FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
keithli_FTNT
Staff
Article Id 189807

Description

 

This article explains how to define a secondary IP address on an interface and use that address as the local VPN gateway address.

The IP address of a VPN gateway is usually the primary IP address of the network interface that connects to the Internet.
The benefit of the option described here is that the existing setup on that interface is not affected by the VPN settings.


Scope


IPsec, VPN, Phase1, FortiOS, Site-to-Site VPN, tunnel, secondary IP, peer.


Solution

 

To add the IP address:

 

  1. Edit the external interface and set a secondary IP by going to System -> Network -> Interface.
     

 
 
 
  2. Modify the phase1 settings from the CLI and set the local-gw parameter so that the tunnel uses the secondary IP. For a policy-based tunnel:
    config vpn ipsec phase1
        edit MyVPNTunnel
            set interface wan1
            set local-gw 10.200.10.2
        next
    end
     
    If using a route-based tunnel, modify the phase1-interface settings from the CLI instead and set the local-gw parameter the same way:
     
    config vpn ipsec phase1-interface
        edit MyVPNTunnel
            set interface wan1
            set local-gw 10.200.10.2
        next
    end
     
  3. While configuring the VPN settings on the remote peer, point it to the secondary IP instead of the primary address.

     

    As of FortiOS 6.4.9 (ID 728468), the 'local-gw' IP address must be assigned to the interface, either as a primary or secondary address, for the tunnel to work properly.
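The procedure above as a single CLI session, including the CLI form of the interface change that step 1 performs in the GUI and the commands used to confirm which local address the tunnel actually negotiates from. This is an added example, not part of the original article: the interface name wan1, the tunnel name MyVPNTunnel and the address 10.200.10.2/24 follow the article, while the peer address 203.0.113.10 is a documentation-range placeholder and the pre-shared key is a placeholder to be replaced. Lines starting with # are explanatory comments, not CLI input.

```fortios
# Step 1 (CLI form of the GUI step): add 10.200.10.2/24 as a secondary IP on wan1.
# This also satisfies the FortiOS 6.4.9 requirement that local-gw be an address
# assigned to the interface.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.200.10.2 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# Step 2: route-based phase1 bound to wan1, sourcing IKE from the secondary IP.
# remote-gw 203.0.113.10 and <PLACEHOLDER_PSK> are assumed values.
config vpn ipsec phase1-interface
    edit "MyVPNTunnel"
        set interface "wan1"
        set local-gw 10.200.10.2
        set remote-gw 203.0.113.10
        set psksecret <PLACEHOLDER_PSK>
    next
end

# Verification: confirm the saved settings, then check that the IKE gateway
# and tunnel entries report 10.200.10.2 as the local address rather than the
# primary address of wan1.
show system interface wan1
show vpn ipsec phase1-interface MyVPNTunnel
diagnose vpn ike gateway list name MyVPNTunnel
diagnose vpn tunnel list name MyVPNTunnel
```

The `set interface wan1` line still binds the tunnel to the physical interface; `local-gw` only selects which of that interface's addresses IKE and ESP are sourced from. If the diagnose output shows the primary address instead, the secondary IP was not applied to the interface, which is exactly the condition the 6.4.9 note describes.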

     

Related document:

Changes in default behavior