Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
julianhaines
New Contributor II

Created on ‎10-24-2024 02:53 AM

migrate my SSL full tunnel VPN from using an Address IP List

Good day, I am trying to migrate my SSL full tunnel VPN from using an Address IP List (10.0.3.0/21) to issue IPs to VPN users to using an external Microsoft DHCP server, I need to do this as the FortiGate can’t add DNS records for VPN users as it does not support this.

 

I have set up a new scope on the Microsoft DHCP server 10.0.16.0/21 as shown in the screenshot, my local subnet is 10.0.0.0/21, I can’t use the existing Subnet as it conflicts with the DHCP server.

 

The issue I am facing is that when I connect to the SSL VPN once I have migrated, I am unable to access any devices on the 10.0.0.0/21 subnet, I updated the Firewall policies to the new Subnet and updated the VPN settings following the Fortigate guide here https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-external-DHCP-Server/ta-p/215....

 

I noticed that when connected to the SSL VPN the client gets two IP’s for example in the screenshot on my test device I got 10.0.16.5 as my IP and 10.0.16.6 as the Gateway which I don’t understand if the SSL VPN assigns 10.0.16.6 as my gateway what should I set the gateway to in the Microsoft DHCP server?

 

Also, as I am using a Subnet outside of the local Subnet, I am not sure if I need to add any routing. I have tried to add a Static route for the SSL.root interface but not sure what the Destination or Gateway IPs would be because of the Gateway 10.0.16.6 issued to the client above.

 

DHCP Network Diagram.png

Labels:
89
0 Kudos
2 REPLIES 2
rowanlo2
Visitor

Created on ‎10-24-2024 03:20 AM

You create a Virtual IP that NATs TCP 443 (or your preferred port) to the loopback interface. Create a firewall policy from WAN to the loopback interface, and set your preferred rules on it. Then you switch the interface in the SSL-VPN Settings, and it should work.

77
julianhaines
New Contributor II
In response to rowanlo2

Created on ‎10-24-2024 04:55 AM

Hi, thanks for the information, so something like below? what ip would I use for the virtual IP "Mapped From"? does it need to be an ip from the internal subnet 10.0.0.0/21?

 

Virtual IP
Name: VPN Virtual IP
Interface: VPN DHCP LOOP
Mapped From: 10.0.16.1:443 ?? internal IP?
Mapped To: 10.0.16.2:443 (VPN DHCP LOOP IP)

 

Firewall Policy
Incoming: ssl.root
Outgoing: VPN DHCP LOOP
Destination: all
Service: all
NAT: Enable

46
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.