wm999
New Contributor

Please help: 1) use DHCP of ISP; 2) give public IP + hostname in DNS; 3) VPN tunnel setup

Hello all,

 

Apologies if these are dumb questions. I am reasonably computer savvy but a complete novice at networking. I am about to be overseas for an extended period, and need my U.S. home network to be accessible as a remote home office during that time.

 

My home in the U.S. is in a rural area and the ISP uses DHCP for the handoff (it's a radio tower based internet service provider, and a static IP is not normally available or will be unreasonably expensive to maintain).

 

I want to simply set up an SSL VPN tunnel to my home network using the Fortigate 30E that I just bought.

 

My understanding is that I should follow these steps:

 

1) I need to connect the Fortigate to the ISP's DHCP server (since I don't have a static IP address). But I don't know how to obtain the address of the ISP's DHCP server that needs to be entered into the Fortigate during the setup process.

 

2) I want to configure the Fortigate so that it can use Let's Encrypt as a Certificate Authority (https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support). But I don't know how to meet this condition: "The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address." (And it's not clear to me if this condition can be fulfilled when the Fortigate is set up using DHCP.)

 

3) I want to configure the Fortigate as an SSL VPN tunnel using the Let's Encrypt SSL certificate created in the previous step (https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/690301/configuring-the-ssl-vpn-tunnel). 

 

4) I want my laptop to be configured in such a way that all internet traffic (through web browser sessions and also applications) is being routed through the Fortigate's VPN tunnel (e.g. so if I am in China, and access my gmail account, I'm not blocked from being able to log in by the Great Chinese Firewall and also from Google's perspective it looks like I'm logging into my gmail account from my home office in the U.S.). I understand that I'll need to have the free VPN client running on my laptop (https://docs.fortinet.com/document/forticlient/6.2.0/new-features/673187/free-vpn-client) to maintain the VPN tunnel.

 

It seems like this VPN should be a very simple, straightforward thing to set up with the Fortigate. But since I'm a total novice, it's still hard for me to figure it out and I haven't been able to get enough clarity by digging through the Fortinet KB articles. Any help would be very much appreciated.

 

 

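The condition quoted in step 2 ("a hostname in DNS that resolves to the public IP address") is something you can test before touching the ACME settings. The script below is an added example, not code from the thread or from Fortinet: it classifies the address the ISP's DHCP handed to the WAN port (a wireless ISP may hand out CGNAT 100.64.0.0/10 or private space, in which case no dynamic DNS name can make the box reachable from outside) and then checks that the chosen hostname resolves to exactly that address. The hostnames and addresses in the docstring and tests are constructed; the resolver is injectable so the logic can be exercised offline, and the default resolver uses the system resolver.

```python
"""Pre-flight check for the FortiGate ACME precondition on a DHCP WAN address.

Added example (not from the forum thread or Fortinet). Two questions a
practitioner wants answered before enabling the ACME client:
  1. Is the DHCP-assigned WAN address actually public? CGNAT (100.64.0.0/10)
     or RFC 1918 space means nothing inbound will ever work, DDNS or not.
  2. Does the DDNS hostname resolve to that address, and only that address?
The resolver is a parameter so the check can run offline; the default uses
socket.gethostbyname_ex. Hostnames and addresses below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Return 'public', 'cgnat', 'private' or 'other' for an IP literal."""
    ip = ipaddress.ip_address(addr)
    # Check shared address space explicitly: Python reports it as neither
    # private nor global, which is easy to misread.
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def resolve_all(fqdn: str) -> List[str]:
    """Default resolver: every A record the system resolver returns."""
    _, _, addrs = socket.gethostbyname_ex(fqdn)
    return sorted(addrs)


def acme_precondition(fqdn: str, wan_addr: str,
                      resolver: Callable[[str], Iterable[str]] = resolve_all) -> Dict:
    """Check 'FQDN resolves to the FortiGate's public IP' and explain failures.

    Returns {'kind', 'resolved', 'problems', 'ok'}; 'ok' is True only when
    the WAN address is public and the name resolves to exactly that address.
    """
    problems: List[str] = []
    kind = classify_wan_address(wan_addr)
    if kind == "cgnat":
        problems.append(f"{wan_addr} is CGNAT space; ask the ISP for a routable address")
    elif kind != "public":
        problems.append(f"{wan_addr} is not a public address ({kind})")

    try:
        resolved = sorted(set(resolver(fqdn)))
    except OSError as exc:  # socket.gaierror is an OSError
        resolved = []
        problems.append(f"{fqdn} does not resolve: {exc}")

    # A stale DDNS record or a second A record both break HTTP-01 validation,
    # because Let's Encrypt may connect to the wrong address.
    if resolved and resolved != [wan_addr]:
        problems.append(f"{fqdn} resolves to {resolved}, expected only [{wan_addr!r}]")

    return {"kind": kind, "resolved": resolved, "problems": problems,
            "ok": not problems}


if __name__ == "__main__":
    # Constructed offline demo: a good lease and a CGNAT lease.
    for wan in ("93.184.216.34", "100.64.5.9"):
        result = acme_precondition("myhome.fortiddns.com", wan, lambda _f, w=wan: [w])
        print(wan, result["kind"], "OK" if result["ok"] else result["problems"])
```

On the box itself, the address to feed in is the one the WAN interface obtained from DHCP; if it comes back as "cgnat" or "private", neither the DDNS entry nor an inbound VPN will work until the ISP provides a routable address.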
4 REPLIES
andrewbailey
Contributor II

Hi wm999,

 

Welcome to the forum- and certainly they aren’t dumb questions :)

 

I don’t see too many issues with what you are trying to achieve- however others may be able to comment in more detail on the specifics.

 

A couple of comments:-

 

1). The Fortigates support dynamic DNS. The admin guide covers this here:- http://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/685361/ddns

That should allow you to always reach the DHCP assigned ISP IP address when you need to. You should be able to use that for both SSL or IP-SEC VPN terminations.

 

2) and 3). I have some bad news for you, I’m afraid...

 

The 30E isn’t the best product. It has limited memory and my understanding is that it will never support the 7.X software releases. It (and the 50E, which suffers from the same limitations) are therefore not the best products to invest in. It also means you will not be able to use the Let’s Encrypt features.

 

I would go further- if you have only just purchased the 30E return it and get the 40F- which is a far better product and is similarly priced.

 

4). That doesn’t sound like any real issue- you should be able to do it subject to configuration.

 

The fortinet documentation site (docs.fortinet.com) is very good- there is lots of information there which will help you.

 

I hope that helps you a bit.

 

Kind Regards,

 

 

Andy.

wm999

Hi Andy,

 

EDIT: I was able to order a 40F with fast shipping, I've followed your suggestion. It will be here in a couple of days and I will have a few days after that to configure it before departing the States. When the 40F has arrived, what process would I follow for Step 2?

sw2090
Honored Contributor

1) In FGT factory default the WAN ports are set to DHCP. So if there is anyone providing a DHCP server there it will obtain an IP address etc. If you need to dial in for internet with the FGT, set it to PPPoE. PPPoE by default will also obtain an IP and GW and DNS from your ISP.

 

2) Basically you could import the Let's Encrypt CA to your FGT and generate a CSR to sign it with Let's Encrypt and then import the certificate and use it anywhere. Just like any other cert.

The problem is that Let's Encrypt uses some script to automagically renew your certs regularly and you cannot run that on a FGT. So you would have to repeat the above process (except for the CA) every time your cert reaches its TTL.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

andrewbailey

Hi again wm999,

 

I think that is a wise move with the Fortigate 40F- it is a much better product.

 

In terms of the Let's Encrypt cert, the ACME client is built into the 7.0 release (as you saw from the release notes you quote). I know that perhaps contradicts what sw2090 says above but (and I stand to be corrected) I suspect he is referring to all versions prior to 7.0.

 

The Let's Encrypt setup (the "automated" option under the local certificate generation) is pretty simple in 7.0 and I have used it myself. The link you shared describes it pretty well. The process is easy and once correctly setup the certificate renews automatically as required.

 

The only issue for you is that you don't have a static IP. Let's Encrypt needs a DNS entry pointing towards the IP address for the ACME client to generate and renew the certificate.

 

The Fortigates do have dynamic DNS functionality via the FortiGuard powered service. The details are here:-

 

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/685361/ddns

 

So, the only thing I'm not sure about is if you can then use the DDNS service with the Let's Encrypt certificate.

 

I think it should work- Let's Encrypt is simply looking for DNS resolution from name to IP but I haven't personally tested it to confirm.

 

I would setup the Fortinet DDNS service first (which requires the use of the FortiGuard DNS servers) and then try creating a Let's Encrypt local certificate on the Fortigate using the DDNS domain.

 

If you don't mind, let us know how you get on- it's an interesting idea and should be a good solution for what you need.

 

Good luck and best regards,

 

 

Andy.
