Configuration Example, Fortinet

FortiGate – IPSec with dynamic IP

René Jorissen on April 13, 2016 5 Comments • Tags: #address #ddns #dynamic #fortigate #fortinet #ip #ipsec #vpn

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common to have a internet connection at a branch office with a dynamic IP address. The usage of dynamic IP address is not ideal when configuring a site-to-site VPN connection, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances and the branch appliance is using a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I had to configure the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS.

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain “”
set monitor-interface “wan1”

This can also be done in the GUI.


The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the configuration of the peer IP address. Instead of a static IP, you configure the DDNS FQDN.

config vpn ipsec phase1-interface
edit “vpn_p1_branche01”
set type ddns
set interface “wan1”
set proposal 3des-sha1
set dhgrp 2
set remotegw-ddns “”
set psksecret P$k-VPN!

And as you can image, this can also be done via the GUI.

FortiDDNS IPSec - HQ

Check the status of the VPN connection via the regular methods like cli (get vpn ike gateway or get vpn ipsec tunnel name <tunnel-name>) or via the GUI.

The following two tabs change content below.

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

  1. R says:

    Have you had any experience connecting a cisco router with a dynamic ip to a Fortigate with a static ip?

  2. Soon Leong says:

    I am using FortiGate 60D for site-2-site VPN. Firmware version 5.4
    I tried using dynamic DNS on both end. The link status shows up, but I cannot ping the other network.
    However when I configured fixed IP at one end and dynamic DNS on the other, the ping was OK.

    Any idea if dynamic DNS on both end supposed to work? Any suggestions on how I can make it work?

  3. Rene Jorissen says:


    I have never tested it, but in my opinion, it should work. Dynamic DNS is only used to resolve the correct IP address of the peer firewall. All VPN traffic and connection setup is based on IP addresses and not hostname.

  4. Rakesh G Sharma says:

    I Have Fortigate 300E at my HQ with 2 static WAN IP and at my Branch office i have Fortigate 90D.
    AT my Branch office i wish to use USB modem for internet connection and establish an IPsec tunnel over the same.
    could you please provide with any suggestion.

  5. Carl S. says:


    I would like to propose the link exchange deal with your website, for mutual benefit in getting more traffic and improve search engine’s ranking, absolutely no money involve.

    We will link to you from our Music and Entertainment authority site –, from its homepage’s sidebar. In return you will agree to do the same to link back to one of our of our Music & Entertainment Site, from your’s homepage too (sidebar, footer, or anywhere on your homepage), with our brand name Guitar Junky.

    If you are interested, kindly reply to this email.

    Thank you,

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.