Greetings
I am new to Fortigate and have a lab to connect two sites using IPsec VPN. I have used Sonicwall before and am trying to learn what this type of setup would look like in Fortigate.
So far, I have been able to configure it using the guides and the cookbook with no problems. But with Sonicwall, I could do the VPN tunnel using the Firewall identifier (user-defined name) instead of the wan IP. I saw that FortiGate uses the peer id, but I have to specify the remote wan IP.
This feature in Sonicwall solved the problem of knowing the IP of the remote site since I transported my clients from their remote site to their main site. Still, the internet service belongs to the client, and I often do not have access to know their wan IP to be able to establish the VPN tunnel.
And I'd like to see if there is something similar in Fortigate to perform that type of configuration.
Peer ID is useful in situations where you have multiple VPN tunnels coming from the same source IP and you want to differentiate them.
In your situation—if I understand you correctly—you probably just need to enable dynamic peering on the hub/central Fortigate. And now the remote firewalls can have dynamic/changing IP addresses and will still connect.
Thanks
This seems like a very close approach to what we have now. I'm going to test this.
Another question: how many VPN connections of this type of configuration will a Fortigate 601E support? The spec sheet says 2000 gateway to gateway. Is that correct?
That would be correct. Note this is a maximum value. If you are running other services on the FortiGate you'll have to assume this value is much lower.
@gfleming Thank you very much for this information. I was able to get a tunnel between the main site and 1 remote site using this configuration. Now I will start to add other remote sites to see if this is a solution for us.
Also, can I use OSPF on this type of configuration? I have another lab where I do OSPF over an IPsec tunnel, but since this is a hub/spoke scenario I was wondering if I can do OSPF now. I assume it will be like an OSPF broadcast?
Yes absolutely possible. You will need to assign an IP address on the tunnel interfaces so they can communicate with each other. And it'll be a point-to-point network, no broadcast.
Hi, I don't know if you remember this case we talked about a while ago. I'm having trouble establishing OSPF over the VPN tunnel interface, using the IPsec dialup guide and the OSPF over IPsec guide that you provided me.
The VPN is up and I can ping between the tunnel interfaces, but OSPF doesn't come up. Timers and area are the same.
I would appreciate any help you can provide.
Thanks
Could be a number of things. Did you configure it exactly like the guide?
What are your Phase2 selectors? Are you using auto-negotiate?
Can you show output of "show router ospf" and "show vpn ipsec phase2-interface"?