Support Forum
Network_Engineer
New Contributor III

DDNS Provider changes the WAN Interface IP

DDNS Provider changes the WAN Interface IP.

This causes the VPN tunnel to go down.

 

Is there a way for the VPN tunnel ip to automatically update if the WAN interface ip changes?

Is there a way or command using GUI or CLI to force the vpn tunnel to re establish?

I don't want to wait for the update interval.

sw2090
Honored Contributor

I ran into such an issue several times. It mostly seems to hit me on tunnels that have DDNS as remote gateway and no P1 autonegotiation enabled on the same side.

 

I have clients, e.g., that are behind a router that is not reachable via WAN for reasons I cannot change. So I have to use DDNS (no static IP on those routers), and the site FGT must not do P1 autonegotiation because that would only get stuck and create "dead ends", not allowing the VPN to come up at all.

In these cases I encountered this issue: the DDNS does get updated by the router (or the FGT), and the FGT at the opposite end (using the FortiGuard DNS servers) does resolve it correctly even after the WAN IP on the other end had changed. However, the VPN services (in my case IPsec) seem not to update the DDNS remote gw FQDN if there is no P1 autonegotiation.

I consider this a bug in FortiOS and I already have a ticket on this open with TAC which we will proceed next week.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

By default P1 autonegotiation is on, so as long as the remote gw is valid on both sides (and the other parameters do fit) it will automatically come up. In my described scenario that is disabled on one side and only the remote side does autonegotiation (that is the side that doesn't have an FQDN as remote gw).

The tunnel goes down if the DDNS remote gw is resolved to the wrong IP (or not resolved at all), because the requests will come in but the answers will not reach the remote gw, which will keep resulting in a negotiation timeout.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Network_Engineer

Please update me on what the tac says.

 

Is it possible to configure fqdn on wan interface for the vpn instead of static ip?

Is there any command to force the vpn to renegotiate?

I think the Fortinet guys aren't answering.

sw2090
Honored Contributor

Well, you cannot set up an FQDN on a WAN interface.

You can set up an FQDN as remote gw for a phase 1 of a VPN. You can do that easily via the GUI (or of course on the CLI).

Usually you wouldn't need to renegotiate the VPN, because once the WAN IP on one side changes there will be no more response. This will trigger Dead Peer Detection (DPD) on the remote side, which will bring the tunnel down. Then P1 autonegotiation (on the side where it is enabled) will bring it up again automatically.

Just that stops working if one side does not update the FQDN to the correct IP any longer.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

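The phase 1 setup sw2090 describes (FQDN as remote gateway, DPD to detect the dead peer, auto-negotiate to bring the tunnel back) as an added FortiOS CLI example that is not from this thread; the tunnel name, interface, hostname and PSK are placeholders, and the diagnose command at the end is my own suggestion for a manual re-negotiation, not something the thread states.

```fortios
# Added example (not from the thread): a FortiGate phase 1 whose peer is
# reached by DDNS hostname, with DPD and auto-negotiate so the tunnel is
# torn down and re-initiated when the peer's WAN IP changes.
# "to-branch-ddns", "wan1", the hostname and the PSK are placeholders.
config vpn ipsec phase1-interface
    edit "to-branch-ddns"
        set interface "wan1"
        # Remote gateway as an FQDN instead of a fixed IP
        set type ddns
        set remotegw-ddns "branch.ddns.example.com"
        # Initiate phase 1 from this side whenever the tunnel is down.
        # (In sw2090's scenario this is disabled on the FQDN side and
        # only the peer with the static address initiates.)
        set auto-negotiate enable
        # DPD on idle: probe even without traffic, so a peer that went
        # away or changed address is declared dead after roughly
        # dpd-retrycount * dpd-retryinterval seconds (here 3 * 5 = 15 s)
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret "REPLACE-WITH-REAL-PSK"
    next
end

# To force a re-negotiation by hand instead of waiting for DPD, run from
# the CLI (not part of the config). This drops the IKE SA of this phase 1
# so it has to be established again:
# diagnose vpn ike gateway clear name to-branch-ddns
```

Check the phase 1 name and the exact diagnose syntax against your FortiOS version before relying on it.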
Network_Engineer

can you show the steps to do this?

I am using ipsec vpn from end host (not another fw) to fw.
