FortiGate – IPSec with dynamic IP

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common to have a internet connection at a branch office with a dynamic IP address. The usage of dynamic IP address is not ideal when configuring a site-to-site VPN connection, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances and the branch appliance is using a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I had to configure the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS.

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain “branche01-booches.fortiddns.com”
set monitor-interface “wan1”
next
end

This can also be done in the GUI.

FortiDDNS

The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the configuration of the peer IP address. Instead of a static IP, you configure the DDNS FQDN.

config vpn ipsec phase1-interface
edit “vpn_p1_branche01”
set type ddns
set interface “wan1”
set proposal 3des-sha1
set dhgrp 2
set remotegw-ddns “branche01-booches.fortiddns.com”
set psksecret P$k-VPN!
next
end

And as you can image, this can also be done via the GUI.

FortiDDNS IPSec - HQ

Check the status of the VPN connection via the regular methods like cli (get vpn ike gateway or get vpn ipsec tunnel name <tunnel-name>) or via the GUI.

The following two tabs change content below.

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is CCNP , Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Professional (ACCP), FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

3 thoughts on “FortiGate – IPSec with dynamic IP

  1. Have you had any experience connecting a cisco router with a dynamic ip to a Fortigate with a static ip?

  2. I am using FortiGate 60D for site-2-site VPN. Firmware version 5.4
    I tried using dynamic DNS on both end. The link status shows up, but I cannot ping the other network.
    However when I configured fixed IP at one end and dynamic DNS on the other, the ping was OK.

    Any idea if dynamic DNS on both end supposed to work? Any suggestions on how I can make it work?

  3. Hello,

    I have never tested it, but in my opinion, it should work. Dynamic DNS is only used to resolve the correct IP address of the peer firewall. All VPN traffic and connection setup is based on IP addresses and not hostname.

Leave a Reply

Your email address will not be published. Required fields are marked *