MarcP1
New Contributor II

IPSec Tunnel with dyndns not working after public IP renewal

Hi all,

In a handful of sites we have problems with our dyndns-connected IPsec sites.

These tunnels have to be manually reset from time to time.

Within the logs I can see the tunnel going down and our HQ FortiGate trying to connect to the old public IP address.

Also shown in the log, the new public IP is trying to initiate a connection to the HQ FG.

Seems like the FG is not updating its DNS entry for this site.

After disabling/enabling the tunnel the site is up immediately.

Anyone got an idea on this? It can't be the solution to restart a tunnel from time to time.

Regards

Marc

AEK
SuperUser

AEK
MarcP1
New Contributor II

Thanks for this, but I don't find a solution in it. Just the same problem.

Sheikh
Staff

Hello @MarcP1

Have you checked this DDNS IPsec tunnel issue?

Regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
MarcP1
New Contributor II

I have already had these settings activated since the tunnel was set up.

Christian_89
Contributor III

This issue happens because the FortiGate at headquarters is storing the old public IP address of the remote site instead of updating it when the remote site receives a new public IP. This causes the IPsec tunnel to fail until it is restarted manually.

Step 1: Reduce the DNS cache expiry time on the FortiGate
The FortiGate caches DNS lookups, which means it does not update immediately when a remote site's IP address changes.

Log in to the FortiGate CLI at headquarters.
Run the following command to disable DNS caching:
    config system dns
        set dns-cache-limit 0
    end

If caching should be kept but refreshed more frequently, run the following command to set the cache expiry to sixty seconds:
    config system dns
        set dns-cache-ttl 60
    end

Step 2: Enable auto-update for the remote gateway
Since the remote site updates its public IP dynamically, the FortiGate should automatically re-resolve the hostname.

Log in to the FortiGate at headquarters.
Go to VPN > IPsec Tunnels.
Edit the IPsec tunnel configuration.
Set Remote Gateway to the DDNS hostname instead of the IP.
Enable Dynamic DNS.
Under Advanced Settings, ensure there is an option to automatically update the gateway when the IP changes.
Save the configuration.

Step 3: Configure Dead Peer Detection
If the FortiGate does not detect the IP change fast enough, Dead Peer Detection can help by automatically resetting the tunnel.

Log in to the FortiGate GUI.
Go to VPN > IPsec Tunnels.
Edit the IPsec tunnel configuration.
Under the Phase 1 advanced options, enable Dead Peer Detection.
Set the mode to "on demand" or "enabled".
Set the interval to ten to thirty seconds.
Save the configuration.

Step 4: Automate the tunnel restart with a script
If the problem persists, a scheduled script can restart the tunnel automatically when the public IP changes.

Go to the CLI.
Create a script to restart the VPN every five minutes if needed:
    config system auto-script
        edit "restart-vpn"
            set interval 300
            set repeat 3
            set script "diagnose vpn tunnel flush name <tunnel-name>"
        next
    end

Replace <tunnel-name> with the actual tunnel name.

Enable the script with the following commands:
    diagnose debug console timestamp enable
    diagnose debug application ike -1

Step 5: Check remote site DDNS updates
Ensure the remote site correctly updates its DDNS IP address and that the FortiGate at headquarters can resolve it.

Check the current IP resolution:
    execute ping <dyndns-hostname>
If it resolves to the old IP address, DNS is not updating.

Clear the DNS cache manually if needed:
    execute clear system dns cache

Expected result:
The FortiGate re-resolves the remote site's new IP address dynamically.
The IPsec tunnel automatically reconnects after an IP change.
No manual restart is needed after public IP renewals.

Try these solutions and let me know if you need further adjustments.

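As an added example for this thread (not part of Christian's reply and not taken from Fortinet documentation), this is how the HQ-side settings from Steps 1 to 3 look when entered together in the FortiOS CLI instead of the GUI. The tunnel name `to-branch1`, the WAN interface `wan1`, the DDNS hostname `branch1.example.dyndns.org` and the PSK are placeholders to replace; the `#` lines are annotations for the reader, not FortiOS syntax, so drop them before pasting.

```fortios
# Step 1: keep the DNS cache, but let a stale answer for the DDNS name
# expire after 60 seconds instead of the default lifetime.
config system dns
    set dns-cache-ttl 60
end

# Steps 2 and 3: the remote gateway is a DDNS hostname, not a fixed IP,
# so the FortiGate has to resolve it rather than reuse a stored address.
# DPD stays on-demand with a 20 second retry, as already in use in this thread.
config vpn ipsec phase1-interface
    edit "to-branch1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set remotegw-ddns "branch1.example.dyndns.org"
        set dpd on-demand
        set dpd-retrycount 3
        set dpd-retryinterval 20
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end
```

`set type ddns` together with `remotegw-ddns` is the piece Step 2 describes in GUI terms: with `set type static` and `set remote-gw <ip>` the peer address never changes no matter how often the DDNS record is updated. `dpd on-demand` only probes the peer when outbound traffic goes unanswered; `dpd on-idle` probes whenever the tunnel is idle, so a peer that has moved is noticed even without user traffic, at the cost of a little constant IKE traffic. After the next IP renewal, `diagnose debug application ike -1` on the HQ unit shows which address the IKE negotiation is actually sent to, which is the quickest way to confirm whether the new hostname lookup took effect.
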
MarcP1
New Contributor II

Hi Christian,

Set the DNS cache TTL to 60.

The VPN setting was on the DDNS hostname since setup. No need for this.
"Under Advanced Settings, ensure there is an option to automatically update the gateway when the IP changes" <-- did not find this.
DPD was already "on demand", retry interval set to 20 seconds.

So, the only thing I did right now was change the cache TTL to 60. Maybe this will help already.

Now I need to wait days or weeks until the IP changes again.

Thanks for your help.

Regards
Marc

folelbo2
New Contributor

I don't think that's possible. I have a similar case with AWS and their IPsec tunnel I use at home on my cable ISP. I had to change the peer IP. It was not a big deal, but a pain in the butt. I changed to an FTTH provider, who also uses DHCP, but got a static allocation so my IP has not changed.

MarcP1
New Contributor II

Wondering if this may be the solution?

Got this hint from the support team:

Refresh DDNS IP addresses

When using a public IP that is not assigned to the FortiGate, the FortiGate cannot trigger an update when the IP address changes. The FortiGate can be configured to refresh DDNS IP addresses by periodically checking the DDNS server at an update interval.

To configure FortiGate to refresh DDNS IP addresses in the CLI:
config system ddns
    edit 1
        set use-public-ip enable
        set update-interval <seconds>
    next
end

When update-interval is set to 0:

  • For FortiGuard DDNS, the interval is 300 seconds.

  • For third-party DDNS servers, the interval is assigned by the DDNS server.

https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/685361

AEK

Thanks for sharing.

Let us know if it works.

AEK