darantasia
New Contributor II

VPN-SSL : routable ip address on Fortigate 601E

Hello,

 

We currently have 2 VPN tunnels on our 601E: 1 IPsec with public addresses and one SSL behind a NAT.

We would like to know:

- if we can make 2 SSL tunnels (because it seems we can't, as there is no possibility to create a new one in "VPN-SSL settings"). If we can't, it's ok, we will delete the old one.

- Can we use public IPs to create a new VPN SSL (it would be easier for us with the log files if each user had a public IP assigned on connection) and, if so, where can we declare this subnet, in the WAN subnet?


Thanks a lot.

darant


1 Solution
gfleming
Staff

You are strictly talking about client VPN tunnels here? Assuming yes, I will answer the easy question first:

1. Yes, you can use public IP addresses for your VPN clients, assuming you own the IP address space. Just create the address object containing the IP range you want to assign to users and apply it to your VPN settings.

The second question really depends on what exactly you are trying to accomplish. Is there a reason you want two distinct client tunnels? Most admins will have the VPN service listening on one or more interfaces. If you need to create different scopes or access rules based on user types connecting to your VPN, you can leverage Realms for this or assign different portals based on the authentication parameters (i.e. users in groupX get portal vpnX and users in groupY get portal vpnY).

More info here: https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/724772/ssl-vpn-multi-realm

Cheers,
Graham


4 REPLIES
darantasia
New Contributor II

I just didn't want to handle a service interruption, that's why I talked about 2 tunnels. But I will warn our users and replace the NAT tunnel with one in a public address range as you said: create an address object and add a static route.

Thanks again!

gfleming

If you want to avoid a service outage you could use realms. Create a new realm for the updated configuration using public IP addresses. Test it, make sure it works. Then swap its configuration to what is now your default/original configuration realm.

Cheers,
Graham
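The two pieces of advice in this thread (a public IP pool assigned through an address object, and a second realm used to stage the new configuration without an outage) can be expressed as a FortiOS CLI fragment. The following is an added example written for this page, not Graham's configuration and not taken from Fortinet documentation; it follows FortiOS 7.0-style CLI syntax, so check it against the CLI reference for your firmware. The object and realm names, the group "groupX", the interfaces "wan1"/"internal", and the 203.0.113.0/26 documentation range are all assumptions; the range you use must be address space you own and that your upstream provider routes to the FortiGate's WAN interface.

```text
# Added example (not from this thread or from Fortinet): FortiOS 7.0-style CLI
# for a public SSL VPN client pool staged in its own realm. All names, the
# 203.0.113.0/26 block, "wan1", "internal" and "groupX" are assumptions.

# 1. Address object holding the public range handed to SSL VPN clients.
config firewall address
    edit "SSLVPN_PUBLIC_POOL"
        set type iprange
        set start-ip 203.0.113.10
        set end-ip 203.0.113.60
    next
end

# 2. Tunnel-mode portal that assigns addresses from that pool. Split
#    tunnelling is disabled so every client flow is logged with its pool IP.
config vpn ssl web portal
    edit "vpnX"
        set tunnel-mode enable
        set ip-pools "SSLVPN_PUBLIC_POOL"
        set split-tunneling disable
    next
end

# 3. A separate realm. Clients reach it at https://<fortigate-wan-ip>/public
#    while the existing default realm keeps serving the current users.
config vpn ssl web realm
    edit "public"
        set url-path "public"
    next
end

# 4. Bind the pool and realm to the SSL VPN service. Only members of groupX
#    who authenticate through the "public" realm receive portal vpnX.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_PUBLIC_POOL"
    config authentication-rule
        edit 1
            set groups "groupX"
            set realm "public"
            set portal "vpnX"
        next
    end
end

# 5. Firewall policy from the SSL VPN interface into the LAN, restricted to
#    the pool addresses and the group, with full traffic logging.
config firewall policy
    edit 0
        set name "sslvpn-public-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_PUBLIC_POOL"
        set dstaddr "all"
        set groups "groupX"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 6. Static route for the pool block pointing at the SSL tunnel interface
#    (the route darantasia mentions), so return traffic enters the tunnel.
config router static
    edit 0
        set dst 203.0.113.0 255.255.255.192
        set device "ssl.root"
    next
end
```

Once the "public" realm has been tested, the cut-over Graham describes is a matter of moving the pool, portal and authentication rule onto the default realm and retiring the NAT-based one. Keeping `source-interface` limited to the WAN interface, binding the policy to both the pool object and the user group, and leaving `logtraffic all` on are what make the per-user public address useful for the log correlation the original question asks about.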
darantasia
New Contributor II

Thanks a lot, I'll try this.
