Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

VPN IP Addresses

Hey all,


We've used a Fortigate 100D for some time now with its IPSec VPN.  It's just set up for clients to connect and interact with the local network, no joining of ethernet segments or anything.  


I've been trying to figure out a few things regarding IP addresses when using the IPSec VPN but haven't had any luck, perhaps I am misunderstanding something.


When I connect to the office network via VPN from home, my DNS/DHCP server is my home router.  The network I'm connecting to uses a DHCP and DNS on a windows server.  When I connect, what IP address do I have on the remote (office) network and what assigns it?  What would other hosts on the office network see my address as?


The next part of my question is in regard to the OpenVPN functionality redirect-gateway.  When I connect to the office network and check my IP address, it's still showing my home IP.  Which would mean not all traffic is going through the VPN.  In OpenVPN I would set "redirect-gateway def1" but I'm unsure how this works with Fortigate's IPSec VPN.  Is it possible?


Thanks in advance.




and welcome to the forums.

The client IP in a VPN depends on the configuration. You can have

- a static private IP address from your home LAN

- a dynamic (DHCP) address from your home LAN

- a static private IP address from the remote LAN

- a dynamic (DHCP) address from the remote LAN (FGT as DHCP server or DHCP relay to Win server)


If you still see your own private IP address when issuing "ipconfig -all" then the FGT will route reply traffic to this (single) foreign address back through the VPN tunnel. It will create a route for this dynamically (if the IPsec VPN is of type 'dial-in').


For the internet traffic, either the default route (def. gateway) is the FGT or your local router, depending on the config. The latter is preferable as the tunnel is not congested with your internet traffic.

Same for DNS: either you decide to use your LAN's DNS, some other DNS on the internet, or the DNS on the remote LAN, heck, even the remote FGT can act as a DNS (proxy).


You see, a FGT as VPN gateway is very flexible, depending on your needs. Of course, your admin makes the decisions not the dial-in user. One of the most common configs is that the FGT will connect dial-in hosts via DHCP as to avoid address collisions - your home LAN could by chance have the same address space as the remote LAN which would break the connection. Local and remote LANs must have distinct address spaces as the FGT is routing between them.


Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
New Contributor

Check out the last part of ede_pfau's message. That could be the issue. But the probability of that happening is very little. Also, I'm not sure if there's an IP leak.

New Contributor

When you connect to a VPN server, you are assigned with an IP address that is associated with that VPN provider's server. Just like I am using Ivacy VPN and I have configured it with Fortinet's router, so, if anyone check's for my IP address, they'll be shown my VPN IP address. 


Secondly, go for a VPN which provides encryption above 256 bits, so that it becomes impossible for anyone to decipher your online data. 

New Contributor

Thanks for sharing such great info about VPN IP Addresses!


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors