Satyam
New Member
September 10, 2021
Solved

Site to Site VPN with one public IP


Hi Guys,

My company has three branch offices in different locations. We have Fortigate 100F at our main office. I wanted to create a site-to-site VPN between my main branch and one other location. My main branch has a Public IP but my other branch doesn't. Someone told me that we can create site to site VPN tunnel with one public IP and one dynamic IP too. I am not too sure, so anyone can please confirm whether this is possible? Thank you a lot in advance.



garyhope
New Member
September 14, 2021

Hi,


Try following the IPsec wizard on your FortiGates. On the one with the static public IP choose "remote site is behind NAT", and for the other sites "this site is behind NAT"; you will need to enter the public address of the main site to connect to.

sw2090
SuperUser
Best answer
September 21, 2021

You could use an FQDN as remote gateway, since you need some way to detect the current IP of the dynamic site, as the remote gateway is the first step to find the correct IPsec on a FGT.

So you would have to use some DynDNS service on the site that doesn't have a static IP. However, DynDNS is still somehow dirty DNS hacking. It keeps causing problems here because of DNS caching and DNS overriding on our FGTs here...

Alas, we just use the FortiDDNS service here. Maybe this is better with other ones...

New Member
September 22, 2021

sw2090 wrote:

You could use an FQDN as remote gateway, since you need some way to detect the current IP of the dynamic site, as the remote gateway is the first step to find the correct IPsec on a FGT.

So you would have to use some DynDNS service on the site that doesn't have a static IP. However, DynDNS is still somehow dirty DNS hacking. It keeps causing problems here because of DNS caching and DNS overriding on our FGTs here...

Alas, we just use the FortiDDNS service here. Maybe this is better with other ones...

Hi,

That's right sw2090, that's the best way to do it. I have a similar question: my router is giving me a private IP address, how can I proceed? Is there a way of me getting the public address on the LAN of the router connected to the WAN of the FortiGate?

sw2090
SuperUser
September 22, 2021

hm don't know.

However, if you use the built-in FortiDDNS service for DynDNS, you can set it to detect the public IP on the interface it uses for DynDNS.