Description
This article describes how to create a site-to- VPN between FortiGate and a remote end-site, where the remote end-site has a dynamic IP address and on FortiGate has a static IP address.
Scope
FortiGate.
Solution
One of the local FortiGate the dynamic IP address is used (in this case, a remote firewall FQDN address) as a remote-gateway.
To configure on Local-FGT refer the below CLI (only relevant parts provided).
Phase I and Phase II configuration.
Configuration of phase 1, where we are using the type as DDNS.
Phase I and Phase II configuration.
Configuration of phase 1, where we are using the type as DDNS.
config vpn ipsec phase1-interface
edit "frtest"
set type ddns <-----
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set wizard-type static-fortigate
set remotegw-ddns "testbran.fortiddns.com" >>>>FQDN address
next
edit "frtest"
set type ddns <-----
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set wizard-type static-fortigate
set remotegw-ddns "testbran.fortiddns.com" >>>>FQDN address
next
Configuration of phase2:
conf vpn ipsec phase2-interface
edit "frtest"
set phase1name "frtest"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type name
set dst-addr-type name
set src-name "frtest_local"
set dst-name "frtest_remote"
next
end
edit "frtest"
set phase1name "frtest"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-addr-type name
set dst-addr-type name
set src-name "frtest_local"
set dst-name "frtest_remote"
next
end
Note.
The remote-end firewall has a dynamic IP address instead of a static IP address, so an FQDN (fully qualified domain name) in the gateway configuration.
Below configuration on remote FortiGate in GUI.
Go to VPN -> IPsec Wizard .
- Set the Name <ere>
- Select the Template type Site-to-Site
- Set the Remote IP address <static IP address>
- Select the local interface and subnets.
After the above setup, the similar as shown below is visible (the Remote Gateway is Static IP address which is 10.5.22.98 in this example).
Verification.
FGT # diagnose vpn ike gateway list
vd: root/0
name: frtest
version: 1
interface: wan1 7
addr: 10.5.22.98:4500 -> 10.5.21.219:64916 <----- Resolved FQDN IP is listed.
created: 3199s ago
nat: peer
IKE SA: created 1/2 established 1/1 time 20/20/20 ms
IPsec SA: created 1/2 established 1/1 time 20/20/20 ms
id/spi: 23274 fdc5a41724a8e065/ed8c3e19adb75840
direction: responder
status: established 3194-3194s ago = 20ms
proposal: aes128-sha256
key: 3c359876a94b04d2-b70eade19fc29822
lifetime/rekey: 86400/82935
DPD sent/recv: 00000000/00000000
vd: root/0
name: frtest
version: 1
interface: wan1 7
addr: 10.5.22.98:4500 -> 10.5.21.219:64916 <----- Resolved FQDN IP is listed.
created: 3199s ago
nat: peer
IKE SA: created 1/2 established 1/1 time 20/20/20 ms
IPsec SA: created 1/2 established 1/1 time 20/20/20 ms
id/spi: 23274 fdc5a41724a8e065/ed8c3e19adb75840
direction: responder
status: established 3194-3194s ago = 20ms
proposal: aes128-sha256
key: 3c359876a94b04d2-b70eade19fc29822
lifetime/rekey: 86400/82935
DPD sent/recv: 00000000/00000000
If an FQDN is not yet available but a FortiGuard license is present, an FQDN can be created using the remote FortiGate's external IP address. This enables VPN configuration with the FQDN generated through FortiGuard DDNS.
Related article:
