Fortinet Forum
Satyam
New Contributor

Site to Site VPN with one public IP

Hi Guys,

My company has three branch offices in different locations. We have a FortiGate 100F at our main office. I wanted to create a site-to-site VPN between my main branch and one other location. My main branch has a public IP but my other branch doesn't. Someone told me that we can create a site-to-site VPN tunnel with one public IP and one dynamic IP too. I am not too sure, so can anyone please confirm whether this is possible? Thank you a lot in advance.

1 Solution
sw2090
Honored Contributor

You could use an FQDN as the remote gateway, since you need some way to detect the current IP of the dynamic site; the remote gateway is the first step to find the correct IPsec tunnel on a FGT.

So you would have to use some DynDNS service on the site that doesn't have a static IP. However, DynDNS is still somehow dirty DNS hacking. It keeps causing problems here because of DNS caching and DNS overriding on our FGTs...

Alas, we just use the FortiDDNS service here. Maybe this is better with other ones...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams


6 Replies
garyhope
New Contributor

Hi,

Try following the IPsec wizard on your FortiGates. On the one with the static public IP choose 'remote site is behind NAT', and for the other sites "this site is behind NAT"; you will need to enter the public address of the main site to connect to.


Donaire
New Contributor III

sw2090 wrote:

You could use an FQDN as the remote gateway, since you need some way to detect the current IP of the dynamic site; the remote gateway is the first step to find the correct IPsec tunnel on a FGT.

So you would have to use some DynDNS service on the site that doesn't have a static IP. However, DynDNS is still somehow dirty DNS hacking. It keeps causing problems here because of DNS caching and DNS overriding on our FGTs...

Alas, we just use the FortiDDNS service here. Maybe this is better with other ones...

Hi,

That's right sw2090, that's the best way to do it. I have a similar question: my router is giving me a private IP address, how can I proceed? Is there a way of me getting the public address on the LAN of the router connected to the WAN of the FortiGate?

sw2090
Honored Contributor

Hm, don't know.

However, if you use the built-in FortiDDNS service for DynDNS you can set it to detect the public IP on the interface it uses for DynDNS.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Donaire
New Contributor III


I will try it.

Thanks.

sw2090
Honored Contributor

FortiDDNS on our FGT detected the public IP fine with LANCOM routers as well as DTAG Speedboxes behind the WAN interface of the FGT.

If you use FortiDDNS, make sure you disable DNS overriding on all WAN interfaces to force the FGT to use the system DNS (which has to be set to Fortinet DNS for FortiDDNS to work). If you don't, DNS overriding can prevent your FGT from updating FortiDDNS upon a public IP change. I ran into this almost twice....

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
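The configuration the accepted answer and the last reply describe, written out as an added FortiOS CLI example (not from the thread or from Fortinet): the spoke registers its current public address with FortiDDNS and uses the system DNS instead of the DHCP-supplied servers, the hub references the spoke by that FQDN, and the spoke points at the hub's static address. The tunnel names, the interface name `wan1`, the FQDN `branch1.fortiddns.com`, the hub address `203.0.113.10`, the subnets and `PSK_PLACEHOLDER` are all assumptions to be replaced with your own values.

```fortios
# ===== Spoke (dynamic public IP, possibly behind an ISP router) =====

# Register the current public IP under a FortiDDNS name.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "branch1.fortiddns.com"
        set monitor-interface "wan1"
        # publish the address seen from the Internet, not the private
        # address an upstream router hands to wan1 (Donaire's case)
        set use-public-ip enable
    next
end

# Stop DHCP/PPPoE-learned DNS servers on the WAN interface from
# overriding the system DNS; otherwise FortiDDNS updates can be missed.
config system interface
    edit "wan1"
        set dns-server-override disable
    next
end

# System DNS on the FortiGuard resolvers, as FortiDDNS requires.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

# Phase 1/2 towards the hub's static public address.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PSK_PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end

# ===== Hub (static public IP 203.0.113.10) =====

# The remote gateway is the spoke's DDNS name, re-resolved by the FGT.
# For the wizard's "remote site is behind NAT" dialup variant, replace
# "set type ddns" and "set remote-gw-ddns" with "set type dynamic"; the
# spoke then always initiates and no DDNS is needed.
config vpn ipsec phase1-interface
    edit "to-branch1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set remote-gw-ddns "branch1.fortiddns.com"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret PSK_PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "to-branch1-p2"
        set phase1name "to-branch1"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
```

Firewall policies and static routes over the tunnel interfaces are still needed on both sides, as with any interface-mode IPsec tunnel. With `set peertype any`, anyone holding the pre-shared key is accepted as the peer; on the hub, `set peertype one` together with `set peerid` (matching a `set localid` on the spoke) narrows the tunnel to the intended branch, which matters most on a dialup hub that will otherwise answer any initiator.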