VPN connection with different public IP

Author
0skarprez
2020/05/19 12:36:18 (permalink)

Hello everybody, I hope you can help me with this, since I am beginning with Fortinet.
 
I have already configured an SSL VPN with LDAP through my wan1 interface, and everything is working properly. But now I want to use another public IP to set up the VPN connection. My ISP gives me a couple of public IPs that I can use, but I do not know how to handle this. I know I can assign a secondary IP on interface wan1, but I read this is not secure.
 
I have a Fortigate 60D in switch mode.
 
Any suggestions?
Best regards!
 
#1


    sw2090
    Re: VPN connection with different public IP 2020/05/20 02:19:59 (permalink)
    If there is only one ISP connection with more than one IP, you can only add a second IP to your WAN and then use that as the remote gw for your VPN.
    Even if there is a route behind that has a switch that won't work any other way due to the routing ;)
    #2
    ede_pfau
    Re: VPN connection with different public IP 2020/05/20 06:42:35 (permalink)
    Eh, back to the question: yes, you would create a secondary address on the WAN interface and refer to it for IPsec VPN. FortiOS does not support multiple SSLVPN web portals, that's why I assume you would want to add an IPsec VPN.
     
    In order to make it work, specify the secondary address in the CLI, "config vpn ipsec phase1-interface".
     
    IMHO there is nothing more insecure about a secondary address than a primary one. Hearsay is not a good advisor.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #3
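One way to write out the two steps from the reply above in the FortiOS CLI, as an added example that is not part of the original thread. The addresses and netmasks (documentation range 203.0.113.0/24), the phase1 name `vpn-secondary`, the dial-up settings and the key placeholder are assumptions; the `#` lines are annotations.

```fortios
# Constructed example: placeholder addresses and masks, hypothetical names.
config system interface
    edit "wan1"
        # Primary address (placeholder) stays as it is.
        set ip 203.0.113.10 255.255.255.248
        set secondary-IP enable
        config secondaryip
            edit 1
                # Second public IP from the ISP (placeholder address and mask;
                # use the values the ISP assigned).
                set ip 203.0.113.11 255.255.255.255
                # No http/https/ssh here: the secondary address carries VPN
                # traffic only, so administrative access is not exposed on it.
                set allowaccess ping
            next
        end
    next
end

config vpn ipsec phase1-interface
    edit "vpn-secondary"
        set type dynamic
        set interface "wan1"
        # Bind this tunnel to the secondary address instead of the primary one.
        set local-gw 203.0.113.11
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set psksecret <pre-shared-key-placeholder>
    next
end
```

The matching phase2, firewall policies and user authentication are still required before the tunnel passes traffic.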
    0skarprez
    Re: VPN connection with different public IP 2020/05/20 08:52:41 (permalink)
    Thank you ede_pfau
     
    So definitely, as I see, I have to use the secondary address option, am I right?
     
    I've tested the secondary address option, and it works. The only thing is that users can connect to the VPN over those 2 IPs, I mean the WAN interface and the secondary.
     
    In this case, should I then create an IPsec VPN instead of SSL? Would you recommend that?
     
    Thanks all for your support!
    #4
    emnoc
    Re: VPN connection with different public IP 2020/05/20 09:53:46 (permalink)
    "FortiOS does not support multiple SSLVPN web portals,"
     
    You can create multiple portals by realms with unique authentication, but we would need to know what the goal of the requester is.
     
    IMHO no need to waste an IP address for a VPN portal or IPsec. You can provide separation by realms (sslvpn) and by hosted peerid/groups for IPsec.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #5
    0skarprez
    Re: VPN connection with different public IP 2020/05/20 10:49:37 (permalink)
    Thank you emnoc,
     
    So you don't see any security issue in using the main IP for the SSL VPN purpose?
     
    Regards
    #6
    emnoc
    Re: VPN connection with different public IP 2020/05/20 13:00:09 (permalink)
    No, why? And what is your concern? The firewall still has rules (policy, auth, etc.), so regardless if it is the same address used for various VPNs, the security risk is moot... it's the same firewall.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #7