Maximum SSL VPN Portals

I was in our DC Fortigate 80F attempting to create another SSL VPN Web Portal linked to a new realm to find out that there is a maximum on how many I can have (10).

Now if I were to move to IPsec Remote Access tunnels…

  1. How many tunnels can we run?
  2. How can we go about keeping “realms?” Would we need to dedicate an IP per remote access tunnel since ipsec doesn’t really do realms?

We do run FOO and several site-to-site tunnels - I’d assume this also gets accounted for in the max of ipsec tunnels allowed.

Hello, you should check the maximum values table using your model and the value you need. The 80F is a small device and does not support a huge number of SSL VPN tunnels.

The way that I do things is different.

I have 3 portals at a minimum.

  1. IT Admins
  2. Employees
  3. Contractors

I can then have extra for whatever I need like testing etc.

The security now all comes down to the policies that I use. Regardless of if it’s SSL or IPsec as the Idp allows me to create firewall groups referencing groups from my identity provider. This works with LDAP, SAML and RADIUS.

Now the question is, why do you need more than 10 portals?

According to the datasheet, if using AES256-SHA256 the 80F is supported for up to 200 site-to-site tunnels and 2500 client-to-site tunnels using IPsec, and a total of 200 SSL VPN clients.

IPsec users dial-up and you can have all 2500 clients on one public IP.

There is no direct limitation to IPsec tunnels, but the unit has a limit of 256 logical interfaces at most, so you will be able to create at most “256 - ” number of IPsec phase1s (~ site-to-site or dialup configurations). The real limit of actually connected dialup clients is only limited practically by CPU/memory utilization.

“Realms” don’t really exist as a concept in IPsec, but you can match different users to different IPsec tunnels by e.g. letting them specify a different peer-id and matching for that. (needs IKEv1 aggressive mode, or IKEv2)

We separate each of our MSP clients into different portals, and some use LDAP or RADIUS while others use SAML.

Honestly IPsec would just be better anyways in terms of performance and CVEs but need to make sure it’ll work for our setup.

I guess what I can do is create a VLAN interface with a public IP for each client’s tunnel. Could do a loopback, but if I’m not mistaken, loopbacks aren’t offloaded while VLAN interfaces are. Essentially just route some blocks of IPs through our FGT WAN IP.

You don’t need a different public IP for each client. You can match the dial-up tunnel based on the ID that the client sends. That way you can have multiple dial-up configurations with the same public IP, but the actual configuration is completely different.

Loopbacks are offloaded on NP7 models by the way.
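The per-client dial-up layout described in the reply above, written out as FortiOS CLI as an added example (not from any poster in this thread); the interface name wan1, the peer IDs, the address pools, the VLAN and address object names and the placeholder pre-shared keys are all assumptions:

```fortios
# Two dial-up phase1s bound to the SAME WAN interface, selected only by the
# IKE ID the client presents. All names and pools below are assumed values.
config vpn ipsec phase1-interface
    edit "ra-clientA"
        set type dynamic
        set interface "wan1"
        # IKEv2 so the ID is usable for selection; IKEv1 would need aggressive mode
        set ike-version 2
        set peertype one
        set peerid "clientA"
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.101.0.1
        set ipv4-end-ip 10.101.0.254
        set ipv4-netmask 255.255.255.0
        # placeholder PSK, distinct per tenant
        set psksecret <PSK-CLIENT-A>
    next
    edit "ra-clientB"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "clientB"
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.102.0.1
        set ipv4-end-ip 10.102.0.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-CLIENT-B>
    next
end
config vpn ipsec phase2-interface
    edit "ra-clientA-p2"
        set phase1name "ra-clientA"
        set proposal aes256-sha256
    next
    edit "ra-clientB-p2"
        set phase1name "ra-clientB"
        set proposal aes256-sha256
    next
end
# Access is decided per tunnel interface by policy: only members of client A's
# identity-provider group, arriving on ra-clientA, reach client A's VLAN.
config firewall policy
    edit 0
        set name "ra-clientA-to-servers"
        set srcintf "ra-clientA"
        set dstintf "vlan-clientA"
        set srcaddr "all"
        set dstaddr "clientA-servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "clientA-vpn-users"
    next
end
```

Each phase1 here is one tunnel interface, so it counts against the logical-interface ceiling mentioned earlier in the thread. The peer ID is only a selector, not a credential: the per-tenant PSK and the group-bound policy are what actually gate access.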

Oh sweet I thought peer ids were only available for site to sites. Thanks!

Unfortunately, upgrading to units with the NP7 isn’t an option at the moment with management. Would definitely be nice though.