
FortiGate – IPSec with dynamic IP

René Jorissen on April 13, 2016 5 Comments • Tags: #address #ddns #dynamic #fortigate #fortinet #ip #ipsec #vpn

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common for a branch office to have an internet connection with a dynamic IP address. A dynamic IP address is not ideal when configuring a site-to-site VPN, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances where the branch appliance uses a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I had to configure the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS.

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "branche01-booches.fortiddns.com"
        set monitor-interface "wan1"
    next
end

This can also be done in the GUI.

[Screenshot: FortiDDNS configuration in the GUI]

The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the configuration of the peer IP address. Instead of a static IP, you configure the DDNS FQDN.

config vpn ipsec phase1-interface
    edit "vpn_p1_branche01"
        set type ddns
        set interface "wan1"
        set proposal 3des-sha1
        set dhgrp 2
        set remotegw-ddns "branche01-booches.fortiddns.com"
        set psksecret P$k-VPN!
    next
end

And as you can imagine, this can also be done via the GUI.

[Screenshot: FortiDDNS IPSec phase 1 configuration on the HQ FortiGate]

Check the status of the VPN connection using the usual methods: from the CLI (get vpn ike gateway, or get vpn ipsec tunnel name <tunnel-name>) or via the GUI.
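As an added example (not part of the original post and not a Fortinet tool), the following Python script parses the config/edit/set/next/end syntax shown above and reviews each phase1-interface entry: it checks that a "type ddns" entry actually carries a remotegw-ddns FQDN, and it flags the deprecated 3DES/SHA1 proposal and DH group 2 used in this example. The sample configuration is constructed from the post, with the PSK replaced by a placeholder.

```python
# Added example, not from the original post: parse the FortiGate
# config/edit/set/next/end syntax and review phase1-interface entries.
import shlex

# Constructed sample: the hub-side phase1 from the post, PSK replaced.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "vpn_p1_branche01"
        set type ddns
        set interface "wan1"
        set proposal 3des-sha1
        set dhgrp 2
        set remotegw-ddns "branche01-booches.fortiddns.com"
        set psksecret PLACEHOLDER_PSK
    next
end
"""

WEAK_ALGS = {"des", "3des", "md5", "sha1"}  # deprecated cipher/hash tokens
WEAK_DHGRPS = {"1", "2", "5"}               # Diffie-Hellman groups < 2048 bit


def parse_phase1(text):
    """Return {entry_name: {setting: [values]}} for each 'edit' block."""
    entries, current = {}, None
    for line in text.splitlines():
        parts = shlex.split(line)  # honours the "quoted" values
        if not parts:
            continue
        if parts[0] == "edit":
            current = parts[1]
            entries[current] = {}
        elif parts[0] == "set" and current is not None:
            entries[current][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            current = None
    return entries


def review_phase1(entry):
    """Return findings for one phase1 entry (empty list means no issues)."""
    findings = []
    if entry.get("type") == ["ddns"] and not entry.get("remotegw-ddns"):
        findings.append("type ddns but remotegw-ddns FQDN is missing")
    for prop in entry.get("proposal", []):
        if WEAK_ALGS & set(prop.split("-")):
            findings.append(f"deprecated proposal {prop}")
    for grp in entry.get("dhgrp", []):
        if grp in WEAK_DHGRPS:
            findings.append(f"weak DH group {grp}")
    return findings
```

Run review_phase1 over each entry returned by parse_phase1 on a pasted "show vpn ipsec phase1-interface" block; for the sample above it reports the deprecated proposal and DH group.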


René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, Fortinet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEH) certified. You can follow René on Twitter and LinkedIn.


  1. R says:

    Have you had any experience connecting a Cisco router with a dynamic IP to a FortiGate with a static IP?

  2. Soon Leong says:

    I am using a FortiGate 60D for site-to-site VPN, firmware version 5.4.
    I tried using dynamic DNS on both ends. The link status shows up, but I cannot ping the other network.
    However, when I configured a fixed IP at one end and dynamic DNS on the other, the ping was OK.

    Any idea whether dynamic DNS on both ends is supposed to work? Any suggestions on how I can make it work?

  3. Rene Jorissen says:

    Hello,

    I have never tested it, but in my opinion it should work. Dynamic DNS is only used to resolve the correct IP address of the peer firewall. All VPN traffic and connection setup is based on IP addresses, not hostnames.

  4. Rakesh G Sharma says:

    I have a FortiGate 300E at my HQ with 2 static WAN IPs, and at my branch office I have a FortiGate 90D.
    At my branch office I wish to use a USB modem for the internet connection and establish an IPsec tunnel over it.
    Could you please provide any suggestions?

