Assign static, public IP to IPSec VPN with FortiClient

Author
networkingkool
2014/07/25 08:13:16 (permalink)

Assign static, public IP to IPSec VPN with FortiClient

Hi,

We are configuring IPSec VPN using FortiClient to dial up to the FortiGate unit. We use the IP of the WAN interface as the remote gateway. The IPSec VPN tunnel can be established, and everything works well. However, the IP of the WAN interface changes each time I reboot the FortiGate unit. So we purchased 6 public IPs, and we used one of them for the IPSec VPN remote gateway. The problem is that when FortiClient tries to connect to the new static IP, the VPN cannot be established. I checked the FortiClient log and saw that the peer IP doesn't respond.
Actually, I don't know where I'm going wrong: in the VPN configuration or in the way I assign the new IP to the WAN interface.
Please advise me.
This is an urgent case!
#1


    networkingkool
    RE: Assign static, public IP to IPSec VPN with FortiClient 2014/07/25 17:39:41 (permalink)
    Please see the attachment for some configuration
    #2
    AtiT
    RE: Assign static, public IP to IPSec VPN with FortiClient 2014/07/25 22:22:09 (permalink)
    Hi,
    According to your description of the problem, it seems to me that the problem is with the IP addresses.
    First of all, your wan1 address has a mask 255.255.255.255 (/32). It cannot be an internet point-to-point address; it has to be at least 255.255.255.252 (/30).
    If you have 6 IP addresses to use, probably your address range is x.x.236.16/29 (255.255.255.248), where you can use addresses from x.x.236.17 to .22.
    One IP from this address block will be the provider's PE (your gateway), so you have 5 public static IPs for use.
    Do not forget to set a default route to the gateway.

    There are some possible solutions according to me:
    1) You leave your wan1 IP address settings as you have (I assume that the firewall is reachable on this address) and you set the local-gw to 0.0.0.0 under the IPSec configuration. You should be able to create a tunnel pointing to the wan1 IP.
    2) You leave your wan1 IP address settings as you have and you set the local-gw to the IP address of your wan1 IP under the IPSec configuration. You should be able to create a tunnel pointing to the wan1 IP.
    3) You set a secondary IP address on the wan1 interface and set this address as a local-gw also under the IPSec configuration. You should be able to create a tunnel pointing to the wan1 secondary IP.
    < Message edited by AtiT -- 7/25/2014 10:24:10 PM >

    AtiT
    --------------------
    NSE 8, CCNP R+S
    #3
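Option 3 from the reply above, sketched as a FortiOS CLI fragment. This is an added example, not configuration posted by anyone in the thread: 203.0.113.14 with a /29 mask stands in for the masked static address, "dialup-forticlient" is a hypothetical phase 1 name, and it assumes wan1 accepts a secondary address.

```text
# Constructed example: 203.0.113.14 is a documentation address standing in
# for the static public IP; "dialup-forticlient" is a hypothetical name.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.14 255.255.255.248
            next
        end
    next
end

# Bind the dial-up tunnel to the secondary address so IKE answers from it.
# For options 1 and 2, local-gw is 0.0.0.0 or the wan1 address instead.
config vpn ipsec phase1-interface
    edit "dialup-forticlient"
        set interface "wan1"
        set local-gw 203.0.113.14
    next
end
```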
    networkingkool
    RE: Assign static, public IP to IPSec VPN with FortiClient 2014/07/25 23:37:19 (permalink)
    Hi AtiT,

    Thanks for the reply.
    The IP (x.x.236.18/32) on my WAN interface is assigned automatically via PPPoE. It's OK if I use such dynamic IPs for the IPsec VPN gateway, but this IP changes each time I reboot the FortiGate unit.

    The SP gave me a block of IPs (x.x.158.9 to x.x.158.14). I used x.x.158.9 for the mail service, and I intend to use x.x.158.14 for the VPN gateway. I like your third solution, but I think that with the PPPoE setting, I cannot add a secondary IP to the WAN interface?
    Do you have any idea?

    Thanks
    #4
    AtiT
    RE: Assign static, public IP to IPSec VPN with FortiClient 2014/07/26 01:13:10 (permalink)
    I understand.
    Do you have your FortiGate registered? I do not know about the IPSec, we are using SSL VPN with FortiClient, but maybe you can try the FortiGuard DDNS.
    Menu: SYSTEM -> NETWORK -> DNS, enable "Enable FortiGuard DDNS" and choose a name like: ABC.fortiddns.com
    Then set it in the FortiClient: instead of an IP address you will have ABC.fortiddns.com. Every time your ISP changes the wan1 IP address, the FortiGate will update the DNS with your new IP.
    Do not forget to set the local-gw to 0.0.0.0 under IPSec config.


    AtiT
    --------------------
    NSE 8, CCNP R+S
    #5
    networkingkool
    RE: Assign static, public IP to IPSec VPN with FortiClient 2014/07/26 01:51:44 (permalink)
    Yes AtiT,

    I decided to use DDNS. It works well.
    I also want to try SSL VPN.
    Thanks for the help!
    #6
    gmand1973
    Re: RE: Assign static, public IP to IPSec VPN with FortiClient 2021/08/21 03:43:21 (permalink)
    I have a similar problem. I have set up IPsec VPN. I do not have a static IP from the ISP, but I can see the IP from the site https://whatismyipaddress.com/

    With this public IP from the site, can I use it to connect from my work through FortiClient so that all the traffic passes through the FortiGate?

    Thanks
    #7
    Antoine
    Re: RE: Assign static, public IP to IPSec VPN with FortiClient 2021/08/23 07:02:26 (permalink)
    gmand1973
    I have a similar problem. I have set up IPsec VPN. I do not have a static IP from the ISP, but I can see the IP from the site https://whatismyipaddress.com/

    With this public IP from the site, can I use it to connect from my work through FortiClient so that all the traffic passes through the FortiGate?

    The answer from 2014 just above your post is still valid for your problem.
    If you are having problems setting up DDNS, please open a new thread.
    #8