Hi there,
I need help please. We have 2 FG60D and 2 FG30E.
We would like to create an IPsec VPN under these conditions:
1. Main branch, using the FG60D, has an internet connection with a dynamic public IP.
2. The other branches use an internet connection with a private IP from the internet provider.
Is there specific guidance for creating an IPsec VPN between the main branch and the other branches?
Thanks in advance.
Yes, that's doable. You want a dynamic VPN. Since the address is private,
you want at the branches:
peer-id (optional)
NAT-T with keepalive for UDP/4500
aggressive mode
At the main office,
it would be a responder only.
You can run OSPF over the interfaces in route mode.
aggressive mode
PCNSE
NSE
StrongSwan
Hi emnoc,
sorry for the late reply.
I'm trying to understand you, but it seems my knowledge is not deep enough.
Anyway, could you please give more guidance, perhaps step by step? From there I can understand more.
Thank you.
Hi,
use the DDNS Feature from Fortinet in the branch.
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "branch1.fortiddns.com"
set monitor-interface "wan1"
next
end
In the main office, use that name as the VPN endpoint and set the type to "Dynamic DNS".
Cheers
Michael
Hi Michael,
thanks for your reply.
As I understand from your reply, DDNS is also applied to a private IP (behind NAT). Is that correct?
A separate question: can a commercial DDNS like DynDNS also be used with this method?
papapuff wrote: As I understand from your reply, DDNS is also applied to a private IP (behind NAT). Is that correct?
Read the "Dynamic DNS over VPN concepts" section in the FortiOS Handbook.
Before you get lost... no, DynDNS with a private IP address won't work. How would you route to a private IP address?
So (as emnoc already posted) your branches have to dial in to the MainBranch (a very unlucky name; better use "HQ" or so). The MainBranch/HQ with its dynamic IP address needs to subscribe to a DynDNS service; the other branches do not need any. Fortinet offers this service for free (as long as you have a valid FortiCare contract), but you could use dyndns.org as well.
And use peer IDs on your branches so that the MainBranch/HQ can determine which one is calling in.
The FortiOS Handbook, ch. "VPN", is an excellent source of information (docs.fortinet.com).
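A worked configuration of the design emnoc and ede_pfau describe: HQ publishes its dynamic public address through FortiGuard DDNS and acts as a dial-up responder only, and each branch behind provider NAT dials in with a peer ID over NAT-T. This is an added example, not configuration posted by anyone in this thread. The hostname hq.fortiddns.com, the interface names wan1 and internal, the subnets 192.168.1.0/24 (HQ) and 192.168.11.0/24 (branch 1), the peer ID branch1 and the PSK placeholders are all assumptions; a second or third branch gets its own phase1 at HQ with its own peerid and PSK. IKEv1 aggressive mode is used because, with a pre-shared key, the initiator must send its ID before the responder can pick the matching tunnel; aggressive mode also exposes a PSK-derived hash to anyone on the path for offline guessing, so the PSK must be long and random, and where both ends can run IKEv2 (set ike-version 2) the same peer ID matching works without that exposure.

```fortios
# ===== HQ (FG60D, dynamic public IP, responder only) =====
# Added example; names, subnets and secrets are assumptions.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "hq.fortiddns.com"      # assumed hostname the branches dial
        set monitor-interface "wan1"
    next
end

config vpn ipsec phase1-interface
    edit "branch1-dialup"
        set type dynamic                # accept a peer whose address is unknown
        set interface "wan1"
        set ike-version 1
        set mode aggressive             # ID sent in the first exchange (IKEv1 PSK)
        set peertype one
        set peerid "branch1"            # only this ID may use this tunnel
        set nattraversal enable         # branch sits behind provider NAT
        set keepalive 10                # UDP/4500 keepalive interval, seconds
        set proposal aes256-sha256
        set dhgrp 14
        set add-route enable            # route to the branch subnet learned from its phase2
        set psksecret <long-random-psk-branch1>   # placeholder, set a real secret
    next
end

config vpn ipsec phase2-interface
    edit "branch1-dialup-p2"
        set phase1name "branch1-dialup"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

config firewall policy
    edit 0
        set name "branch1-to-hq"
        set srcintf "branch1-dialup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== Branch 1 (FG30E, private IP behind NAT, initiator) =====
config vpn ipsec phase1-interface
    edit "to-hq"
        set type ddns                   # remote gateway resolved by name
        set remotegw-ddns "hq.fortiddns.com"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set localid "branch1"           # must match peerid on the HQ tunnel
        set nattraversal enable
        set keepalive 10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long-random-psk-branch1>   # same secret as HQ
    next
end

config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable       # bring the tunnel up without waiting for traffic
        set src-subnet 192.168.11.0/24  # assumed branch LAN
        set dst-subnet 192.168.1.0/24   # assumed HQ LAN
    next
end

config router static
    edit 0
        set dst 192.168.1.0/24
        set device "to-hq"
    next
end

config firewall policy
    edit 0
        set name "lan-to-hq"
        set srcintf "internal"
        set dstintf "to-hq"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Once both sides are applied, `diagnose vpn ike gateway list` on HQ should show the branch's NAT-T (UDP/4500) gateway with remote ID branch1, and `get router info routing-table all` should show 192.168.1.0/24 via to-hq on the branch and, through add-route, 192.168.11.0/24 via branch1-dialup on HQ. Policies above are deliberately narrow to one direction each; add the reverse direction only for the flows you actually need, and replace srcaddr/dstaddr "all" with the real subnet objects once the tunnel is proven.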