greminn
New Contributor III

Fortigate to Fortigate VPN (Fixed IP <> DDNS) tips?

Hi There, We have a 200B at our DC running 4.3 MR3 Patch 12; this has a fixed IP address. I have our old 100A (also running 4.3 MR3 Patch 12) sorting my home fibre connection - we cannot get a fixed IP address for this, so would someone be able to give me a quick starting point and/or some tips to get a VPN configured between the two? Thanks! Simon
thors_hammer
New Contributor

Hi Simon, we have some of these connections. We are using a dialup configuration on the box that has a fixed IP and a static configuration on the box with the dynamic IP. The boxes are using certificates for authentication and only trust the opposite certificate for this connection. Regards, Thorsten

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3

emnoc
Esteemed Contributor III

The same here but with PSK. Just follow the VPN setup guide, the setup is simple for routed vpn.

PCNSE NSE StrongSwan
greminn
New Contributor III

OK - thanks for the responses on this. I have this setup and working, but have a quick question... On our DC 200B we have the following: Port16 - Internet; Port13 - LAN (Public IP Range); Switch - Management Network (10.10.10.0/24). We have several things plugged into our management network, e.g. switch management, iLo/DRAC etc. We also have a management server on the switch and this is what we use to (would you believe it) manage our network. I have set up my VPN so that the DDNS Fortigate (100A/home fibre/10.1.1.0) is VPN'd into the Switch on the 200B - this is connected and working.... I have set up the policies (up/down) and routes (send 10.10.10.0 via the VPN) and now I can access anything on the 10.10.10.0 Management Network from home - cool! What I need to be able to do is access the LAN Public IP Range (behind Port13) from home (10.1.1.0) via the VPN. I have a policy on the 200B: Switch(ALL/ANY) -> Port13(ALL/ANY). But when I set up a route on the 100A: "Public IP Range" via the VPN - the traffic goes nowhere. I'm sure it's just a simple thing I'm missing... and just wondering if anyone could suggest next steps... Thanks Simon
ede_pfau
Esteemed Contributor III

I could imagine that the public hosts don't know where to send the reply traffic other than to the internet. Check your routing.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
greminn
New Contributor III

I have a static route setup on the 200B as: Destination IP/Mask: 10.1.1.0/255.255.255.0 Device: VPNConnection Is this correct?
rwpatterson
Valued Contributor III

Have you created a policy from the TUNNEL to the Internet? Internal->Internet does nothing for your home Internet access via the tunnel.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

Yes, that's OK and needed but I meant a route on the public hosts. Imagine they receive a packet from 10.1.1.x - how would they know that the reply should NOT be sent out to the internet but back to the FGT? And besides, that policy Bob mentioned is necessary of course.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
JMGIII

Do you have a Phase II configuration for the subnet you're trying to get to as well as a route in the 100A for the destination subnet with the VPN interface as the device? The host should have a route back since that was already added for when you successfully got to the Management subnet - return traffic should hit the firewall & it knows the route.
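Pulling the thread's advice together for the fixed-IP side, here is an added FortiOS 4.3 CLI example (not Simon's actual config, nor anything from Fortinet's guide): a dialup phase1 on port16, a second phase2 selector for the public range, the return route for the home LAN over the tunnel, and the tunnel-to-Port13 policy that was missing. The tunnel name HomeVPN, the address object HomeLAN, the pre-shared key and the public range 203.0.113.0/24 are placeholders; port16, port13, 10.10.10.0/24 and 10.1.1.0/24 come from the thread.

```fortios
# ---- 200B at the DC (fixed public IP on port16) ----
config vpn ipsec phase1-interface
    edit "HomeVPN"                      # placeholder tunnel name
        set type dynamic                # dialup: accept the DDNS peer from any source IP
        set interface "port16"
        set proposal aes128-sha1
        set dhgrp 5
        set dpd enable                  # tear the SA down when the home IP changes
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "HomeVPN-mgmt"                 # selector pair 1: management network
        set phase1name "HomeVPN"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
    edit "HomeVPN-public"               # selector pair 2: the public LAN behind port13
        set phase1name "HomeVPN"        # (203.0.113.0/24 is a placeholder for that range)
        set src-subnet 203.0.113.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall address
    edit "HomeLAN"                      # placeholder object so the policy is not ALL -> ALL
        set subnet 10.1.1.0 255.255.255.0
    next
end
config router static
    edit 0                              # return route: home LAN is reached via the tunnel
        set dst 10.1.1.0 255.255.255.0
        set device "HomeVPN"
    next
end
config firewall policy
    edit 0                              # tunnel -> public LAN, the direction that was missing
        set srcintf "HomeVPN"
        set dstintf "port13"
        set srcaddr "HomeLAN"
        set dstaddr "all"               # narrow to the hosts actually needed
        set action accept
        set schedule "always"
        set service "ANY"               # narrow to the services actually needed
    next
end
# Ede's point still applies: hosts on 203.0.113.0/24 must use the 200B's port13
# address as their gateway (or carry a route for 10.1.1.0/24 to it), otherwise
# replies to 10.1.1.x leave via their own internet gateway and never reach the tunnel.
```

The 100A mirrors this with `set type static` and `set remote-gw <200B fixed IP>` in its phase1, the same two phase2 selector pairs reversed, and static routes for 10.10.10.0/24 and the public range with the tunnel as the device. For Thorsten's certificate variant, replace `psksecret` with `set authmethod signature`, `set certificate`, and `set peertype peer` / `set peer` naming the one remote certificate to trust.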