Hello,
We currently have 2 VPN tunnels on our 601E: 1 IPsec with public addresses and one SSL behind a NAT.
We would like to know:
- if we can make 2 SSL tunnels (because it seems we can't, as there is no possibility to create a new one in "VPN-SSL settings"). If we can't, it's OK, we will delete the old one.
- Can we use public IPs to create a new VPN SSL (it would be easier for us with the log files if each user had a public IP assigned on connection) and if so, where can we declare this subnet, in the WAN subnet?
Thanks a lot.
darant
You are strictly talking about client VPN tunnels here? Assuming yes, I will answer the easy question first:
1. Yes you can use public IP addresses for your VPN clients, assuming you own the IP address space. Just create the address object containing the IP range you want to assign to users and apply it to your VPN settings.
Second question really depends on what exactly you are trying to accomplish. Is there a reason you want two distinct client tunnels? Most admins will have the VPN service listening on one or more interfaces. If you need to create different scopes or access rules based on user types connecting to your VPN you can leverage Realms for this or assign different portals based on the authentication parameters (i.e. users in groupX get portal vpnX and users in groupY get portal vpnY).
More info here: https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/724772/ssl-vpn-multi-realm
I just didn't want to handle a service interruption, that's why I talked about 2 tunnels. But I will warn our users and replace the NAT tunnel with one in a public address range as you said: create an address object and add a static route.
Thanks again!
If you want to avoid a service outage you could use realms. Create a new realm for the updated configuration using public IP addresses. Test it, make sure it works. Then swap its configuration to what is now your default/original configuration realm.
Thanks a lot, I'll try this.
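The realm-based migration suggested in the replies above, sketched as FortiOS CLI. This is an added example, not part of the original thread or of Fortinet's documentation; the object, realm, portal and group names are hypothetical, and 203.0.113.0/24 is a documentation range standing in for the public block you own.

```fortios
# Added example: all names below are hypothetical placeholders.
# 1. Address object holding the public range handed out to VPN clients
#    (203.0.113.x is a constructed stand-in for address space you own).
config firewall address
    edit "SSLVPN_PUBLIC_POOL"
        set type iprange
        set start-ip 203.0.113.10
        set end-ip 203.0.113.50
    next
end

# 2. A separate realm so the new setup can be tested next to the
#    existing default configuration without interrupting current users.
config vpn ssl web realm
    edit "newpool"
    next
end

# 3. Tunnel-mode portal that assigns addresses from the public pool.
config vpn ssl web portal
    edit "portal-public"
        set tunnel-mode enable
        set ip-pools "SSLVPN_PUBLIC_POOL"
    next
end

# 4. Map a test group to the new portal only when users connect through
#    the new realm; every other user keeps the existing portal.
config vpn ssl settings
    config authentication-rule
        edit 2
            set groups "vpn-test-users"
            set portal "portal-public"
            set realm "newpool"
        next
    end
end
```

Test users connect to the realm path on the existing SSL VPN listener (`https://<gateway>/newpool`). Traffic from the new pool still needs a matching firewall policy from the SSL VPN tunnel interface and a return route for the public range before the old NAT pool is retired.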