gatorHeel
New Contributor

IPsec VPN (DynDNS to Static) + Dialup

We seem to have an issue when a point-2-point VPN is used in conjunction with a dial-up VPN (on the same IP). Only seems to happen when remote end has DynDNS. We get a pre-shared key mismatch error on the VPN dial interface, even though the request is actually coming from the DynDNS VPN interface.

We have a FGT-60C (#1) with fixed public IP XXX.XXX.XXX.XXX. We have another FGT-60C (#2) with a dynamic IP and DynDNS hostname dyn.domain.com. These two devices have IPSec VPN configured, and the #1 unit also has a dial-up configuration enabled.

Everything has worked fine in the past; however, this seems to be triggered when a new IPsec tunnel is added or there is some type of configuration change. Currently, when we have appropriate policies in place for the VPN-dial interface, the DynDNS VPNs do not work. Take out the policies and now all of the DynDNS policies are functional.

In our dialup configuration, we have peer options set to: Accept peer ID in dialup group (group name).

FortiOS v4.0 MR2 P14

Any ideas?
rwpatterson
Valued Contributor III

I have a couple of remote sites using dyndns addresses as well. Works all day long. I do not have any dialup policies though. What's the order of the policies? Are the destinations 'any' (sloppy), or just the devices the sources need to see (neat)?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

gatorHeel
New Contributor

Had not thought to check the order of policies; one of the dial-up policies was not last, which I have changed so that it is. Also, I was using "any" as destination, not initially but I think in the process of troubleshooting and removing/recreating the configuration. Now using the subnet of the IPSec DHCP scope for the dial-up interface. Between the two, hopefully this will take care of it once and for all. Currently, the dial-up tunnel is functional and the DynDNS tunnels are up as well. Thank you for your help Bob!
rwpatterson
Valued Contributor III

The old adage of not seeing the forest for the trees is coming to mind. I think we've all been there. Glad you're functional once again.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
