lrob
New Contributor

DialupVPN with IPSEC Site-To-Site Tunnel

Hello All,

I have 2x FG100D running 5.4.3 and configured with a site-to-site IPSEC VPN tunnel via the wizard that works without issue. My problem is I also want to add DialupVPN access for remote users. I understand I need to use PEER ID and have made several attempts using the wizard and custom tunnel setups to make this work. Unfortunately I have not been successful.

If I set up a dialupVPN using the wizard I have to go to the CLI to change the Peertype and peerid, since changing the wizard-based tunnel to custom won't let me save because it is looking for an IPv6 DNS server. However, I have no issues setting the peertype to one and ID to 1001 in the CLI.

I then try to change the point-to-point tunnel via the CLI and the peertype is set to ANY - which I cannot change. So, all of my VPN client attempts fail with a mismatched preshare key (to name a few).

First question - can I even do this - have a point-to-point IPSEC full time tunnel with a handful of remote access users accessing the LAN?

If so, is there some general guidance on how to do this? I would post configs but I have deleted them each time I fail, hoping starting fresh will shed new light. However, this is not working.

Thanks in advance for any input/assistance you can offer.

Larry

Toshi_Esumi
SuperUser

Generally those are two different things and work independently if you're setting them up at a single FG. But if you're load-balancing between two 100Ds, dialup VPN would cause an issue due to randomness on the other ends when it comes in one FG and goes out another, which takes asymmetric routes. I don't know how to deal with this situation unless one of them is the primary and the other is the backup for a particular dialupVPN arrangement.    

MikePruett

Are the two Gates that are connected via IPSec using static IPs? Or is one of them configured as a dialup VPN as well?

Mike Pruett Fortinet GURU | Fortinet Training Videos
lrob

The two FG100Ds are at separate locations and have static IPs assigned.  
