ckumar_FTNT
Staff
October 14, 2020

Technical Tip: IPsec VPN between static and dynamic IP (FQDN)


Description

This article describes how to create a site-to-site VPN between FortiGates where the remote site has a dynamic IP address and the local FortiGate has a static IP address.

 

Scope

FortiGate.

Solution


On the local FortiGate, the dynamic IP address of the remote site is used as the remote-gateway (in this case, a remote firewall FQDN address).

  
To configure the local FortiGate, refer to the CLI configuration snippets below (only the relevant parts are provided).
Note: The remote gateway can only be changed to DDNS via the CLI, and only after the IPsec Phase 1 has been created.
 
config vpn ipsec phase1-interface
    edit "frtest"
        set type ddns
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remotegw-ddns "testbran.fortiddns.com"
    next
end
 
Configuration of phase2:
 
config vpn ipsec phase2-interface
    edit "frtest"
        set phase1name "frtest"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "frtest_local"
        set dst-name "frtest_remote"
    next
end
 

Note:
The remote-end firewall has a dynamic IP address rather than a static one, so an FQDN (fully qualified domain name) is configured as the remote gateway instead of an IP address.

For the IPsec configuration on the remote FortiGate in the GUI:

Go to VPN -> IPsec Wizard.

  • Set the Name <name>
  • Select the Template type Site-to-Site
  • Set the Remote IP address <static IP address>
  • Select the local interface and subnets.

After the above setup, settings similar to those shown below are displayed (the Remote Gateway is the static IP address, 10.5.22.98 in this example).

 
 
Verification:
 
diagnose vpn ike gateway list
 
vd: root/0
name: frtest
version: 1
interface: wan1 7
addr: 10.5.22.98:4500 -> 10.5.21.219:64916 <----- Resolved FQDN IP is listed.
created: 3199s ago
nat: peer
IKE SA: created 1/2  established 1/1  time 20/20/20 ms
IPsec SA: created 1/2  established 1/1  time 20/20/20 ms
  id/spi: 23274 fdc5a41724a8e065/ed8c3e19adb75840
  direction: responder
  status: established 3194-3194s ago = 20ms
  proposal: aes128-sha256
  key: 3c359876a94b04d2-b70eade19fc29822
  lifetime/rekey: 86400/82935
  DPD sent/recv: 00000000/00000000
 
If an FQDN is not yet available but a FortiGuard license is present, one can be created for the remote FortiGate's external IP address using FortiGuard DDNS. The VPN can then be configured with the FQDN generated through FortiGuard DDNS.

 

Note:

When a FortiGate that connects to the remote gateway using DDNS loses connectivity to its DNS servers, the FQDN cannot be resolved and the VPN tunnel will fail to connect.
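As an added example (not from this article or from Fortinet's own tooling), the following Python parses the `diagnose vpn ike gateway list` output shown under Verification and checks that the peer address in use matches what the DDNS name currently resolves to, which also surfaces the DNS-loss condition described in the note above. The sample output is constructed from the article, and the resolver is passed in as a callback (e.g. `socket.gethostbyname`) so it can be run offline.

```python
import re

# Constructed sample, copied from the diagnostic output shown in this article
# (the "<----- Resolved FQDN IP" annotation is not part of real output).
SAMPLE_OUTPUT = """vd: root/0
name: frtest
version: 1
interface: wan1 7
addr: 10.5.22.98:4500 -> 10.5.21.219:64916
created: 3199s ago
nat: peer
IKE SA: created 1/2  established 1/1  time 20/20/20 ms
IPsec SA: created 1/2  established 1/1  time 20/20/20 ms
  id/spi: 23274 fdc5a41724a8e065/ed8c3e19adb75840
  direction: responder
  status: established 3194-3194s ago = 20ms
"""

ADDR_RE = re.compile(r"^addr:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")


def parse_ike_gateways(text):
    """Split 'diagnose vpn ike gateway list' output into one dict per tunnel."""
    gateways, current = [], None
    for line in text.splitlines():
        if line.startswith("vd:"):  # every tunnel record begins with a vd: line
            current = {"ike_sa_established": False}
            gateways.append(current)
        elif current is None:
            continue
        elif line.startswith("name:"):
            current["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("addr:"):
            m = ADDR_RE.match(line)
            if m:  # local_ip:port -> remote_ip:port; remote is the resolved DDNS peer
                current["local_ip"], current["remote_ip"] = m.group(1), m.group(3)
                current["remote_port"] = int(m.group(4))
        elif line.startswith("IKE SA:"):
            est = re.search(r"established\s+(\d+)/(\d+)", line)
            current["ike_sa_established"] = bool(est) and int(est.group(1)) > 0
    return gateways


def check_ddns_peer(gateway, fqdn, resolve):
    """Return a list of findings; an empty list means the tunnel peer matches DNS."""
    try:
        resolved = resolve(fqdn)  # resolve is assumed to return a single IPv4 string
    except OSError as exc:
        # Matches the note above: without DNS the DDNS-based tunnel cannot come up.
        return [f"{fqdn} did not resolve ({exc}); DDNS tunnel cannot be established"]
    findings = []
    if gateway.get("remote_ip") != resolved:
        findings.append(f"peer {gateway.get('remote_ip')} != resolved {resolved} (stale DDNS record?)")
    if not gateway["ike_sa_established"]:
        findings.append("no established IKE SA")
    return findings
```

On a live system, feed the captured CLI output to `parse_ike_gateways` and pass `socket.gethostbyname` as the resolver; a mismatch points at a stale DDNS record rather than at the IPsec configuration.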

 

Related article:

Technical Tip: How to configure Dynamic DNS FortiGate