in use by another tunnel?
The multiple tunnels are set up for redundancy and increased bandwidth rather than different access needs. Since we're not 100% in control of which tunnel the remote users end up on, we see that some tunnels will exhaust their IP space while others are sitting relatively unused. If the user dialing in is using a profile that has multiple VPN gateways in it, FortiClient doesn't consistently fall back to the next address after a failure, and there isn't much useful feedback in the UI, so the user doesn't know to try a different profile with a different set of gateways.
One suggestion brought up was to expand the IP pools of each tunnel to be larger than the possible number of remote workers so that even if everyone piled onto one connection, there would be no problem. The IP space already allocated is larger than the number of remote people; it's just not being used efficiently.
So, does anyone know if a FortiGate on 6.2.x can be given the same range of IPs on multiple dial-in VPNs and be trusted not to assign the same IP to different users on different dial-ins?
CISSP, NSE4
I don't think it's possible because...
DHCP server can be configured per "interface". Those two VPNs are separate interfaces. DHCP server config doesn't allow "any" for the interface setting or multiple interfaces.
Then I thought it might be possible if we could put VPNs into a soft-switch. But when I tried to test it, I couldn't see VPN interfaces as member options of a soft-switch; instead it showed the below:
FortiGate-40F (test-switch) # set member ?
*interface-name Physical interface name
I double-checked the config and it looks like the VPNs in question aren't actually using DHCP, but I guess I could set a DHCP relay to an internal server.

The config of one of the phase1s looks like the below:

config vpn ipsec phase1-interface
    edit "XXXXXXXX"
        set type dynamic
        set interface "port1"
        set local-gw XXXXXXXX
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal XXXXXXXX
        set comments "XXXXXXXX"
        set xauthtype auto
        set authusrgrp "XXXXXXXX"
        set idle-timeout enable
        set idle-timeoutinterval XXXXXXXX
        set ipv4-start-ip X.X.X.2
        set ipv4-end-ip X.X.X.99
        set dns-mode auto
The ipv4-start-ip and ipv4-end-ip appear to be what determine the IP range assigned to connecting devices. Each tunnel has different ranges there. I guess my question is what happens if you put the same range of IPs on multiple tunnels. Does the firewall complain about IP overlaps? Does it keep track of which ones are already assigned and only hand out free IPs? Does it hand out duplicates to users and then everything breaks?
CISSP, NSE4
First of all, doesn't it actually accept overlapped config? I would expect it errors out when you try.
I have multiple remote/client VPN tunnels with the same Client Address Range, so it gives no error when setting up.
But it seems this can be an issue, as multiple VPN clients then have the same client IP.
FortiGate seems to only track IP used for the same VPN tunnel.
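Since the reply above says the FortiGate accepts overlapping client pools without complaint and only tracks assignments per tunnel, the practical check is to audit the phase1-interface config yourself before anyone dials in. The script below is an added example and not code from this thread or from Fortinet: it parses the flattened `config vpn ipsec phase1-interface` text as posted earlier, keeps only the dynamic mode-cfg tunnels that carry an `ipv4-start-ip`/`ipv4-end-ip` pair, and reports every pair of tunnels whose pools share addresses. The tunnel names and 10.200.x.x addresses in `SAMPLE_CONFIG` are constructed for the example.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample config: three dial-up (type dynamic, mode-cfg enable) phase1
# interfaces plus one static site-to-site tunnel that has no client pool.
# VPN-A and VPN-C have been given overlapping pools on purpose, which is the
# situation the thread is asking about. All names and addresses are made up.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "VPN-A"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-start-ip 10.200.1.2
        set ipv4-end-ip 10.200.1.99
    next
    edit "VPN-B"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-start-ip 10.200.2.2
        set ipv4-end-ip 10.200.2.99
    next
    edit "VPN-C"
        set type dynamic
        set interface "port2"
        set mode-cfg enable
        set ipv4-start-ip 10.200.1.50
        set ipv4-end-ip 10.200.1.120
    next
    edit "SITE-TO-SITE"
        set type static
        set interface "port1"
        set remote-gw 203.0.113.10
    next
end
"""


def parse_mode_cfg_pools(config_text):
    """Return {tunnel_name: (start_int, end_int)} for every phase1-interface
    entry that has mode-cfg enabled and an ipv4-start-ip/ipv4-end-ip pair.
    Addresses are kept as integers so range arithmetic is trivial."""
    pools = {}
    current, fields = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current, fields = m.group(1), {}
            continue
        m = re.match(r'set (\S+) (.+)$', line)
        if m and current is not None:
            fields[m.group(1)] = m.group(2).strip('"')
            continue
        if line == "next" and current is not None:
            if (fields.get("mode-cfg") == "enable"
                    and "ipv4-start-ip" in fields and "ipv4-end-ip" in fields):
                start = int(ipaddress.IPv4Address(fields["ipv4-start-ip"]))
                end = int(ipaddress.IPv4Address(fields["ipv4-end-ip"]))
                if start > end:
                    raise ValueError(f"{current}: ipv4-start-ip is above ipv4-end-ip")
                pools[current] = (start, end)
            current, fields = None, {}
    return pools


def find_overlaps(pools):
    """List (tunnel_a, tunnel_b, first_shared_ip, last_shared_ip) for every
    pair of tunnels whose client pools share at least one address."""
    overlaps = []
    for (a, (a0, a1)), (b, (b0, b1)) in combinations(sorted(pools.items()), 2):
        lo, hi = max(a0, b0), min(a1, b1)
        if lo <= hi:  # non-empty intersection: both tunnels may hand out these IPs
            overlaps.append((a, b, str(ipaddress.IPv4Address(lo)),
                             str(ipaddress.IPv4Address(hi))))
    return overlaps


def pool_size(pools, name):
    """Number of client addresses a tunnel can hand out (inclusive range)."""
    start, end = pools[name]
    return end - start + 1


if __name__ == "__main__":
    pools = parse_mode_cfg_pools(SAMPLE_CONFIG)
    for name in sorted(pools):
        print(f"{name}: {pool_size(pools, name)} client addresses")
    for a, b, lo, hi in find_overlaps(pools):
        print(f"OVERLAP: {a} and {b} can both assign {lo}-{hi}")
```

Run it against the output of `show vpn ipsec phase1-interface` saved to a file (replace `SAMPLE_CONFIG` with the file contents); an empty overlap list means no two dial-up tunnels can hand the same client address to two different users, and the per-tunnel sizes tell you whether each pool on its own is larger than the worst-case number of users that could land on it.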
Copyright 2024 Fortinet, Inc. All Rights Reserved.