Source IP address anchoring for IPsec VPN
FortiOS requires endpoints' public IP addresses to achieve source IP address anchoring for IPsec VPN. FortiClient includes an enhancement to ensure that FortiClient provides a correct and reliable public IP address. You can then use the IP address in an on-Fabric detection rule in EMS.
This example configures an on-Fabric detection rule using the public IP address 208.91.115.30. The rule causes FortiClient to become on-Fabric or off-Fabric depending on if its public IP address is 208.91.115.30.
To configure an on-Fabric detection rule using a public IP address:
- Add an on-Fabric rule:
- In EMS, go to Endpoint Policy & Components > On-fabric Detection Rules.
- Click Add.
- Click Add Rule.
- From the Detection Type dropdown list, select Public IP.
- In the IP Address field, enter the desired IP address.
- Click Add Rule.
- Click Save.
- Go to Endpoint Profiles > Remote Access.
- Create two Remote Access profiles, one for off-Fabric endpoints and one for on-Fabric endpoints. The profile for on-Fabric endpoints is disabled, while the profile for off-Fabric endpoints is enabled.
- Go to Endpoint Policy & Components > Manage Policies.
- Click Add.
- Enable Profile (Off-Fabric).
- Configure the on- and off-Fabric VPN profiles as you configured.
- Configure other fields as desired, then click Save. Once FortiClient receives the configuration, since it is on-Fabric, the Remote Access tab is not visible in FortiClient. If the FortiClient IP address does not match the one defined in the on-Fabric detection rule, the endpoint is considered off-Fabric and the Remote Access tab appears in FortiClient.