IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?)

Author Post Essentials Only Full Version
posemman New Member Total Posts : 9 Scores: 0 Reward points: 0 Joined: 2021/01/14 20:05:16 Status: offline 2021/02/17 17:55:36 (permalink) 0 IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) Hi, I am working on setting up IP sec VPN site to site on each fortigate. May question is, Do I need to use public ip address(i use ip chicken to see my public ip) as a remote IP? Or it should be private IP address of fortigate that is connected to WAN1(192.168.254.70)? Default Gateway of fortigate is: 192.168.254.254 #1 3 Replies Related Threads
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) 2021/02/23 00:21:59 (permalink) 0 If you try to connect from the internet you canot se the internal address of WAN1 as it is not available to public and 192.168.0.0 will not be routed anyways. So you have to use the public ip as remote gw. Seeing your WAN1 IP I assuem there is some router behind WAN1 that does the internet and the FGT is not doing PPPOE itself there. In this case you also need to portforward on the router to make IPSec connections reach the FGT. So you have to forward: 500/udp to 192.168.254.70 (IPSec) 4500/udp to 192.168.254.70 (NAT-T) if the opposite site has similar constellation you have to do same way there. the S2S itself doesn't need to have an IP. It is usually ust used as transport layer and the rest is done by routing and policies (or if needed vxlan). #2
posemman New Member Total Posts : 9 Scores: 0 Reward points: 0 Joined: 2021/01/14 20:05:16 Status: offline Re: IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) 2021/02/24 00:35:49 (permalink) 0 Hi thank you for your time. I will try your suggestion and gave you an update. I will set port forwarding of IPSEC and NAT-T port using private IP to PPOE DSL. Then question, how can I know if this IP(192.168.254.70) do port forwarding already? Another question, how can I easily know my public remote gateway ip address? #3
sw2090 Expert Member Total Posts : 896 Scores: 68 Reward points: 0 Joined: 2017/06/14 01:27:25 Location: Regensburg Status: offline Re: IPSec-Site-To-Site (remote ip should be Public ip add or private ip add?) 2021/02/24 00:52:11 (permalink) 0 you got me wrong. You need to forward the opposite direction. Forward the ports from PPPOE DSL external IP to internal IP of your Fortigate that is connected to the router. To check you might do a portscan with e.g. nmap or any portscanner on your external ip of your router. #4

Jump to:

© 2021 APG vNext Commercial Version 5.5