FortiGate
montyadams
Staff
Article Id 398243
Description

This article describes the importance of using a static IP address, Fully Qualified Domain Name (FQDN), or Dynamic Domain Name System (DDNS) hostname when configuring IPsec dial-in Virtual Private Network (VPN) tunnels on FortiGate devices.

Scope

FortiGate, FortiOS v7.2.x and above.

Solution

When configuring IPsec dial-in VPN tunnels, it is critical to define a consistent and predictable remote gateway identifier to ensure reliable tunnel establishment and correct policy mapping. Using a dynamic IP address without DDNS or FQDN may result in negotiation failures, security policy mismatches, or unstable connectivity.

Key considerations:

  • Consistent Peer Matching: Ensures that Phase 1 correctly matches the intended VPN configuration, especially when multiple tunnels are defined.
  • Improved Security: Reduces the risk of accepting tunnels from unknown or unintended peers by matching peer identifiers.
  • Reliable Connectivity: Prevents tunnel outages due to IP address changes on the peer side (e.g., dynamic ISP-assigned IPs).
  • Accurate Monitoring: Enables accurate logging, monitoring, and diagnostics based on consistent endpoint identification.

Configuration Best Practices:

  • Set remote-gw to a static IP address, FQDN, or DDNS hostname.

[Image: Remote Gateway.jpg]

  • If DDNS is used, ensure DNS resolution is available and the hostname is updated in real time.
  • Use peerid to define an expected peer identifier when operating in aggressive mode. To configure peerid and localid on FortiGate, refer to this technical article: Technical-Tip-Use-of-PeerID-and-LocalID-in-IPsec-VPN

[Image: Remote Gateway2.jpg]

Example CLI Configuration:

config vpn ipsec phase1-interface
    edit "dialin-vpn"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode aggressive
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw ddns.example.com
        set peerid "branch1"
        set psksecret ENC <encrypted_pre_shared_key>
    next
end


Additional Recommendations:

  • When using DDNS, ensure the FortiGate unit is configured to resolve the hostname dynamically using set interface-select-method auto (if applicable).
  • For environments with multiple dial-in peers, define unique peerid values to prevent authentication ambiguity or configuration conflicts.


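As an added example (not Fortinet code and not part of this article), the following Python script checks phase1-interface entries against the practices listed under Configuration Best Practices and Additional Recommendations: a remote-gw that is a static IP, FQDN or DDNS hostname, a peerid whenever aggressive mode is used, peerid values that are unique across tunnels, and a hostname that actually resolves. The sample configuration and the stand-in DNS table are constructed for the example, and the parser assumes the flat config/edit/set/next/end layout of the CLI sample above (nested sub-blocks are not handled).

```python
"""Check FortiGate phase1-interface entries against the dial-in guidance above.

Added example, not a Fortinet tool. It parses the flat
config/edit/set/next/end layout used in the article's CLI sample (nested
sub-blocks are an assumption it does not handle) and reports tunnels that
have no remote gateway, use aggressive mode without a peerid, reuse a
peerid already assigned to another tunnel, or name a hostname that does
not resolve.
"""
import ipaddress
import re

# Constructed sample: one tunnel configured as recommended, one that reuses
# the same peerid, and one that omits both remote-gw and peerid.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialin-vpn"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode aggressive
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw ddns.example.com
        set peerid "branch1"
    next
    edit "dialin-vpn2"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set remote-gw 203.0.113.10
        set peerid "branch1"
    next
    edit "weak-vpn"
        set type dynamic
        set interface "wan1"
        set mode aggressive
    next
end
"""

# Constructed stand-in for DNS so the resolution check runs offline; in
# practice the resolver would wrap a real lookup such as socket.gethostbyname().
FAKE_DNS = {"ddns.example.com": "198.51.100.7"}

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for every 'edit' entry in text."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            value = parts[2].strip('"') if len(parts) > 2 else ""
            tunnels[current][parts[1]] = value
        elif line in ("next", "end"):
            current = None
    return tunnels


def is_ip(value):
    """True for a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def lint_phase1(text, resolver=FAKE_DNS):
    """Return a list of (tunnel, finding) pairs; an empty list means all checks pass."""
    findings, seen_peerids = [], {}
    for name, cfg in parse_phase1(text).items():
        gw = cfg.get("remote-gw", "")
        if not gw:
            findings.append((name, "no remote-gw: set a static IP, FQDN or DDNS hostname"))
        elif not is_ip(gw):
            if not HOSTNAME_RE.match(gw):
                findings.append((name, f"remote-gw {gw!r} is neither an IP address nor an FQDN"))
            elif gw not in resolver:
                # The article requires DNS resolution to be available for DDNS names.
                findings.append((name, f"remote-gw {gw!r} does not resolve"))
        peerid = cfg.get("peerid", "")
        if cfg.get("mode") == "aggressive" and not peerid:
            findings.append((name, "aggressive mode without peerid: any peer can match this tunnel"))
        if peerid:
            if peerid in seen_peerids:
                findings.append((name, f"peerid {peerid!r} already used by tunnel {seen_peerids[peerid]!r}"))
            else:
                seen_peerids[peerid] = name
    return findings


if __name__ == "__main__":
    for tunnel, finding in lint_phase1(SAMPLE_CONFIG):
        print(f"{tunnel}: {finding}")
```

Running the script lists one finding for the duplicate peerid on dialin-vpn2 and two for weak-vpn (no remote-gw, aggressive mode without peerid); dialin-vpn passes. Replacing FAKE_DNS with a real lookup turns the last check into a live test that the DDNS hostname still resolves.
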
Related documents:

Getting started

Technical Tip: Troubleshooting IPsec dial-up VPN connections

Comments
emmanuelgonzalez914

Nice article