Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tweesiee
New Contributor III

Issue with IPSec VPN

Hi. 

I have a question regarding IPSec VPN.

We have a customer that is currently in the process of switching from an ASA 5505 to a FG-40F-3G4G, both physical on-prem.
They have an IPSec VPN as of right now, which we use to access thier enviroment to make regular maintenance. 
With this, they will also replace their physical server which they host two VM's on (App and DB) with two VM's hosted in our cloud service along with another virtual firewall (PfSense) hosted in the same cloud. 

My question is, they have a public ISP with a dynamic public IP address and this in turns makes it hard for us to setup IPSec VPN on the FortiGate. 
Is it best to make the PfSense an OpenVPN client and make a OpenVPN connection to the FortiGate, or is there a better way to do this?

If more information is needed, feel free to ask and thank you for all the answers. 

Kind regards

1 Solution
gfleming
Staff
Staff

How did it work on the ASA before?

 

The other commenter has given good info too, just set up FortiDDNS so that you can connect to the IPSec using DNS. It works fine on 7.2.4.

Cheers,
Graham

View solution in original post

9 REPLIES 9
sw2090
SuperUser
SuperUser

hmm basically it is possible to use a ddns as remote gw in an ipsec on a Fortigate. DDns can be done on the FGT using the fortinet ddns service or several others (however others than fortiddns can only be set up on cli).

Beware that there is a bug in FortiOS IPSec Stack (which TAC acknowledged in a ticket to me): if you use ddns as remote gw and you disable p1 autonegotiation (because this would create dead ends) the ddns inside the ipsec will not be refreshed and vpn will cease to function once the ip changes the first time after setup.

 

What does work fine here instead is not to set it up as site2site tunnel but as dialup ipsec and have the remote site (that doesn't have a static ip) dial in automatically (P2 autonegotiation has to be enabled there). The dialup ipsec does not have to have a remote gw on this side. It just needs to have a remote gw on the side that does dial in.

I use that on the FGT that go to fairs (where mostly there is no static ip) and then do a redundant dial in to shop site. WOrks fine even using sdwan vpn.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
gfleming
Staff
Staff

How did it work on the ASA before?

 

The other commenter has given good info too, just set up FortiDDNS so that you can connect to the IPSec using DNS. It works fine on 7.2.4.

Cheers,
Graham
Tweesiee
New Contributor III

I did not think DDNS was possible in this scenario but it seems to be the way to do this.

Thank you!

Tweesiee
New Contributor III

We used DDNS on the ASA. But as of now everything is hosted on-prem with a single firewall. 
The new setup will contain two Firewalls, one in the cloud and one on-prem. Thats why I did not think DDNS would work here.

huantc
New Contributor II

hi, someone help me.
I am facing a problem, I have already configured ipsec vpn. I am from the admin user side using vpnclient and have vpn to the server successfully. The problem here is that when I stand from the client tracert -d google.com, I don't see going through the gateway or router from the client side, but showing traffic running the gateway and router on the server side. I am in need of a vpn and still use the client side internet connection to access the internet. I want to reduce the bandwidth load for the internet side vpn server

information technology
information technology
gfleming

Split tunneling is what you want.

Cheers,
Graham
sw2090
SuperUser
SuperUser

yeah that's the default behaviour of a vpn without split tunneling. That will change your default route to have all traffic hit the Fortigate to make sure everything is reachable.

If you do not want that you have to enable split tunneling or use seperate p2 selectors. 

Split tunneling might be easier because you just enable it and add ana ddressgroup containing all subnet(s) you want to be able to reach over the vpn and it will push a route to each one to the client instead of changing the default route.

Of course you still will need policies to allow the traffic :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
huantc
New Contributor II

yes, split tunnel to be exact, I don't seem to understand split tunnel very well. do i have to create additional Address subnet classes from client with subnet type? Thank you so much for taking the time to advise me.

information technology
information technology
sw2090
SuperUser
SuperUser

yo only need to create them if they don't already exist. If you allready have them because you need them in policies you can re-use those. Just create an address group and add them in there because you can only have one address object in the split tunneling settings.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors