Fortinet black logo

Administration Guide

SSL VPN IP address assignments

SSL VPN IP address assignments

When a user disconnects from a VPN tunnel, it is not always desirable for the released IP address to be used immediately. In SSL VPN, IP addresses can be assigned from the pool in a round robin fashion, instead of the default first-available address method.

Example

In this example, two PCs connect to the VPN. SSL VPN is configured to use round robin IP address assignment. Dual stack address assignment (both IPv4 and IPv6) is used.

After a tunnel is disconnected, freeing a low IP address, the next client that connects gets the next address in the round robin instead of the lowest address.

To configure SSL VPN with round robin and dual stack:
  1. Create IPv4 and IPv6 address ranges:

    config firewall address
        edit "sslvpn_ipv4_pool"
            set type iprange
            set start-ip 173.10.1.1
            set end-ip 173.10.1.3
        next
    end
    config firewall address6
        edit "sslvpn_ipv6_pool"
            set type iprange
            set start-ip 2000::ad0a:101
            set end-ip 2000::ad0a:103
        next
    end
  2. Set the address ranges as IP pools in the SSL VPN settings:

    config vpn ssl settings
        set tunnel-ip-pools "sslvpn_ipv4_pool"
        set tunnel-ipv6-pools "sslvpn_ipv6_pool"
    end

    When round-robin is used, any address pools defined in the web portal are ignored and the tunnel IPv4 and IPv6 pool addresses in the SSL VPN settings are used. Only one set of IP pool addresses can be applied.

  3. Enable round-robin and dual stack in the SSL VPN settings:

    config vpn ssl settings
        set dual-stack-mode enable
        set tunnel-addr-assigned-method round-robin
    end

    By default, the IP pool assignment follows the first available rule.

  4. Create two users and assign them to an SSL VPN policy:

    config user local
        edit "u1"
            set type password
            set passwd **********
        next
        edit "u2"
            set type password
            set passwd **********
        next
    end
    config firewall policy
        edit 1
            set name "sslvpnd"
            set srcintf "ssl.vdom1"
            set dstintf "link_11" "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set nat enable
            set users "u1" "u2"
        next
    end
To test the results:
  1. Log in to the SSL VPN on PC1 using user u1 and then check its assigned IP address:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.145   0/0     0/0     0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.145     13      49935/35251    173.10.1.1,2000::ad0a:101
  2. Log in to the SSL VPN on PC1 using user u2 and then check its assigned IP address:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.145   0/0     0/0     0
     1       u2             1(1)             N/A     10.1.100.254   0/0     0/0     0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.145     44      90126/70405    173.10.1.1,2000::ad0a:101
     1       u2             10.1.100.254     10      10563/8158     173.10.1.2,2000::ad0a:102
  3. Log user u1 off of PC1, then log them back in and check that the assigned IP address is not the same as was previously assigned:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.145   0/0     0/0     0
     1       u2             1(1)             N/A     10.1.100.254   0/0     0/0     0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.145     10      50992/41159    173.10.1.3,2000::ad0a:103
     1       u2             10.1.100.254     43      30374/21860    173.10.1.2,2000::ad0a:102

SSL VPN IP address assignments

When a user disconnects from a VPN tunnel, it is not always desirable for the released IP address to be used immediately. In SSL VPN, IP addresses can be assigned from the pool in a round robin fashion, instead of the default first-available address method.

Example

In this example, two PCs connect to the VPN. SSL VPN is configured to use round robin IP address assignment. Dual stack address assignment (both IPv4 and IPv6) is used.

After a tunnel is disconnected, freeing a low IP address, the next client that connects gets the next address in the round robin instead of the lowest address.

To configure SSL VPN with round robin and dual stack:
  1. Create IPv4 and IPv6 address ranges:

    config firewall address
        edit "sslvpn_ipv4_pool"
            set type iprange
            set start-ip 173.10.1.1
            set end-ip 173.10.1.3
        next
    end
    config firewall address6
        edit "sslvpn_ipv6_pool"
            set type iprange
            set start-ip 2000::ad0a:101
            set end-ip 2000::ad0a:103
        next
    end
  2. Set the address ranges as IP pools in the SSL VPN settings:

    config vpn ssl settings
        set tunnel-ip-pools "sslvpn_ipv4_pool"
        set tunnel-ipv6-pools "sslvpn_ipv6_pool"
    end

    When round-robin is used, any address pools defined in the web portal are ignored and the tunnel IPv4 and IPv6 pool addresses in the SSL VPN settings are used. Only one set of IP pool addresses can be applied.

  3. Enable round-robin and dual stack in the SSL VPN settings:

    config vpn ssl settings
        set dual-stack-mode enable
        set tunnel-addr-assigned-method round-robin
    end

    By default, the IP pool assignment follows the first available rule.

  4. Create two users and assign them to an SSL VPN policy:

    config user local
        edit "u1"
            set type password
            set passwd **********
        next
        edit "u2"
            set type password
            set passwd **********
        next
    end
    config firewall policy
        edit 1
            set name "sslvpnd"
            set srcintf "ssl.vdom1"
            set dstintf "link_11" "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set nat enable
            set users "u1" "u2"
        next
    end
To test the results:
  1. Log in to the SSL VPN on PC1 using user u1 and then check its assigned IP address:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.145   0/0     0/0     0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.145     13      49935/35251    173.10.1.1,2000::ad0a:101
  2. Log in to the SSL VPN on PC1 using user u2 and then check its assigned IP address:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.145   0/0     0/0     0
     1       u2             1(1)             N/A     10.1.100.254   0/0     0/0     0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.145     44      90126/70405    173.10.1.1,2000::ad0a:101
     1       u2             10.1.100.254     10      10563/8158     173.10.1.2,2000::ad0a:102
  3. Log user u1 off of PC1, then log them back in and check that the assigned IP address is not the same as was previously assigned:

    # get vpn ssl monitor
    SSL-VPN Login Users:
     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
     0       u1             1(1)             N/A     10.1.100.145   0/0     0/0     0
     1       u2             1(1)             N/A     10.1.100.254   0/0     0/0     0
    
    SSL-VPN sessions:
     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
     0       u1             10.1.100.145     10      50992/41159    173.10.1.3,2000::ad0a:103
     1       u2             10.1.100.254     43      30374/21860    173.10.1.2,2000::ad0a:102