IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?)

Author
posemman
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/01/14 20:05:16
  • Status: offline
2021/02/17 17:55:36 (permalink)
0

IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?)

Hi, I am working on setting up an IPsec site-to-site VPN on each FortiGate.
My question is: do I need to use the public IP address (I use IP Chicken to see my public IP) as the remote IP?
 
Or should it be the private IP address of the FortiGate that is connected to WAN1 (192.168.254.70)?
 
Default gateway of the FortiGate is: 192.168.254.254
#1

3 Replies

    sw2090
    Expert Member
    • Total Posts : 896
    • Scores: 68
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) 2021/02/23 00:21:59 (permalink)
    0
    If you try to connect from the internet you cannot use the internal address of WAN1, as it is not available to the public and 192.168.0.0 will not be routed anyway.
    So you have to use the public IP as the remote gateway.
    Seeing your WAN1 IP I assume there is some router behind WAN1 that does the internet and the FGT is not doing PPPoE itself there. In this case you also need to port forward on the router to make IPsec connections reach the FGT.
    So you have to forward:
     
    500/udp to 192.168.254.70 (IPSec)
    4500/udp to 192.168.254.70 (NAT-T)
     
    If the opposite site has a similar constellation you have to do it the same way there.
    The S2S tunnel itself doesn't need to have an IP. It is usually just used as a transport layer and the rest is done by routing and policies (or, if needed, VXLAN).
     
    #2
    posemman
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2021/01/14 20:05:16
    • Status: offline
    Re: IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) 2021/02/24 00:35:49 (permalink)
    0
    Hi thank you for your time.
     
    I will try your suggestion and give you an update.
     
    I will set port forwarding of the IPsec and NAT-T ports using the private IP to PPPoE DSL.
    Then the question: how can I know if this IP (192.168.254.70) does port forwarding already?
     
    Another question: how can I easily know my public remote gateway IP address?
    #3
    sw2090
    Expert Member
    • Total Posts : 896
    • Scores: 68
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) 2021/02/24 00:52:11 (permalink)
    0
    You got me wrong. You need to forward in the opposite direction.
    Forward the ports from the PPPoE DSL external IP to the internal IP of your FortiGate that is connected to the router.
     
    To check you might do a port scan with e.g. nmap or any port scanner against the external IP of your router.
     
    #4
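The two points sw2090 makes above (the remote gateway must be an address the internet can route to, and the DSL router must forward UDP 500 and UDP 4500 inward to the FortiGate's WAN1 address) can be checked before touching the tunnel config. The following Python is an added example written for this thread, not code from the posters or from Fortinet: it classifies a candidate remote-gateway address and audits a constructed list of router port-forward rules against the two IPsec ports. The `ForwardRule` shape, the `FGT_WAN1_IP` constant and the rule list are assumptions made for the example; `192.168.254.70` is the WAN1 address from the original question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WAN1 address of the FortiGate from the thread; it sits behind the DSL router.
FGT_WAN1_IP = "192.168.254.70"

# Ports the router must forward inward for IPsec to reach the FortiGate
# (insertion order matters for the report below).
IPSEC_PORTS = {("udp", 500): "IKE", ("udp", 4500): "NAT-T"}


def remote_gateway_problem(ip: str) -> Optional[str]:
    """Return None if `ip` can be used as the peer's remote gateway, otherwise why not.

    is_global is used rather than is_private so that RFC 1918 space, loopback,
    link-local, documentation ranges and CGNAT shared space (100.64.0.0/10) are all
    rejected: none of them can be reached by a peer on the public internet.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return f"{ip} is a private address; the remote site cannot route to it"
    if not addr.is_global:
        return f"{ip} is not globally routable (special-purpose or CGNAT range)"
    return None


@dataclass(frozen=True)
class ForwardRule:
    """One port-forward (DNAT) entry on the DSL router. Hypothetical shape for this example."""
    proto: str
    external_port: int
    internal_ip: str
    internal_port: int


def missing_ipsec_forwards(
    rules: List[ForwardRule], fgt_ip: str = FGT_WAN1_IP
) -> List[Tuple[str, int, str]]:
    """Return (proto, port, name) for every IPsec port the router does NOT forward to the FortiGate.

    A rule only counts if it points at the FortiGate's WAN1 address and keeps the
    port unchanged; IKE peers expect UDP 500/4500 to arrive on the same ports.
    """
    present = {
        (r.proto.lower(), r.external_port)
        for r in rules
        if r.internal_ip == fgt_ip and r.internal_port == r.external_port
    }
    return [(p, port, name) for (p, port), name in IPSEC_PORTS.items() if (p, port) not in present]


def nmap_check_command(external_ip: str) -> List[str]:
    """Build the nmap UDP scan sw2090 suggests, aimed at your own router's external IP.

    Returned as an argv list rather than executed; UDP results show as open|filtered
    when nothing answers, so a clean IKE response from the FortiGate is the real proof.
    """
    return ["nmap", "-sU", "-p", "500,4500", external_ip]


if __name__ == "__main__":
    # Constructed sample: the router forwards IKE but the admin forgot NAT-T.
    sample_rules = [ForwardRule("udp", 500, FGT_WAN1_IP, 500)]
    print("private WAN1 as remote gw:", remote_gateway_problem(FGT_WAN1_IP))
    print("missing forwards:", missing_ipsec_forwards(sample_rules))
    print("check with:", " ".join(nmap_check_command("<router-external-ip>")))
```

Run as a script it reports that 192.168.254.70 cannot be the remote gateway and that the UDP 4500 forward is still missing; once both rules point at the FortiGate the list comes back empty. The rule list would normally be transcribed from the router's port-forwarding page, which also answers the question of whether the address "does port forwarding already": the router does the forwarding, the FortiGate only receives it.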