Gurkey73
New Member
January 17, 2018
Question

SSL VPN with dynamic WAN-IP and static VIP

  • January 17, 2018
  • 2 replies
  • 16470 views

Hi there!

I'm trying to configure SSL VPN. My WAN interface is configured for DHCP (1.1.1.1) and I also got a fixed virtual IP address (2.2.2.2) from my provider. I configured SSL VPN on port 10443. DynDNS (x.fortiddns.com) works fine on the dynamically assigned address. SSL VPN works fine with x.fortiddns.com:10443.
But I want to use my fixed address (assigned to a subdomain of my web domain and with its own certificate) to reach the SSL VPN at 2.2.2.2:10443 or sub.domain.com:10443. I thought about using a VIP for my fixed address, but I can't map it to my WAN IP because of DHCP.
Does anyone have an idea?
Thanks in advance!

    rwpatterson
    New Member
    January 17, 2018

    Welcome to the forums.
    Use the wildcard IP 0.0.0.0 in the VIP definition. That will use any WAN IP address. Make sure you enable port mapping or the entire space will go to that one VIP mapping.

    Gurkey73 (Author)
    New Member
    January 18, 2018

    Thanks for your reply!
    The idea sounds good, but I can't get it working.
    I used the designated IP for "External IP" and the wildcard for "Mapped IP" and set the Port Forwarding "External" and "Map to Port" to the designated port: Error "Input value is invalid."

    Also tried the wildcard for "External IP" and for "Mapped IP", same result :(
    BTW: There are already two VIPs configured to IP addresses in the DMZ; they work pretty well.
    oheigl
    New Member
    January 23, 2018

    Wait, you used the wildcard for the mapped IP? The wildcard should be used in the external IP field, and it's just a value which translates to: "Insert my current WAN IP here."
    Can you give us an example of the VIP you are trying to configure, and the IP addresses of the internal server? (Mask the IP addresses accordingly so you don't give out sensitive information.)

    Deepakkhw
    New Member
    January 30, 2018

    Hi,

    DynDNS will help you.
    First, configure DynDNS on the FortiGate; it will update automatically when the IP changes on the ISP side.

    Second, create a subdomain on your public DNS server and give it the DynDNS name instead of an IP address.

    Third, a single certificate must contain both DNS names to verify: 1. the subdomain and 2. the DynDNS name.
    Regards,

    Deepak Kumar
    Gurkey73 (Author)
    New Member
    June 8, 2018

    Sorry for my late answer, the project was postponed by the customer.
    I want to use one of my virtual IP addresses for SSL VPN, so the VPN portal has to listen on the virtual IP address.

    So how can I configure the FG WAN interface (basically configured for DHCP) to additionally listen on a virtual IP?

    Actually my CA doesn't support two domain names for one certificate.

    rwpatterson
    New Member
    June 8, 2018

    The virtual IP address changes as you have stated. The ways to do this are:

    1) Change the outside IP address on the VIP definition each time the dynamic address changes (waste of bandwidth...), or

    2) Use the wildcard 0.0.0.0 on the outside VIP interface definition
    Also, if you are using DynDNS (or something similar), then the cert should be good because it uses a domain name and the outside IP will resolve to the name, just a single port for the SSL VPN connection.
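
The wildcard VIP rwpatterson describes, with the field placement oheigl corrects, written out as FortiOS CLI. This is an added example, not configuration from any post in the thread; the interface names "wan1" and "internal", the internal host 10.0.0.10 and the service name are assumptions, and port 10443 comes from the original question.

```fortios
# Added example, not from the thread. Assumptions: "wan1" is the DHCP WAN
# interface, "internal" is the LAN side, 10.0.0.10 is a constructed host.
config firewall vip
    edit "vip-wan-10443"
        # 0.0.0.0 in the EXTERNAL field means "whatever IP wan1 holds now",
        # so the VIP survives a DHCP lease change without being edited.
        # The wildcard belongs here, not in mappedip (that gives
        # "Input value is invalid").
        set extintf "wan1"
        set extip 0.0.0.0
        # Port forwarding limits the VIP to one port; without it every port
        # arriving on the WAN IP would be translated to the mapped host.
        set portforward enable
        set protocol tcp
        set extport 10443
        set mappedip "10.0.0.10"
        set mappedport 10443
    next
end

# Custom service for the single forwarded port (constructed name).
config firewall service custom
    edit "TCP-10443"
        set tcp-portrange 10443
    next
end

# Policy that allows traffic to the VIP; only this port reaches 10.0.0.10.
config firewall policy
    edit 0
        set name "wan-to-vip-10443"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-wan-10443"
        set action accept
        set schedule "always"
        set service "TCP-10443"
        set logtraffic all
    next
end
```

After applying, `diagnose firewall iprope list` or the policy hit counters show whether inbound connections on 10443 are matching the VIP rather than being dropped by the implicit deny.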