FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ckumar_FTNT
Staff
Staff
Article Id 191815
Description
This article describes how to create a site-to- VPN between FortiGate and a remote end-site, where the remote end-site has a dynamic IP address and on FortiGate has a static IP address.

Solution
One of the local FortiGate the dynamic IP address is used (in this case, a remote firewall FQDN address) as a remote-gateway.





To configure on Local-FGT refer the below CLI (only relevant parts provided).

Phase I and Phase II configuration.

1) Configuration of phase 1, where we are using the type as DDNS.
# config vpn ipsec phase1-interface
edit "frtest"
        set type ddns                                                           <-----
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remotegw-ddns "testbran.fortiddns.com"            >>>>FQDN address
    next
2) Configuration of phase2.
# conf vpn ipsec  phase2-interface
edit "frtest"
        set phase1name "frtest"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "frtest_local"
        set dst-name "frtest_remote"
    next
end
Note.
The remote-end firewall has a dynamic IP address instead of a static IP address, so an FQDN (fully qualified domain name) in the gateway configuration.

Below configuration on remote FortiGate in GUI.

Go to VPN -> IPsec Wizard .

- Set the Name <ere>                                  
- Select the Template type Site-to-Site
- Set the Remote IP address <static IP address>
- Select the local interface and subnets.

After the above setup, the similar as shown below is visible (the Remote Gateway is Static IP address which is 10.5.22.98 in this example).





Verification.
FGT # diagnose vpn  ike  gateway list
 
vd: root/0
name: frtest
version: 1
interface: wan1 7
addr: 10.5.22.98:4500 -> 10.5.21.219:64916                                      <----- Resolved FQDN IP is listed.
created: 3199s ago
nat: peer
IKE SA: created 1/2  established 1/1  time 20/20/20 ms
IPsec SA: created 1/2  established 1/1  time 20/20/20 ms
  id/spi: 23274 fdc5a41724a8e065/ed8c3e19adb75840
  direction: responder
  status: established 3194-3194s ago = 20ms
  proposal: aes128-sha256
  key: 3c359876a94b04d2-b70eade19fc29822
  lifetime/rekey: 86400/82935
  DPD sent/recv: 00000000/00000000

Contributors