Site to Site VPN with one public IP

Satyam (New Member), 2021/09/10 04:39:14

Hi Guys,
My company has three branch offices in different locations. We have a FortiGate 100F at our main office. I wanted to create a site-to-site VPN between my main branch and one other location. My main branch has a public IP but my other branch doesn't. Someone told me that we can create a site-to-site VPN tunnel with one public IP and one dynamic IP too. I am not too sure, so can anyone please confirm whether this is possible? Thank you a lot in advance.
#1
garyhope (New Member), 2021/09/14 07:42:07
Hi,

Try following the IPsec wizard on your FortiGates. On the one with the static public IP choose "remote site is behind NAT", and for the other sites "this site is behind NAT"; you will need to enter the public address of the main site to connect to.
#2
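For readers who prefer the CLI to the wizard, the following is the FortiOS configuration that the two wizard choices above produce in spirit: the main site waits for a peer whose address it does not know, the branch dials the main site's fixed address. This is an added example, not configuration posted in the thread. It assumes the main site's public address is 203.0.113.10 (a documentation address), interface wan1 on both units, LAN subnets 10.1.0.0/24 (main) and 10.2.0.0/24 (branch), IKEv2 with a pre-shared key, and that the branch presents the IKE ID "branch2" so the main site can tell several dynamic branches apart; option names follow FortiOS 6.x/7.x and should be checked against your firmware version.

```text
# ---- Main site (static public IP): "remote site is behind NAT" ----
# No remote-gw is set; the tunnel matches on the peer ID the branch presents.
# With the default add-route, the route to 10.2.0.0/24 is learned from the
# phase 2 selector when the branch connects.
config vpn ipsec phase1-interface
    edit "branch2-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "branch2"
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set nattraversal enable
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    next
end
config vpn ipsec phase2-interface
    edit "branch2-dialup-p2"
        set phase1name "branch2-dialup"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# ---- Branch (dynamic address behind the ISP router): "this site is behind NAT" ----
# The only fixed address in the design is the main site's 203.0.113.10.
# localid must match peerid on the main site; NAT-T carries IKE/ESP over UDP 4500.
config vpn ipsec phase1-interface
    edit "to-main"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set localid "branch2"
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set nattraversal enable
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    next
end
config vpn ipsec phase2-interface
    edit "to-main-p2"
        set phase1name "to-main"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
# The branch needs an explicit route to the main LAN via the tunnel interface.
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "to-main"
    next
end
```

Firewall policies between each LAN interface and the tunnel interface are still required on both units. Because only the branch can initiate (its ISP router would have to forward UDP 500/4500 for the reverse), `auto-negotiate` on the branch keeps the tunnel up without waiting for traffic; `diagnose vpn ike gateway list` on the main site shows the branch's current NAT address once it has connected.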
sw2090 (Expert Member, Regensburg), 2021/09/21 07:18:45 (marked helpful by Donaire, 2021/09/22 07:29:07)
You could use an FQDN as remote gateway, since you need some way to detect the current IP of the dynamic site; the remote gateway is the first step to find the correct IPsec on an FGT.
So you would have to use some DynDNS service on the site that doesn't have a static IP. However, DynDNS is still somehow dirty DNS hacking. It keeps causing problems here because of DNS caching and DNS overriding on our FGTs...
Alas, we just use the FortiDDNS service here. Maybe this is better with other ones...

-- 
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
#3
Donaire (New Member), 2021/09/22 07:28:38
sw2090 wrote:
You could use an FQDN as remote gateway, since you need some way to detect the current IP of the dynamic site; the remote gateway is the first step to find the correct IPsec on an FGT.
So you would have to use some DynDNS service on the site that doesn't have a static IP. However, DynDNS is still somehow dirty DNS hacking. It keeps causing problems here because of DNS caching and DNS overriding on our FGTs...
Alas, we just use the FortiDDNS service here. Maybe this is better with other ones...

Hi,
That's right sw2090, that's the best way to do it.
I have a similar question: my router is giving me a private IP address, how can I proceed?
Is there a way of me getting the public address on the LAN of the router connected to the WAN of the FortiGate?
#4
sw2090 (Expert Member, Regensburg), 2021/09/22 07:32:47
Hm, don't know.
However, if you use the built-in FortiDDNS service for DynDNS you can set it to detect the public IP on the interface it uses for DynDNS.

-- 
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
#5
Donaire (New Member), 2021/09/22 07:45:44
I will try it.
Thanks.
#6
sw2090 (Expert Member, Regensburg), 2021/09/22 08:00:14
FortiDDNS on our FGT detected the public IP fine with LANCOM routers as well as DTAG Speedboxes behind the WAN interface of the FGT.
If you use FortiDDNS, make sure you disable DNS overriding on all WAN interfaces to force the FGT to use the system DNS (which has to be set to Fortinet DNS for FortiDDNS to work). If you don't, DNS overriding can prevent your FGT from updating FortiDDNS upon public IP change. I ran into this almost twice....

-- 
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
#7
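The FortiDDNS design discussed in posts #3, #5 and #7, written out as FortiOS CLI (an added example, not configuration posted by anyone in the thread): the branch registers a FortiGuard DDNS name and updates it from the public address it detects on wan1, with DNS override disabled on that interface so the update goes through the system DNS, which is set to FortiGuard; the main site then names the branch by that FQDN instead of a fixed address. The hostname branch2.float-zone.com, interface wan1, the main site's address 203.0.113.10, the subnets and the pre-shared key are assumptions; 96.45.45.45 and 96.45.46.46 are Fortinet's published FortiGuard DNS servers. Option names follow FortiOS 6.x/7.x and should be checked against your firmware version.

```text
# ---- Branch (dynamic public IP, ISP router hands wan1 a private address) ----
# 1. System DNS must be FortiGuard DNS for FortiDDNS registration to work.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end
# 2. Stop the ISP-supplied DNS on wan1 from overriding the system DNS;
#    otherwise the DDNS update may never leave the box after an IP change.
config system interface
    edit "wan1"
        set dns-server-override disable
    next
end
# 3. Register the name and update it from the public address seen on wan1,
#    not the private address the router assigned to the interface.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "branch2.float-zone.com"
        set monitor-interface "wan1"
        set use-public-ip enable
        set update-interval 300
    next
end
# 4. The branch still dials the main site's fixed address.
config vpn ipsec phase1-interface
    edit "to-main"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set nattraversal enable
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    next
end
config vpn ipsec phase2-interface
    edit "to-main-p2"
        set phase1name "to-main"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end

# ---- Main site (static public IP): remote gateway given as a DDNS name ----
# The FGT resolves branch2.float-zone.com to the branch's current public
# address and otherwise treats the tunnel like a static one.
config vpn ipsec phase1-interface
    edit "to-branch2"
        set type ddns
        set remotegw-ddns "branch2.float-zone.com"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set nattraversal enable
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    next
end
config vpn ipsec phase2-interface
    edit "to-branch2-p2"
        set phase1name "to-branch2"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch2"
    next
end
```

Whenever the branch's public address changes there is a window in which the main site still holds the old answer for the name; `diagnose vpn ike gateway list` on the main site shows which address it currently associates with to-branch2, and `diagnose vpn tunnel list` shows whether phase 2 SAs are up. If a tunnel stays down after an IP change, compare that address with what the DDNS name resolves to before looking at anything else; as post #7 notes, a WAN interface still overriding the system DNS is the first thing to rule out on the branch.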