Hi.
I have several remote stations connected by IPsec VPN. I use a combination of FG 30E and 40F on those stations. There are several configs and most of them work fine.
But I run into trouble when the FG needs to traverse a router that uses port NAT or dual-carrier LTE.
Actually, port NAT was not a problem until now, when I have to place two FGs behind the same router. So both FGs use the same external IP on the internet. I have not found a way to configure this so the central FW can separate the two VPN tunnels.
When using an LTE router everything works fine until the router changes carrier, and by that changes its external IP. The tunnel falls down, and we have to wait until it changes back to the IP of the original carrier.
I have not been able to create a config that can use both IPs. Am I missing something?
Of course, all these problems would go away if I could set up the VPN tunnel using something other than an external IP that I can't control, like a serial number, internal IP, or whatever.
Are there any options I'm unaware of?
Can you use Dynamic DNS instead of the IP for the VPN configuration? Are you using a dial-up VPN from the side connected to LTE?
Created on 06-06-2024 04:31 AM Edited on 06-06-2024 04:41 AM
I need to educate myself a bit about how Dynamic DNS works to answer that. To me it seems DDNS solves the problem of the FG WAN interface getting a DHCP address, which is not the case here. The FG WAN interface has a static private IP. The problem arises when the gateway either changes the external IP which the VPN tunnel uses, or when two of my FGs go through the same port-NATing GW and end up with the same IP for two tunnels.
There is no dial-up; the connections are always up.
Yeah, sounds like you will need to engage the cellular provider to remove their CG-NAT or enable some sort of passthrough/DMZ on their modem. Not sure where you are located, but in the US there are many providers who will provide a public IP directly.
Hi,
Have you enabled IPsec VPN passthrough on the modem? Additionally, is NAT-T enabled in the IPsec tunnel?
Additionally, you mentioned that both firewalls use the same external IP address on the internet. In this case, the Head Office firewall will receive two IPsec requests from the branch location with the same source port, which can cause duplicate requests.
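Putting the two suggestions from the replies (a dial-up phase1 at the head office, NAT-T on both ends) into FortiOS CLI, as an added example that is not from this thread: the hub accepts IKE from any source address and matches each spoke on its IKE peer ID rather than on its public IP, so two spokes behind one NAT address, or a spoke whose LTE carrier changes its address, are still told apart; when the address changes, DPD on the spoke detects the dead SA and it re-initiates from the new address. Interface names, the IDs "branch-a", the hub address 203.0.113.1 and the PSK strings are assumed placeholders.

```fortios
# Head office (hub): dial-up phase1, spoke selected by IKE ID, not by source address.
# Add one such entry per spoke (e.g. "hub-dialup-b" with peerid "branch-b").
config vpn ipsec phase1-interface
    edit "hub-dialup-a"
        set type dynamic            # accept IKE from any remote address
        set interface "wan1"
        set ike-version 2
        set peertype one            # only accept the listed peer ID on this entry
        set peerid "branch-a"
        set net-device enable       # one dynamic tunnel interface per spoke
        set nattraversal enable     # ESP in UDP/4500 through the NAT router
        set dpd on-idle
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-BRANCH-A-PSK"
    next
end

# Branch (spoke): nothing here depends on the spoke's own public address,
# which the NAT router or the LTE carrier may change.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1   # hub's fixed public address (placeholder)
        set localid "branch-a"      # the ID the hub matches on
        set nattraversal enable
        set keepalive 10            # NAT keepalive so the router keeps its mapping
        set dpd on-idle
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-BRANCH-A-PSK"
    next
end

# phase2-interface entries, static routes and firewall policies are the same as
# for a normal site-to-site tunnel and are omitted here.
```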