IT_ZD
New Contributor III

Create Dial-up interface on FGT (VPN-Ipsec with remote site_Dynamic_IP)

Hello,

I hope you are well,

I need your help "if possible" to configure a dial-up interface on a sub-interface in order to use it for an IPSec VPN link (first, is it possible?)

I tried to configure it by creating a standard VPN tunnel behind a NAT, then I edited the configuration by replacing the interface (IP Static) with a dial-up interface, the problem is that I can't save it and I get an error code -9999: -9999.

Here's a capture of the error and the target topology, knowing that I'm migrating from an ASA to a FortiGate (fresh install).

[Image: vpn.JPG]

[Image: Fortigate albaraka.JPG]

ASA configuration:

[Image: asa_dialup.JPG]

Regards.

rosatechnocrat
Contributor II

You can use an FQDN address in remote gateway. That FQDN can resolve to dynamic IP. You can use dynamic DNS service.

Rosa Technocrat -- Also on YouTube---Please do Subscribe
IT_ZD
New Contributor III

Thanks for your return and information.

I'm going to save it as solution B because I want to respect the same configuration I have on the Old_ASA.

pminarik
Staff

> "if possible" to configure a dial-up interface on a sub-interface

Yes, this is possible. You can create an IPsec tunnel on top of a LAG, a VLAN, etc.

> the problem is that I can't save it and I get an error code -9999: -9999.

If you're changing the tunnel type from static site-to-site to dynamic dialup/hub-and-spoke and are getting an error, you're most likely missing some necessary config options. I would suggest doing this via the CLI, which will hopefully give you a more meaningful error.

[ corrections always welcome ]
IT_ZD
New Contributor III

Thanks for your return and information.

In the CLI, should I apply the configuration to the physical interface or the VLAN interface?

Regards.

pminarik

My understanding was that you're trying to change settings of the IPsec tunnel. If that is correct, then you should make the change in the IPsec tunnel's configuration.

[ corrections always welcome ]
IT_ZD
New Contributor III

Okay, so in the CLI I have to edit the tunnel_VPN interface that was created.

[Image: interface_VPN.JPG]

pminarik

As I don't know precisely what you want to change, it is a bit hard to give good guidelines, but as I noted: If the goal is to change some settings of the VPN tunnel, then yes, edit the tunnel config.

    config vpn ipsec phase1-interface
        edit <tunnel name>
            [apply changes desired here]
    end

[ corrections always welcome ]
IT_ZD
New Contributor III

As I mentioned above in the topology, I have a site-to-site VPN with a remote site on a dynamic IP, so I have to configure the primary site interface (VLAN) as dynamic behind FortiWAN (forwarding/NAT/source IP public).

I'll try to modify it in CLI and get back to you, thanks for your help.

hbac
Staff

Hi @IT_ZD,

You cannot change from dialup to static IP after creating the tunnel, please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Error-9999-when-changing-remote-gate...

You can create a custom tunnel without using the wizard.

Regards, 
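
As an added example (not part of the original thread and not any poster's configuration): a custom dial-up tunnel defined directly in the CLI and bound to a VLAN sub-interface, instead of converting an existing static tunnel. The tunnel names, the `vlan100` interface, the peer ID and the proposal choices are assumptions; the pre-shared key is a placeholder.

```fortios
# Added example. All names below are hypothetical.
config vpn ipsec phase1-interface
    edit "dialup-hq"
        # Dial-up: the remote gateway has no fixed IP, so no remote-gw is set.
        set type dynamic
        # Bind the tunnel to the VLAN sub-interface (assumed name).
        set interface "vlan100"
        set ike-version 2
        # Accept only the peer that presents this ID, rather than any peer
        # that knows the key. The remote site sets a matching localid.
        set peertype one
        set peerid "branch1"
        set proposal aes256-sha256
        set dhgrp 14
        # Placeholder: replace with a long random key.
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "dialup-hq-p2"
        set phase1name "dialup-hq"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end
```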
