networkingkool
New Member
July 25, 2014
Question

Assign static, public IP to IPSec VPN with FortiClient

  • July 25, 2014
  • 1 reply
  • 19655 views
Hi, We are configuring IPsec VPN using FortiClient to dial up to the FortiGate unit. We use the IP of the WAN interface as the remote gateway. The IPsec VPN tunnel can establish, and everything works well. However, the IP of the WAN interface changes each time I reboot the FortiGate unit. So we purchased 6 public IPs, and we used one of them for the IPsec VPN remote gateway. The problem is that when FortiClient tries to connect to the new static IP, the VPN cannot establish. I checked the FortiClient log and see that the peer IP doesn't respond. Actually I don't know where I'm doing wrong, in the VPN configuration or in the way I assign the new IP to the WAN interface. Please advise me. This is an urgent case!

    1 reply

    networkingkool
    New Member
    July 26, 2014
    Please see the attachment for some configuration
    AtiT
    New Member
    July 26, 2014
    Hi, According to your description of the problem it seems to me that the problem is with the IP addresses. First of all, your wan1 address has a mask 255.255.255.255 (/32). It cannot be an internet point-to-point address; it has to be at least 255.255.255.252 (/30). If you have 6 IP addresses to use, probably your address range is x.x.236.16/29 (255.255.255.248), where you can use addresses from x.x.236.17 to .22. One IP from this address block will be the provider's PE (your gateway), so you have 5 public static IPs for use. Do not forget to set a default route to the gateway. There are some possible solutions, according to me:
    1) You leave your wan1 IP address settings as you have them (I assume that the firewall is reachable on this address) and you set the local-gw to 0.0.0.0 under the IPsec configuration. You should be able to create a tunnel pointing to the wan1 IP.
    2) You leave your wan1 IP address settings as you have them and you set the local-gw to the IP address of your wan1 IP under the IPsec configuration. You should be able to create a tunnel pointing to the wan1 IP.
    3) You set a secondary IP address on the wan1 interface and set this address as the local-gw also under the IPsec configuration. You should be able to create a tunnel pointing to the wan1 secondary IP.
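
The configuration the reply describes, written out as an added FortiOS CLI example (not AtiT's or Fortinet's own config): the secondary-IP approach (option 3) together with a dial-up phase1 whose local-gw is pinned to the static address. 203.0.113.14 is a documentation-range placeholder standing in for the thread's x.x.158.14, and the interface name "wan1", the tunnel name and the IKE proposal are assumptions; it does not settle whether a secondary IP can be added to a PPPoE-assigned interface.

```fortios
# Added example, not the thread's or Fortinet's own configuration.
# 203.0.113.14 = placeholder for the x.x.158.14 address in the thread.

# Option 3: bind the static public address as a secondary IP on wan1 so the
# unit answers IKE (UDP 500/4500) on it. The mask is the /29 block AtiT
# describes; use 255.255.255.255 if the provider routes the block to your
# PPPoE address instead of delivering it on-link. ping is allowed so the
# address can be reachability-tested from outside before touching the VPN.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.14 255.255.255.248
                set allowaccess ping
            next
        end
    next
end

# Dial-up phase1 for FortiClient. local-gw pins the tunnel to the static
# address (options 2 and 3 in the reply); 0.0.0.0 instead (option 1) lets
# the unit answer on whatever address wan1 currently holds.
config vpn ipsec phase1-interface
    edit "forticlient-dialup"
        set type dynamic
        set interface "wan1"
        set local-gw 203.0.113.14
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key-placeholder>
    next
end

# Checks after committing: the routing table must carry the default route
# (AtiT's point) and the secondary network, and the IKE gateway list should
# show the dial-up tunnel listening on 203.0.113.14 once a client connects.
# get router info routing-table all
# diagnose vpn ike gateway list
```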
    networkingkool
    New Member
    July 26, 2014
    Hi AtiT, Thanks for the reply. The IP (x.x.236.18/32) in my WAN interface is assigned automatically via PPPoE. It's OK if I use such dynamic IPs for the IPsec VPN gateway, but this IP changes each time I reboot the FortiGate unit. The SP gave me a block of IPs (x.x.158.9 to x.x.158.14). I used x.x.158.9 for the mail service, and I intend to use x.x.158.14 for the VPN gateway. I like your third solution, but I think that with the PPPoE setting I cannot add a secondary IP to the WAN interface? Do you have any idea? Thanks