RemoteAccess: Static IP for SSL-VPN

PPTP and IPsec VPN both support statically assigned virtual IP addresses. Customers want this feature for SSL VPN as well. This way, internal users can access resources that are connected via SSL VPN, like a printer attached to a laptop connected via Remote Access.

223 votes
    Gert Hansen shared this idea
    Timm Schneider shared a merged idea: Static IP for SSL VPN Users

    11 comments

      • Anonymous commented

        Disable the automatic firewall rule in the SSL VPN options, and then manually configure the firewall for each user on a host/network basis.

      • Bardel Patrick commented

        This is very important to us!

        The DNAT/SNAT workaround is very time consuming with about 200 clients...

      • Andreas commented

        NAT is, as always, not a solution but an ugly workaround (depends highly on the protocols used).

        It shouldn't be a huge effort to implement this "correctly", since OpenVPN provides the client-config-dir option.

        Already "implemented" this on an ASG320 cluster on the console by editing client-config-dir in /var/sec/chroot-openvpn/etc/openvpn/openvpn.conf-default and creating a ccd file for each user which needs a static tunnel IP address or any other special OpenVPN options. Also implemented synchronization of these files within the cluster.

        Works like a charm, but of course it's not update-proof.
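
The ccd approach from the comment above, as an added example (this is not code from the Astaro/Sophos appliance or from the commenter). The script manages an OpenVPN client-config-dir: it emits the server directives the directory needs and writes one ccd file per user containing an `ifconfig-push` line, which is what pins the tunnel address so that per-user firewall rules and IP-based ACLs on internal equipment stay valid across reconnects. Everything below that is not on the page is an assumption: the server is assumed to use `topology subnet`, the pool 10.242.2.0/24 and the pinned range .10 to .99 are hypothetical, and CCD_DIR defaults to a local scratch directory rather than the chroot path on the appliance.

```shell
#!/bin/sh
# Added example, not appliance or commenter code: pin static OpenVPN tunnel
# addresses per user through client-config-dir (ccd) files.
# Assumptions (hypothetical, not from the page): "topology subnet", the SSL
# VPN pool is 10.242.2.0/24, addresses .10-.99 are reserved for pinning,
# and CCD_DIR is a local directory instead of the appliance's chroot path.

CCD_DIR="${CCD_DIR:-./ccd}"
POOL_NET="10.242.2"            # first three octets of the /24 pool
POOL_MASK="255.255.255.0"

# Server directives that make the ccd files take effect.
# "nopool" stops --server from pooling the whole subnet; the explicit
# ifconfig-pool then keeps dynamic clients (.100-.250) away from the pinned
# range, so a pinned address can never be handed out twice.
# "ccd-exclusive" rejects clients without a ccd file, turning the directory
# into an allow-list; drop it if unknown users should still get a pool address.
server_conf_fragment() {
    cat <<EOF
topology subnet
server $POOL_NET.0 $POOL_MASK nopool
ifconfig-pool $POOL_NET.100 $POOL_NET.250 $POOL_MASK
client-config-dir $CCD_DIR
ccd-exclusive
EOF
}

# ccd_line IP -> the directive that pins the tunnel address. Under
# "topology subnet" ifconfig-push takes <ip> <netmask>; under the older
# net30 topology it takes a local/remote endpoint pair instead.
ccd_line() {
    printf 'ifconfig-push %s %s\n' "$1" "$POOL_MASK"
}

# in_pinned_range IP -> true if IP lies in the reserved .10-.99 range.
in_pinned_range() {
    case "$1" in
        "$POOL_NET".[1-9][0-9]) return 0 ;;
    esac
    return 1
}

# add_static_ip USER IP: (re)write CCD_DIR/USER. The file name must equal
# the client's certificate common name (or the login name when the server
# runs with username-as-common-name); otherwise OpenVPN never reads it.
add_static_ip() {
    user="$1"; ip="$2"
    case "$user" in
        ""|*/*|*..*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    in_pinned_range "$ip" || { echo "$ip is outside the pinned range" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    rm -f "$CCD_DIR/$user"          # allow changing a user's own pin
    # refuse an address that is already pinned to a different user
    if grep -qsF "ifconfig-push $ip " "$CCD_DIR"/*; then
        echo "refusing: $ip is already pinned to another user" >&2
        return 1
    fi
    ccd_line "$ip" > "$CCD_DIR/$user"
}

# lookup_ip USER -> prints the pinned IP; fails if the user has none.
lookup_ip() {
    awk '$1 == "ifconfig-push" { print $2; found = 1 } END { exit !found }' \
        "$CCD_DIR/$1" 2>/dev/null
}

# Usage: add_static_ip alice 10.242.2.10 && lookup_ip alice
```

Because the address comes from the ccd file rather than from the dynamic pool, it does not depend on the `ifconfig-pool-persist` file (`ipp.txt`) being identical on both cluster nodes; only the ccd directory itself has to be kept in sync, which is the part the commenter scripted by hand.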

      • Timm Schneider commented

        Hi,

        NAT in my eyes is deprecated, looking forward to IPv6. I don't use NAT because I have an official /24 network. I work with VoIP systems, and there NAT is not helpful. What I meant was that the DNS entries are valid, that means the A and PTR records, let's say vpn1.tms-it.net or something else. At this moment you can see who was on the website and so on; otherwise it could be anybody. I think that to get straight to all network things a fixed IP address is important.

        Bye
        Timm

      • folz Support commented

        A static IP for SSL users is a good idea, but you can use the "User network" element to create packet filters for each VPN user, no matter if it's SSL, IPsec or anything else. If you want a static IP for SSL users, you can create NAT rules that translate the respective "User network" element to a static IP. That's only a workaround, but better than nothing.

      • Elmar Haag commented

        You can already supply an SSL VPN user with a "pseudo-fixed" IP by using some SNAT and/or Full NAT rules which map the dynamic IP of the SSL VPN user to a fixed static IP. It is working fine, but of course it is a bit of administrative work if you have MANY SSL VPN users.

      • Sigurd Urdahl commented

        Giving SSL VPN users a static IP like we can with L2TP would be _really-really-really_ nice. Unfortunately, at some customers there are access restrictions based on IP on "internal equipment"; being able to separate between my VPN users is sometimes crucial and forces the use of L2TP.

      • Benjamin Schwitzer commented

        Here the problem is that the two nodes each write their own /var/sec/chroot-openvpn/var/run/ipp.txt. In a failover case the client gets a different IP address. It's a good idea to synchronize this file over the HA heartbeat (first step).
