papapuff
New Contributor II

ask - IPSEC without IP Public for internet connection

Hi there,

 

need help please. We have 2 FG60D and 2 FG30E.

we like to create VPN IP Sec with these condition:

1. MainBranch, use FG 60D, have internet connection with IP Public Dynamic.

2. other branches, use internet connection with IP Private from internet provider.

 

Is there specific guidance to create VPN IPSEC between mainbranch and other branches?

 

thanks in advance.

emnoc
Esteemed Contributor III

Yes, that's doable. You want a dynamic VPN, since the address is private.

 

 

You want at the branches:

   peer-id (optional)

   NAT-T with keepalive for UDP 4500

   aggressive mode

At the main office:

   it would be a responder only

   you can run OSPF over the interfaces in route mode

   aggressive mode

 

PCNSE NSE StrongSwan
papapuff
New Contributor II

hi Emnoc,

 

Sorry for the late reply.

Trying to understand you, but it seems my knowledge is not deep enough.

Anyway, could you please give more guidance? Perhaps step by step; from there I can understand better.

thank you.

Mitch_111
New Contributor

Hi,

 

use the DDNS Feature from Fortinet in the branch.

 

 

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "branch1.fortiddns.com"
        set monitor-interface "wan1"
    next
end

 

In the Mainoffice use that Name as VPN Endpoint and set the Type to "Dynamic DNS".

 

Cheers

 

 

Michael

papapuff
New Contributor II

Hi Michael,

 

Thanks for your reply.

As I understand your reply, DDNS can also be applied to a private IP (behind NAT). Is that correct?

Side question: can commercial DDNS like DynDNS also be applied to this method?

AlexFeren
New Contributor III

papapuff wrote:

As I understand your reply, DDNS can also be applied to a private IP (behind NAT). Is that correct?

Read "Dynamic DNS over VPN concepts" section in FortiOS Handbook.

ede_pfau
Esteemed Contributor III

Before you get lost...no, dynDNS with a private IP address won't work. How do you route to a private IP address??

 

So (as emnoc already posted) your branches have to dial in to the MainBranch (very unlucky name, better use "HQ" or so). The MainBranch/HQ with its dynamic IP address needs to subscribe to a DynDNS service; the other branches do not need any. Fortinet offers this service for free (as long as you have a valid FortiCare contract) but you could use dyndns.org as well.

And use peer IDs on your branches so that the MainBranch/HQ can determine which one is calling in.

 

The FortiOS Handbook, ch. "VPN", is an excellent source of information (docs.fortinet.com).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
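The design emnoc and Ede describe above (HQ on a dynamic public IP publishing a DDNS name and acting as dial-up responder; branches behind provider NAT initiating in aggressive mode with a peer ID and NAT-T keepalives) as a worked FortiOS CLI configuration. This is an added example written for this thread, not config posted by any of the participants or by Fortinet. Assumptions: the WAN interface is "wan1" on both units, the DDNS hostname "hq.fortiddns.com" and the peer ID "branch1" are placeholders, the pre-shared key is a placeholder to be replaced, and the syntax is the IKEv1 phase1-interface/phase2-interface CLI of the FortiOS releases that run on the FG60D/FG30E.

```fortios
# ---------- HQ (FG60D, dynamic public IP, responder only) ----------

# Publish the HQ's changing public IP under a DDNS name (same feature Mitch showed,
# but it belongs on the HQ, which is the side the branches will dial into).
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "hq.fortiddns.com"     # placeholder hostname
        set monitor-interface "wan1"
    next
end

# Dial-up (type dynamic) phase 1: HQ never initiates; it only answers.
# peertype one + peerid binds this tunnel to one branch, so HQ can tell
# which branch is calling in. Repeat the block per branch with its own peerid.
config vpn ipsec phase1-interface
    edit "branch1-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive                    # required: initiator has no fixed IP
        set peertype one
        set peerid "branch1"                   # must match localid on the branch
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable                # branch sits behind provider NAT
        set keepalive 10                       # NAT-T keepalive interval (seconds)
        set psksecret "REPLACE-WITH-STRONG-PSK"   # placeholder
    next
end

config vpn ipsec phase2-interface
    edit "branch1-dialup-p2"
        set phase1name "branch1-dialup"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

# ---------- Branch (FG30E, private IP behind provider NAT, initiator) ----------

# type ddns: the remote gateway is resolved from HQ's DDNS name, so the branch
# keeps working when HQ's public IP changes. No DDNS subscription is needed here.
config vpn ipsec phase1-interface
    edit "to-hq"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "hq.fortiddns.com"   # placeholder hostname
        set ike-version 1
        set mode aggressive
        set localid "branch1"                  # presented as peer ID to HQ
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set psksecret "REPLACE-WITH-STRONG-PSK"   # placeholder, same as HQ side
    next
end

config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable              # branch brings the tunnel up and keeps it up
    next
end
```

Both sides still need firewall policies between the tunnel interface and the LAN, and routes across the tunnel (static routes pointing at the tunnel interface, or OSPF over the tunnel interfaces as emnoc suggests). With peertype one, a branch presenting an unknown or mismatched ID is refused at phase 1, which is the check that keeps one branch's PSK from binding to another branch's tunnel; the IKE log on the HQ (diagnose debug application ike) shows the offered ID when a dial-up fails to match.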