bhuo
New Member
May 27, 2021
Question

IPSEC tunnel with dynamic IP address without using dynamic DNS

  • May 27, 2021
  • 2 replies
  • 8149 views

Hey Guys,

Quick one: has anyone succeeded in creating an IPsec tunnel with a dynamic IP address on the remote peer?

Please note the remote peer doesn't have dynamic DNS and they are not using a FortiGate either, they are using a standard Cisco router.

Thanks,

Bill


    emnoc
    New Member
    May 27, 2021

    So the remote-peer Cisco is dynamic? Is the FortiGate's IP address static? If yes, why not have the Cisco router dial up to the FortiGate?

    Ken Felix

    bhuo (Author)
    New Member
    May 27, 2021

    Hey Ken,

    Thanks for pointing that out, I will give it a try and get back with an update.

    Bill

    sw2090
    SuperUser
    May 27, 2021

    Does not necessarily have to be dial-up. Should also work as S2S.

    Just disable p1 auto-negotiation on your FGT (can only be done on the CLI) so only the Cisco will set up the tunnel.

    Otherwise that would create "dead" SAs on the FGT when the dynamic IP changes.

    Maybe you have to limit the S2S on the FGT to only accept a specific peer ID (AFAIR only possible in IKEv1 aggressive mode - correct me if I am wrong here) or unique proposal pair(s) in p1 and p2, since on the FGT side you cannot nail it to the remote GW in this case, but you need to nail it to the right IPsec if you happen to have more than one.

    If there is only one you might skip that last step because this is unique then anyway.
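    A worked configuration for the approach discussed in the two replies above (FortiGate as static responder, Cisco as the only initiator, tunnel pinned to one peer ID), added here as an example; it is not from any of the posters and is not Fortinet's or Cisco's reference configuration. The FortiGate WAN address 203.0.113.10, the interface names "wan1" and Dialer1, the two LANs 10.1.0.0/24 and 10.2.0.0/24, the peer ID cisco-branch@example.com and the PSK placeholder are all assumptions. On the FortiGate, "set type dynamic" means there is no remote-gw, so it never initiates; "auto-negotiate" (a phase2-interface setting in FortiOS) stays disabled; and "peertype one" plus "peerid" refuses any dialup initiator that does not present the expected IKEv1 aggressive-mode identity. The Cisco side uses a crypto map with an ACL whose selectors mirror the FortiGate phase2 subnets, which is the "unique pair" mentioned in the reply.

```text
# ---- FortiGate side (static WAN IP 203.0.113.10 assumed; interface names assumed) ----
config vpn ipsec phase1-interface
    edit "cisco-dyn"
        # type dynamic: no remote-gw, so the FortiGate only answers and never initiates
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # aggressive mode lets the peer identify itself by name instead of by IP
        set mode aggressive
        # pin the tunnel to exactly one peer ID; any other dialup initiator is refused
        set peertype one
        set peerid "cisco-branch@example.com"
        set proposal aes256-sha256
        set dhgrp 14
        # DPD so the stale SA is dropped once the Cisco's address changes
        set dpd on-idle
        set psksecret <long-random-psk>
    next
end
config vpn ipsec phase2-interface
    edit "cisco-dyn-p2"
        set phase1name "cisco-dyn"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        # keep the FortiGate from trying to bring the SA up itself
        set auto-negotiate disable
        # selectors must mirror the Cisco ACL below (LANs assumed)
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

! ---- Cisco IOS side (dynamic address on Dialer1 assumed) ----
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <long-random-psk> address 203.0.113.10
crypto isakmp profile FGT
 ! send a fixed user-FQDN identity; must equal the FortiGate peerid above
 self-identity user-fqdn cisco-branch@example.com
 match identity address 203.0.113.10 255.255.255.255
 ! the Cisco is the only initiator, and it must use aggressive mode
 initiate mode aggressive
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TO-FGT
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map CM-FGT 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set pfs group14
 set isakmp-profile FGT
 match address VPN-TO-FGT
interface Dialer1
 crypto map CM-FGT
```

    Routing and policy are not shown: the FortiGate still needs a static route for 10.2.0.0/24 via the "cisco-dyn" interface and firewall policies in both directions, and the Cisco needs a route for 10.1.0.0/24 out Dialer1. Bring the tunnel up from the Cisco side by sending traffic that matches the ACL, then check it with "diagnose vpn ike gateway list" and "diagnose vpn tunnel list" on the FortiGate and "show crypto isakmp sa" / "show crypto ipsec sa" on the Cisco; after the Cisco's WAN address changes, the old gateway entry on the FortiGate should age out via DPD and a fresh one appear under the new address with the same peer ID. Treat aggressive mode as the price of a PSK with a named dynamic peer: the identity is sent in the clear and the PSK hash is exposed to offline guessing, so use a long random PSK, or move to IKEv2 with certificates if the Cisco IOS version supports it.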

    youmustbecrazy
    Visitor III
    January 31, 2023

    So, is there any update on which method you used? Please share here, mate.