Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IT_ZD
New Contributor II

Creat Dial-up interface on FGT (VPN-Ipsec with remote site_Dynamic_IP)

Hello,

I hope you are well,

I need your help "if possible" to configure a dial-up interface on a sub-interface in order to use it for an IPSec VPN link (First Is it possible ?)

I tried to configure it by creating a standard VPN tunnel behind a NAT, then I edited the configuration by replacing the interface (IP Static) with a dial-up interface, the problem is that I can't save it and I get an error code -9999: -9999.

Here's a capture of the error and the topology target, knowing that I'm on migration from an ASA to a Fortigate (Fresh install).vpn.JPG

Fortigate albaraka.JPG

 

ASA configuration :

asa_dialup.JPG

Regards.

11 REPLIES 11
rosatechnocrat
Contributor II

You can use an FQDN address in remote gateway. That FQDN can resolve to dynamic IP. You can use dynamic DNS service.

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
IT_ZD

Thanks for your return and information.

 

I'm going to save it as solution B because I want to respect the same configuration I have on the Old_ASA.

pminarik
Staff
Staff

> "if possible" to configure a dial-up interface on a sub-interface

 

Yes, this is possible. You can create an IPsec tunnel on top of a LAG, a VLAN, etc.

 

>  the problem is that I can't save it and I get an error code -9999: -9999.

 

If you're changing the tunnel type from static site-to-site to dynamic dialup/hub-and-spoke and are getting an error, you're most likely missing some necessary config options. I would suggest to do this via the CLI, which will hopefully give you a more meaningful error.

[ corrections always welcome ]
IT_ZD
New Contributor II

Thanks for your return and information.

In CLI, should I apply the configuration to the physical interface or the Vlan interface?

Regards.

 

 

pminarik

My understanding was that you're trying to change settings of the IPsec tunnel. If that is correct, then you should make the change in the IPsec tunnel's configuration.

[ corrections always welcome ]
IT_ZD
New Contributor II

okay so on CLI I have to edit the tunnel_VPN interface created

 

interface_VPN.JPG

pminarik

As I don't know precisely what you want to change, it is a bit hard to give good guidelines, but as I noted: If the goal is to change some settings of the VPN tunnel, then yes, edit the tunnel config.

config vpn ipsec phase1-interface

edit <tunnel name>

[apply changes desired here]

end

[ corrections always welcome ]
IT_ZD
New Contributor II

as I mentioned above in the topology I have a vpn site to site with a remote site in dynamic IP so I have to configure the primary site interface (VLAN) in dynamic behind Fortiwan(Forwarding/NAT/source ip public)

I'll try to modify it in CLI and get back to you, thanks for your help.

hbac
Staff
Staff

Hi @IT_ZD,

 

You cannot change from dialup to static IP after the creating the tunnel, please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Error-9999-when-changing-remote-gate...

 

You can create a custom tunnel without using the wizard. 

 

Regards, 

Labels
Top Kudoed Authors