
Remote User VPN over a Virtual IP

Wondering if it is possible to set up a remote user and/or site-to-site VPN on a virtual IP residing on my WAN. When I create a VIP on my WAN it wants a mapped IP address/range and does not give me the option to create a range. Wondering if there is a documented example of this already that I am missing or if anyone has any guidance.




Hmmm, don't know if I understand you correctly.

A VIP would exchange the destination address of incoming traffic to that of an (internal) host. Whereas VPN traffic is directed to the FGT itself.

So, yes, you can set up a VIP to direct VPN traffic (with NAT-T only: udp/500 and udp/4500) to some internal VPN gateway - but not to the border FGT itself. For example, if you install a second FGT as VPN gateway on your DMZ port, that would work.


But it eludes me why you would want to do so...

Ede Kernel panic: Aiee, killing interrupt handler!

Basically I want to set up a VPN for my users to use, but to have that be a different global IP. For example, my public IP is XX.XX.52.170 and I want the VPN address to be XX.XX.52.172, another IP in my range, so then I can set up a domain vpn.(businessname).com to use as our VPN, versus having users have to use our main IP address. So I was hoping I could set something like that up using a VIP, but I was not sure how to set up a VPN on a virtual WAN IP.


In the newer versions of FortiOS, you can select the main gateway IP for a VPN termination point or use another IP in that subnet. When you are creating the interface-based VPN, check out all the options.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:

Bob - self proclaimed posting junkie!See my Fortigate related scripts at:

Instead of using a VIP you can configure a secondary IP on the WAN interface. You then specify it in the "local GW addr" in phase1 (CLI). This does work.

Ede Kernel panic: Aiee, killing interrupt handler!
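
The secondary-IP approach from the reply above, sketched as FortiOS CLI. This is an added example, not part of the original posts. It assumes the WAN port is named "wan1", that an interface-based phase1 named "remote-users" already exists, and it uses constructed addresses from the 203.0.113.0/24 documentation range in place of the masked XX.XX.52.x values.

```fortios
# Assumed names: "wan1", "remote-users". Constructed address and netmask;
# substitute the spare public IP and the mask of your own WAN range.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.172 255.255.255.248
            next
        end
    next
end

# Bind the existing phase1 to the secondary address instead of the
# primary interface IP.
config vpn ipsec phase1-interface
    edit "remote-users"
        set interface "wan1"
        set local-gw 203.0.113.172
    next
end

# After a client connects, confirm which local address IKE is using:
# diagnose vpn ike gateway list
```

The DNS record for the VPN hostname then points at the secondary address, so clients never need the primary WAN IP.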
