Hello everybody, I hope you can help me with this, since I am beggining with fortinet
I already have configured a SSL VPN, with LDAP through my wan1 interface, and everything is working properly. but now I want to use another public IP to set the vpn connection, my ISP give me a couple of public IPs that I can use, but I do not know how to handle this. I know I can assign a secundary IP in interface wan1, but I read this is not secure.
I have a Fortigate 60D in switch mode.
any suggestions?
best regards!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
if there is only one ISP Connection with more than one IP. You can only add a second ip to your wan and then use that as remote gw for your vpn.
Even if there is a route behind that has a switch that won't work any other way due to the routing ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
eh, back to the question, yes, you would create a secondary address on the WAN interface and refer to it for IPsec VPN. FortiOS does not support multiple SSLVPN web portals, that's why I assume you would want to add an IPsec VPN.
In order to make it work, specify the secondary address in the CLI, "config vpn ipsec phase1-interface".
IMHO there is nothing more insecure about a secondary address than a primary one. Hearsay is not a good advisor.
Thank you ede_pfau
so definetly as I see, I have to use the secundary address option, am I right?
I've tested the sec address option, and it works, the only thing is that users can connect the VPN over those 2 IPS I mean, the wan interface, and the secundary
in this case , should I create then an IPsec VPN, instead of SSL? would you recommend that?
thaks all for your support!
"FortiOS does not support multiple SSLVPN web portals,"
You can create multiple portals by realms with unique authentication, but we would need to know what's the goal of the requester.
IMHO no need to waste a ip address for vpn portal or ipsec. You can provided separation by realms ( sslvpn ) and by hosted peerid/groups for ipsec.
Ken Felix
PCNSE
NSE
StrongSwan
Thank you emnoc,
so you dont see any security issue for using the main IP for the SSL VPN pourpose?
regards
No, why ? and what is your concern? The firewall still has rules ( policu, auth,etc....) so regardless if it the same address used for various vpn, the security risk is mute...it's the same firewall.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.