Share IP range between SSL VPN and LT2P IPSEC VPN

JimFrantz36DC · ‎02-28-2020

Just wondering if someone can answer this definitively. Can I "share" an address range between an ssl vpn and an ipsec vpn?

The current setup is an SSL VPN, Source IP Pool x.y.z.1-254 and using the "Automatically assign addresses" option so that the entire 1-254 range is used for clients connecting. Rarely more than a few dozen simultaneous clients so the size of the range is irrelevant.

The plan is to:

[ol]

Specify a custom IP range for the SSL VPN x.y.z.1-127.

Then create IPSEC VPN and client address range of IP x.y.z.128-254.[/ol]

The reason for this is that extensive internal layer 2 ACLs, manual routes, and server firewall rules all have the x.y.z.0/24 segment already defined. Trying to use a different range for the LT2P IPSEC clients would mean extensive updates to many switch stacks and dozens of server's local FW settings.

The Powers That Be are concerned that "sharing" that range would cause problems with one or the other.

isamt · ‎03-01-2020

Yes you can share range between SSL and IPsec Vpn

I have this configured in my environment for several Vpn gateway Fortigates.

As long as you don't overlapped the addresses no problem.

The Fortigate manages the routing back to each client and knows where the client is either IPsec or SSL

View solution in original post

isamt · ‎03-01-2020

Yes you can share range between SSL and IPsec Vpn

I have this configured in my environment for several Vpn gateway Fortigates.

As long as you don't overlapped the addresses no problem.

The Fortigate manages the routing back to each client and knows where the client is either IPsec or SSL

isamt · ‎03-01-2020

IPsec Setting:

SSL Setting:

Share IP range between SSL VPN and LT2P IPSEC VPN

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website