Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
luckysantiago
New Contributor

Use of secondary wan ip on ipsec vpn

Scenario:

WAN IP: 1.1.1.1 (assuming 1.1.1.1 is a public IP)

I have 1.1.1.2 as another public IP (same subnet as the WAN) that is whitelisted on the remote gateway of my client's IPsec VPN.

How can I use 1.1.1.2 as the outgoing IP address going to the IPsec tunnel instead of the WAN IP 1.1.1.1, since in the IPsec VPN config you can only select the WAN interface?

So far I have tried both of these, no good:

- set 1.1.1.2 as a secondary IP of the WAN interface
- create an IP pool of 1.1.1.2 and use it on the policies ipsec > lan and lan > ipsec

navaraj
New Contributor

Can anyone help me out regarding how to make SSL VPN users fail over with the backup (WAN 2) link?

Currently traffic is going via WAN; if WAN1 fails, internet traffic gets switched over to WAN2.

I am having a problem with how to make SSL VPN users connect on the WAN 2 IP. Even though I added both public IPs on the VPN client system and checked, I can only connect with the WAN 1 IP.

rdumitrescu
New Contributor III

@luckysantiago, I assume that you are using a route-based IPsec VPN.

In this case, if you need to use a secondary IP to establish a VPN connection, you have to set the secondary IP as the local gateway under the phase 1 parameters:

    config vpn ipsec phase1-interface
        edit xx
            set local-gw 1.1.1.2
        next
    end

@navaraj, you need to add the interface wan2 under VPN SSL Settings.

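As an added example that is not from the thread, the two answers above written out as a fuller FortiOS CLI configuration: the secondary address is first defined on wan1 and then selected as the IPsec local gateway, and wan2 is added as an SSL VPN listening interface. The tunnel name "to-client", the remote gateway 203.0.113.10, the /24 mask, the proposal and the pre-shared key are placeholders.

```fortios
# Added example, not from the original thread. Placeholder values:
# tunnel name "to-client", remote gateway 203.0.113.10, /24 mask, PSK.

# 1. Define 1.1.1.2 as a secondary address on wan1. No allowaccess is set,
#    so no management service listens on the extra address.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.1.1.2 255.255.255.0
            next
        end
    next
end

# 2. Route-based phase 1 sourced from the secondary address. Without
#    local-gw, IKE is sent from the primary address 1.1.1.1 and the
#    peer's whitelist rejects it.
config vpn ipsec phase1-interface
    edit "to-client"
        set interface "wan1"
        set ike-version 2
        set local-gw 1.1.1.2
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set psksecret <pre-shared-key-placeholder>
    next
end

# 3. SSL VPN reachable on both WAN links (navaraj's question): the portal
#    listens on every interface named in source-interface.
config vpn ssl settings
    set source-interface "wan1" "wan2"
end

# Checks once the tunnel is up:
#   diagnose vpn ike gateway list   -> local address shown should be 1.1.1.2
#   diagnose vpn tunnel list        -> phase 2 SAs present for "to-client"
```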

luckysantiago

That worked. Thanks!

Gallusser

And could this not be done through DNS administration? For example, add two records in the DNS, each pointing to the public IP of one interface:

VPN.MYCOMPANY.COM - 1.1.1.1
VPN.MYCOMPANY.COM - 1.1.1.2

This will create redundancy (round robin) in the DNS. In the configuration of the FortiGate: VPN -> IPsec Tunnel; in the configuration the Remote Gateway uses Dynamic DNS, and in the Dynamic DNS box we use the name that was registered in DNS, "VPN.MYCOMPANY.COM". With this the FortiGate is referring to a name and not the IP address, and the DNS would be responsible for providing the redundancy. Do you think this would work? Excuse my English, but I must use translators. Regards
