We've used a Fortigate 100D for some time now with its IPSec VPN. It's just set up for clients to connect and interact with the local network, no joining of ethernet segments or anything.
I've been trying to figure out a few things regarding IP addresses when using the IPSec VPN but haven't had any luck, perhaps I am misunderstanding something.
When I connect to the office network via VPN from home, my DNS/DHCP server is my home router. The network I'm connecting to uses a DHCP and DNS on a windows server. When I connect, what IP address do I have on the remote (office) network and what assigns it? What would other hosts on the office network see my address as?
The next part of my question is in regard to the OpenVPN functionality redirect-gateway. When I connect to the office network and check my IP address, it's still showing my home IP, which would mean not all traffic is going through the VPN. In OpenVPN I would set "redirect-gateway def1", but I'm unsure how this works with Fortigate's IPSec VPN. Is it possible?
The client IP in a VPN depends on the configuration. You can have
- a static private IP address from your home LAN
- a dynamic (DHCP) address from your home LAN
- a static private IP address from the remote LAN
- a dynamic (DHCP) address from the remote LAN (FGT as DHCP server or DHCP relay to Win server)
If you still see your own private IP address when issuing "ipconfig -all" then the FGT will route reply traffic to this (single) foreign address back through the VPN tunnel. It will create a route for this dynamically (if the IPsec VPN is of type 'dial-in').
For the internet traffic, either the default route (def. gateway) is the FGT or your local router, depending on the config. The latter is preferable as the tunnel is not congested with your internet traffic.
Same for DNS: either you decide to use your LAN's DNS, some other DNS on the internet, or the DNS on the remote LAN, heck, even the remote FGT can act as a DNS (proxy).
You see, a FGT as VPN gateway is very flexible, depending on your needs. Of course, your admin makes the decisions, not the dial-in user. One of the most common configs is that the FGT will connect dial-in hosts via DHCP so as to avoid address collisions - your home LAN could by chance have the same address space as the remote LAN, which would break the connection. Local and remote LANs must have distinct address spaces as the FGT is routing between them.
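As an added example (not part of the answer above, and not Fortinet's own documentation), this FortiOS CLI sketch shows where the choices described above live for a dial-up IPsec VPN: mode-config address assignment, the DNS server pushed to the client, and split tunnel versus full tunnel (the equivalent of OpenVPN's redirect-gateway). The interface name, subnets, object names and the pre-shared-key placeholder are assumed, and the syntax follows FortiOS 6.x/7.x, which an older 100D release may not match exactly.

```text
# Assumed names/addresses: wan1, 192.168.1.0/24 office LAN, 10.10.10.0/24 VPN pool.
config firewall address
    edit "office_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "vpn_clients"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "dialup"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set psksecret REPLACE_WITH_PRESHARED_KEY
        set mode-cfg enable
        # Address handed to the client for the tunnel (what office hosts see).
        # Alternative: "set assign-ip-from dhcp" to lease from a DHCP server/relay.
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 192.168.1.10
        # Split tunnel: only office_lan is routed into the tunnel. Remove this
        # line and the client is pushed 0.0.0.0/0, i.e. all traffic via the FGT.
        set ipv4-split-include "office_lan"
    next
end
config vpn ipsec phase2-interface
    edit "dialup"
        set phase1name "dialup"
        set proposal aes256-sha256
    next
end
# Full-tunnel clients also need a policy out to the internet with NAT,
# in addition to the usual dialup-to-LAN policy.
config firewall policy
    edit 0
        set name "dialup_to_internet"
        set srcintf "dialup"
        set dstintf "wan1"
        set srcaddr "vpn_clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Leaving the split-include in place keeps internet traffic off the tunnel, as the answer recommends; dropping it forces everything through the office and makes the internet-facing policy above mandatory.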
When you connect to a VPN server, you are assigned an IP address that is associated with that VPN provider's server. Just like I am using Ivacy VPN and I have configured it with Fortinet's router, so, if anyone checks for my IP address, they'll be shown my VPN IP address.
Secondly, go for a VPN which provides encryption above 256 bits, so that it becomes impossible for anyone to decipher your online data.