Support Forum
mumer19
New Contributor

FortiClient IPSEC VPN with FQDN

Hi all, I want to implement a scenario in my office; please help me out with it.

I have an old Fortinet firewall, an FG-80C with firmware version 5.6 installed. The connectivity between the devices is as follows:

ONT -> Fortinet -> Unmanaged switch -> LAN users.

PPPoE is configured on the ONT; I am unable to access the ONT as the credentials are with the ISP.

The WAN2 interface of the FG-80C is getting the private IP 192.168.70.132/24 from the ONT via DHCP.

I have to configure the FG-80C so that employees can remotely access the file server placed inside the office via FortiClient.

I have also attached the topology that I need to implement.

 

It would be very helpful if anyone could help me making this scenario working.

 

Thanks in advance.

[Attached image: Forticlient Ipsec VPN topology]

Network Engineer
9 REPLIES
abarushka
Staff

Hello,

 

You may consider configuring SSL VPN or IPsec. Please find the details below:

 

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/559546/ssl-vpn-full-tunnel-for-remote-us...(SSL VPN)

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/460465/ipsec-vpn-with-forticlient(IPsec)

 

Port forwarding should be configured on the ONT device.

mumer19

@abarushka thanks for the reply.

As I already said, I don't have access to the ONT, and the ONT is configured in PPPoE mode. The firewall is getting a private IP, not a public IP.

The Internet connection is terminating on the ONT, not on my firewall.

Network Engineer
akristof

Hello,

Then the only option is to use DDNS. The FortiGate will update the DNS records and you will use this FQDN as the remote server in your FCT configuration. But the ONT needs to be capable of forwarding traffic from the public IP to your private IP.

Adrian
mumer19

The main issue in this scenario is that the ONT is not accessible; this is the main reason I had to put up this post, otherwise this question has already been answered by the technical guys on these forums.

 

Thank you for the reply @akristof 

Network Engineer
Debbie_FTNT

Hey mumer19,

there are two ways to go about this:

 

- somehow, your users have to be able to get through the ONT to reach the FortiGate (the ONT has to forward the traffic to the FGT on a specific port or similar)

-> DDNS would help with that if the ONT receives dynamic IPs from your ISP

-> FortiGate would be set up to receive IPSec or SSLVPN requests, and clients can connect to that and then access the fileserver through FortiGate

 

The other option requires an additional hop:

- set up another gateway under your control

- set up IPSec site-to-site from the FortiGate to the other gateway (FortiGate can initiate this, so no need for ONT to forward traffic to FortiGate explicitly)

- your users connect to the other gateway, and then access the fileserver through the site-to-site VPN and then FortiGate policies

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
mumer19

Hey Debbie.

Thank you for the reply.

The firmware of the FG-80C is 5.6, and while configuring IPsec there is no option for DDNS, so I can't connect it there; secondly, it also asks for the remote network, but there are no details of a remote site, as it is only the VPN client and not another site.

I also tested SSL VPN by giving the DDNS name, but I can't achieve the required results.

The second solution I can't implement, as I don't have a 2nd hop. Is there any link which shows how to achieve this with a 2nd hop? Please share it here.

Network Engineer
akristof

Hello,


On the FortiGate, the only thing you need to configure is DDNS, to update the DNS records correctly. Then configure your IPsec as a normal remote access VPN, for example:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/589121/ipsec-vpn-with-forticlient

 

The only difference is that on the FortiClients, instead of an IP address as the remote gateway, you will enter the FQDN that the FortiGate is updating via DDNS.

Adrian
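As an added illustration of the setup akristof describes (this is not configuration from the thread, from the linked cookbook, or from Fortinet), here is a FortiOS 5.6-style CLI configuration that ties the three pieces together: a generic DDNS update sourced from wan2, a dialup IPsec gateway for FortiClient on wan2, and a single least-privilege policy from the tunnel to the file server. The interface name wan2 and its address 192.168.70.132 come from the thread; the DDNS update server address, the domain example.ddns.net, the user name, the passwords/PSK, the tunnel name FCT-dialup, the 10.10.10.0/24 client pool, the file server address and the "internal" interface name are all assumptions for the example. Even with this in place, IKE (UDP 500) and NAT-T (UDP 4500) still have to be forwarded by the ONT to 192.168.70.132, which is the part the poster cannot control.

```fortios
# FortiClient side: Remote Gateway = example.ddns.net, Pre-shared key + user/password (XAUTH).

# --- 1. DDNS: keep example.ddns.net pointing at this site ---
# Assumption: a no-ip style "generic" DDNS provider; server IP, domain and
# credentials are placeholders, not values from the thread.
config system ddns
    edit 1
        set ddns-server genericDDNS
        set ddns-server-ip 203.0.113.10
        set ddns-domain "example.ddns.net"
        set ddns-username "ddns-account"
        set ddns-password "ddns-secret"
        set monitor-interface "wan2"
        # Assumption: 'use-public-ip' is present on newer FortiOS builds; on 5.6
        # confirm with 'set ?' inside this edit. Without it, an update sourced
        # from wan2 can publish 192.168.70.132 rather than the ONT's public
        # address, which would make the name resolve only inside the LAN.
        set use-public-ip enable
    next
end

# --- 2. Remote-access (dialup) IPsec for FortiClient, terminated on wan2 ---
config user local
    edit "alice"
        set type password
        set passwd "replace-with-a-strong-per-user-password"
    next
end
config user group
    edit "vpn-users"
        set member "alice"
    next
end
config vpn ipsec phase1-interface
    edit "FCT-dialup"
        set type dynamic            # any source address may initiate (roaming clients)
        set interface "wan2"
        set mode aggressive
        set peertype any
        set mode-cfg enable         # push a tunnel IP and the split-tunnel route
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set nattraversal enable     # needed: the FortiGate itself sits behind the ONT's NAT
        set xauthtype auto          # per-user credentials on top of the shared PSK
        set authusrgrp "vpn-users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-split-include "fileserver"   # only the file server is routed into the tunnel
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "FCT-dialup"
        set phase1name "FCT-dialup"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
    next
end

# --- 3. Objects and one policy: tunnel users reach SMB on the file server, nothing else ---
config firewall address
    edit "fileserver"
        set subnet 192.168.1.10 255.255.255.255   # assumed LAN address of the file server
    next
    edit "FCT-dialup_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
end
config firewall policy
    edit 0
        set name "forticlient-to-fileserver"
        set srcintf "FCT-dialup"
        set dstintf "internal"
        set srcaddr "FCT-dialup_range"
        set dstaddr "fileserver"
        set action accept
        set schedule "always"
        set service "SMB"
        set logtraffic all
    next
end
```

Two design points worth keeping even if the names change: the policy is scoped to the tunnel pool, the one host and the one service rather than "all", so a lost laptop with cached credentials exposes only the file share; and XAUTH user accounts mean the PSK alone is not enough to connect, so the PSK can be rotated without re-enrolling every user.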
mumer19
New Contributor

Dear Guys.

I configured the DDNS setup using a third-party DDNS service (my-noip.com). I followed the URL (https://www.51sec.org/2018/10/20/configure-fortigate-ddns-with-free-ddns-service-noip-net/) to configure the third-party DDNS. After configuring DDNS, the firewall is accessible within the local network via example.ddns.net, but unfortunately it is not accessible from outside the company network.

The configuration is as below:

 

[Attached image: DDNS Config]

 

Network Engineer
akristof

Hello,

In that case, verify with a simple packet capture whether any incoming packet is seen on wan2. If not, then possibly the ISP is not forwarding packets from the public IP to your device.

Adrian
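The capture akristof suggests, written out as an added example (not commands from the thread) with the two readings a practitioner would distinguish. The commands are standard FortiOS diagnostics; the FQDN example.ddns.net, the client address 203.0.113.5 and the sample capture lines are constructed for illustration. Because the thread shows the name working from inside the LAN but not from outside, the first check is what address the record actually holds.

```fortios
# (a) What does the DDNS name currently resolve to, as seen from the FortiGate?
#     If the answer is 192.168.70.132, the update published wan2's private
#     address; no outside client can reach that, whatever the tunnel config.
execute ping example.ddns.net

# (b) While a FortiClient outside the office is attempting to connect, watch
#     wan2 for IKE (UDP 500) and NAT-T (UDP 4500). Verbosity 4 includes the
#     interface name; 20 packets, local timestamps.
diagnose sniffer packet wan2 'udp port 500 or udp port 4500' 4 20 l
# Expected when the ONT does forward the traffic (constructed sample lines):
#   2.471233 wan2 in 203.0.113.5.500 -> 192.168.70.132.500: udp 412
#   2.471690 wan2 out 192.168.70.132.500 -> 203.0.113.5.500: udp 388
# No "wan2 in" line at all while the client keeps retrying: the packets never
#   make it past the ONT, so the problem is upstream of the FortiGate.
# "wan2 in" lines but no matching "out": the packet arrived and IKE refused it;
#   look at the negotiation in (c).

# (c) IKE negotiation detail for the failing attempt, then clean up debug state
diagnose debug application ike -1
diagnose debug enable
#   ... reproduce the connection attempt from the client ...
diagnose debug disable
diagnose debug reset

# (d) Gateways that completed phase 1 (empty here means nothing got through)
diagnose vpn ike gateway list
```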