ask - IPSEC without IP Public for internet connection

Author
papapuff
Silver Member
  • Total Posts : 70
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/05/24 20:31:44
  • Status: offline
2017/11/12 17:58:00 (permalink)
0

ask - IPSEC without IP Public for internet connection

Hi there,
 
Need help please. We have 2 FG60D and 2 FG30E.
We would like to create an IPsec VPN under these conditions:
1. MainBranch, using a FG 60D, has an internet connection with a dynamic public IP.
2. The other branches use internet connections with a private IP from the internet provider.
 
Is there specific guidance to create VPN IPSEC between mainbranch and other branches?
 
thanks in advance.
#1

6 Replies

    emnoc
    Expert Member
    • Total Posts : 4404
    • Scores: 249
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: ask - IPSEC without IP Public for internet connection 2017/11/12 21:51:17 (permalink)
    0
    Yes, that's doable. You want a dynamic VPN, since the address is private.
     
    You want at the branches:
     
       peer-id (optional)
       NAT-T with keepalive for UDP/4500
       aggressive mode
     
    At the main-ofc:
       it would be a responder only.
       you can run OSPF over the interfaces in route-mode
       aggressive mode
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
    #2
    papapuff
    Silver Member
    • Total Posts : 70
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/05/24 20:31:44
    • Status: offline
    Re: ask - IPSEC without IP Public for internet connection 2017/12/06 17:05:12 (permalink)
    0
    hi Emnoc,
     
    sorry for late reply.
    trying to understand you, but seems my knowledge not deep enough.
    anyway, may you please give more guidance? perhaps step by step. from there I can more understand.
    thank you.
    #3
    Mitch_111
    New Member
    • Total Posts : 7
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/11/05 00:42:51
    • Status: offline
    Re: ask - IPSEC without IP Public for internet connection 2017/12/07 07:49:28 (permalink)
    0
    Hi,
     
    Use the DDNS feature from Fortinet in the branch.
     
     
    config system ddns
    edit 1
    set ddns-server FortiGuardDDNS
    set ddns-domain "branch1.fortiddns.com" 
    set monitor-interface "wan1"
    next
    end
     
    In the main office, use that name as the VPN endpoint and set the type to "Dynamic DNS".
     
    Cheers
     
     
    Michael
    #4
    papapuff
    Silver Member
    • Total Posts : 70
    • Scores: 0
    • Reward points: 0
    • Joined: 2012/05/24 20:31:44
    • Status: offline
    Re: ask - IPSEC without IP Public for internet connection 2017/12/08 00:30:30 (permalink)
    0
    Hi Michael,
     
    Thanks for your reply.
    As I understand from your reply, DDNS also applies to a private IP (behind NAT). Is that correct?
    Apart from the question: can commercial DDNS like DynDNS also be used with this method?
    #5
    AlexFeren
    Gold Member
    • Total Posts : 122
    • Scores: 6
    • Reward points: 0
    • Joined: 2011/10/05 17:04:08
    • Status: offline
    Re: ask - IPSEC without IP Public for internet connection 2017/12/12 00:26:40 (permalink)
    0
    papapuff wrote:
        as my understanding from your reply, so DDNS also applied to Private IP (behind NAT). is it correct?
     
    Read the "Dynamic DNS over VPN concepts" section in the FortiOS Handbook.
    #6
    ede_pfau
    Expert Member
    • Total Posts : 5271
    • Scores: 334
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: ask - IPSEC without IP Public for internet connection 2017/12/12 09:17:09 (permalink)
    0
    Before you get lost...no, dynDNS with a private IP address won't work. How do you route to a private IP address??
     
    So (as emnoc already posted) your branches have to dial in to the MainBranch (very unlucky name, better use "HQ" or so). The MainBranch/HQ with its dynamic IP address needs to subscribe to a DynDNS service; the other branches do not need any. Fortinet offers this service for free (as long as you have a valid FortiCare contract) but you could use dyndns.org as well.
    And use peer IDs on your branches so that the MainBranch/HQ can determine which one is calling in.
     
    The FortiOS Handbook, ch. "VPN", is an excellent source of information (docs.fortinet.com).

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7
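The setup emnoc and Ede describe, written out as FortiOS CLI for both ends (HQ as a responder-only dial-up gateway that admits a branch by its peer ID; the branch behind provider NAT dialing in to the HQ's DDNS name with NAT-T and aggressive mode). This is an added example, not configuration posted in the thread or supplied by Fortinet; the tunnel names, the interface "wan1", the ID "branch1", the DDNS name hq.fortiddns.com and the PSK placeholders are assumptions, and the HQ is assumed to register its dynamic IP under that name with a `config system ddns` entry like the one in Michael's post.

```fortios
# HQ side (FG60D, dynamic public IP published under the assumed DDNS name):
# responder-only dial-up phase 1; "peertype one" + "peerid" pins which
# branch identity may bring this tunnel up. All names are placeholders.
config vpn ipsec phase1-interface
    edit "branch1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "branch1"
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set dpd on-idle
        set psksecret "<long-random-psk-placeholder>"
    next
end
config vpn ipsec phase2-interface
    edit "branch1-p2"
        set phase1name "branch1"
    next
end

# Branch side (FG30E behind provider NAT, no public IP): initiator that
# resolves the HQ DDNS name and presents "branch1" as its IKE identity;
# auto-negotiate dials the tunnel up without waiting for user traffic.
config vpn ipsec phase1-interface
    edit "to-hq"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "hq.fortiddns.com"
        set mode aggressive
        set localid "branch1"
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set dpd on-idle
        set psksecret "<same-psk-placeholder>"
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set auto-negotiate enable
    next
end
```

IKEv1 aggressive mode sends the identity unencrypted and exposes a PSK-derived hash that an observer can attack offline, so the PSK must be long and random (or use certificate authentication); one phase 1 per branch with a distinct peer ID keeps a compromised branch key from impersonating the others.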