Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
0skarprez
New Contributor

VPN connection with different public IP

Hello everybody, I hope you can help me with this, since I am beggining with fortinet

 

I already have configured a SSL VPN, with LDAP through my wan1 interface, and everything is working properly. but now I want to use another public IP to set the vpn connection, my ISP give me a couple of public IPs that I can use, but I do not know how to handle this.  I know I can assign a secundary IP in interface wan1, but I read this is not secure.

 

I have a Fortigate 60D in switch mode.

 

any suggestions?

best regards!

 

6 REPLIES 6
sw2090
SuperUser
SuperUser

if there is only one ISP Connection with more than one IP. You can only add a second ip to your wan and then use that as remote gw for your vpn.

Even if there is a route behind that has a switch that won't work any other way due to the routing ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
ede_pfau

eh, back to the question, yes, you would create a secondary address on the WAN interface and refer to it for IPsec VPN. FortiOS does not support multiple SSLVPN web portals, that's why I assume you would want to add an IPsec VPN.

 

In order to make it work, specify the secondary address in the CLI, "config vpn ipsec phase1-interface".

 

IMHO there is nothing more insecure about a secondary address than a primary one. Hearsay is not a good advisor.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
0skarprez

Thank you ede_pfau

 

so definetly as I see, I have to use the secundary address option, am I right?

 

I've tested the sec address option, and it works, the only thing is that users can connect the VPN over those 2 IPS I mean, the wan interface, and the secundary

 

in this case , should I create then an IPsec VPN, instead of SSL? would you recommend that?

 

thaks all for your support!

emnoc
Esteemed Contributor III

"FortiOS does not support multiple SSLVPN web portals,"

 

You can create multiple portals by realms with unique authentication, but we would need to know what's the goal of the requester.

 

IMHO no need to waste a ip address for vpn portal or ipsec. You can provided  separation by realms ( sslvpn ) and by hosted peerid/groups for ipsec.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
0skarprez

Thank you emnoc,

 

so you dont see any security issue for using the main IP for the SSL VPN pourpose?

 

regards

emnoc
Esteemed Contributor III

No, why ? and what is your concern? The firewall still has rules ( policu, auth,etc....) so regardless if it the same address used for various vpn, the security risk is mute...it's the same firewall.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors