Support Forum
networkingkool
New Contributor

Assign static, public IP to IPSec VPN with FortiClient

Hi, We are configuring IPSec VPN using FortiClient to dial up to the FortiGate unit. We use the IP of the WAN interface as the remote gateway. The IPSec VPN tunnel can establish, and everything works well. However, the IP of the WAN interface changes each time I reboot the FortiGate unit. So we purchased 6 public IPs, and we used one of them for the IPSec VPN remote gateway. The problem is that when FortiClient tries to connect to the new static IP, the VPN cannot establish. I checked the FortiClient log and see that the peer IP doesn't respond. Actually I don't know where I'm doing wrong, in the VPN configuration or in the way I assign the new IP to the WAN interface. Please advise me. This is an urgent case!
networkingkool
New Contributor

Please see the attachment for some of the configuration.
AtiT
Valued Contributor

Hi, According to your description of the problem it seems to me that the problem is with the IP addresses. First of all, your wan1 address has a mask of 255.255.255.255 (/32). It cannot be an internet point-to-point address; it has to be at least 255.255.255.252 (/30). If you have 6 IP addresses to use, probably your address range is x.x.236.16/29 (255.255.255.248), where you can use addresses from x.x.236.17 to .22. One IP from this address block will be the provider's PE (your gateway), so you have 5 public static IPs for use. Do not forget to set a default route to the gateway. There are some possible solutions according to me:

1) You leave your wan1 IP address settings as you have them (I assume that the firewall is reachable on this address) and you set the local-gw to 0.0.0.0 under the IPSec configuration. You should be able to create a tunnel pointing to the wan1 IP.

2) You leave your wan1 IP address settings as you have them and you set the local-gw to the IP address of your wan1 IP under the IPSec configuration. You should be able to create a tunnel pointing to the wan1 IP.

3) You set a secondary IP address on the wan1 interface and set this address as the local-gw under the IPSec configuration as well. You should be able to create a tunnel pointing to the wan1 secondary IP.

AtiT

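The three options AtiT lists, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: every address, interface name, tunnel name and secret is a placeholder, it assumes wan1 is statically addressed out of a /29 (the secondary-IP option depends on that, and is not offered on a PPPoE interface, as the original poster later notes), and exact option names differ between FortiOS versions.

```text
# Added example, not from the thread. Placeholder addresses from 203.0.113.0/24;
# option names are FortiOS 5.x/6.x style and may differ on your version.

# --- Interface: a real /29 mask, not /32, plus a default route to the ISP gateway
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.18 255.255.255.248
        set allowaccess ping
        # Option 3: a secondary public IP for the tunnel to listen on.
        # Only available on a static interface (not on PPPoE).
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.22 255.255.255.248
                set allowaccess ping
            next
        end
    next
end

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.17
        set device "wan1"
    next
end

# --- Dialup IPsec phase 1 for FortiClient
config vpn ipsec phase1-interface
    edit "fc-dialup"
        # dialup: the client's address is not known in advance
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-STRONG-PSK"
        # Option 1: accept IKE on whatever address wan1 currently has
        set local-gw 0.0.0.0
        # Option 2: pin phase 1 to the primary wan1 address
        # set local-gw 203.0.113.18
        # Option 3: pin phase 1 to the secondary address defined above;
        # FortiClient's Remote Gateway must then be 203.0.113.22
        # set local-gw 203.0.113.22
    next
end

# --- Checks from the FortiGate CLI when the client reports "peer does not respond"
# diagnose vpn ike gateway list
#     -> is a gateway listening on the local-gw you expect?
# diagnose debug application ike -1
# diagnose debug enable
#     -> does IKE (UDP 500/4500) from the client arrive on wan1 at all?
#        If nothing arrives, the address is not reaching the FortiGate
#        (routing/ISP side); if it arrives but is ignored, local-gw is wrong.
```

Whichever option is chosen, the address in `local-gw` (or the interface address when it is 0.0.0.0) must be the one FortiClient dials; a mismatch produces exactly the "peer does not respond" symptom described in the question.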
networkingkool

Hi AtiT, Thanks for the reply. The IP (x.x.236.18/32) on my WAN interface is assigned automatically via PPPoE. It's OK if I use such dynamic IPs for the IPsec VPN gateway, but this IP changes each time I reboot the FortiGate unit. The SP gave me a block of IPs (x.x.158.9 to x.x.158.14). I used x.x.158.9 for the mail service, and I intend to use x.x.158.14 for the VPN gateway. I like your third solution, but I think that with the PPPoE setting I cannot add a secondary IP to the WAN interface? Do you have any idea? Thanks
AtiT
Valued Contributor

I understand. Do you have your FortiGate registered? I do not know about IPSec, as we are using SSLVPN with FortiClient, but maybe you can try FortiGuard DDNS. Menu: SYSTEM -> NETWORK -> DNS, enable "Enable FortiGuard DDNS" and choose a name like ABC.fortiddns.com. Then set it in FortiClient: instead of an IP address you will have ABC.fortiddns.com. Every time your ISP changes the wan1 IP address the FortiGate will update the DNS with your new IP. Do not forget to set the local-gw to 0.0.0.0 under the IPSec config.

AtiT

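The DDNS approach from the reply above, as an added FortiOS CLI example that is not part of the thread or of Fortinet's documentation. The hostname, interface and secret are placeholders, it assumes the unit is registered with FortiGuard (DDNS registration requires it), and option names vary by FortiOS version.

```text
# Added example, not from the thread. Placeholder name and interface;
# option names are FortiOS 5.x/6.x style and may differ on your version.

# FortiGuard DDNS: the FortiGate re-registers the wan1 address whenever
# PPPoE hands out a new one, so FortiClient dials a stable name, not an IP.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "example-fgt.fortiddns.com"
        set monitor-interface "wan1"
    next
end

# Phase 1 accepts IKE on whatever address wan1 currently has (local-gw 0.0.0.0),
# so the tunnel definition survives an address change without editing.
config vpn ipsec phase1-interface
    edit "fc-dialup"
        set type dynamic
        set interface "wan1"
        set local-gw 0.0.0.0
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end

# FortiClient side: Remote Gateway = example-fgt.fortiddns.com

# Checks after a reboot or PPPoE renewal:
#   on the FortiGate:  get system interface physical
#       -> note the current wan1 address
#   from the client:   nslookup example-fgt.fortiddns.com
#       -> must return that same address; until DNS catches up (TTL),
#          the client may still dial the old one and time out.
```

The propagation delay is the one operational caveat: after the PPPoE address changes, clients keep failing until the DDNS record is refreshed and their resolver's cached answer expires, so a short outage right after a reboot is expected rather than a misconfiguration.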
networkingkool

Yes AtiT, I decided to use DDNS. It works well. I also want to try SSL VPN. Thanks for the help!
gmand1973

I have a similar problem. I have set up IPsec VPN. I do not have a static IP from the ISP, but I see its IP from the site https://whatismyipaddress.com/

With this public IP from the site, can I use it to connect from my work through FortiClient so that all the traffic passes through the FortiGate?

Thanks

Antoine
New Contributor II

gmand1973 wrote:

I have a similar problem. I have set up IPsec VPN. I do not have a static IP from the ISP, but I see its IP from the site https://whatismyipaddress.com/

With this public IP from the site, can I use it to connect from my work through FortiClient so that all the traffic passes through the FortiGate?

The answer from 2014 just above your post is still valid for your problem. If you are having problems setting up DDNS, please open a new thread.
