Hello everyone.
Recently we faced a problem with FortiGate S2S over ADSL connections, but we solved it by changing the PORT number and they are working great. Thanks to all of you for helping.
The current config for SITE A and SITE B is as follows:
site A: ADSL router ---> FortiGate > VPN > IPsec > site to site > DDNS B > status: UP and can reach site B network
site B: ADSL router ---> FortiGate > VPN > IPsec > site to site > DDNS A > status: UP and can reach site A network
Now we are facing a new problem, which is:
SITE A: as it is with the above installation and configuration.
SITE B: changed from ADSL connection to Starlink connection and became like this:
site B: Starlink router ---> FortiGate > VPN > IPsec > site to site > DDNS A > status: Down, Tunnel not Connected.
I know there is NO port forwarding in the Starlink router and it is using CGNAT, unlike ADSL.
I want to know how to solve this problem with the same configuration for both FortiGates.
Do I need pfSense in site B to be in between:
Starlink --> pfSense ----(WireGuard)---> FortiGate --> etc.
Or any other solutions???
Thanks
Thanks for the like, I will try that tomorrow and give you feedback...
Hello AEK, I tried that but it shows me in the tunnel A and B > inactive, but I can ping the site A DDNS from site B, and vice versa NOT. Only DDNS pinging, not anything else!!!?? Is this normal because it is DDNS?
Hello Morana
I don't think this is due to DDNS. You can confirm this if you verify that the DDNS resolves to the real public address of site B.
Anyway, you don't need DDNS on site B, right? You need it only for site A, and then set up your aggressive mode & dial-up VPN.
As @AEK showed, at least the Site-B (Starlink) side should be able to initiate the tunnel to Site-A with aggressive mode/dial-up. But you mentioned "changing port". What exactly did you change?
Toshi
Hello man,
NOT port, I mean DNS protocol.
Believe me, I don't know what I am doing, I was just playing around....
Under DNS protocol there is an option:
(DNS UDP/53 protocol). I enabled it, then it works directly...
Ok. Did the Site-A FGT get the public IP DDNS A is showing?
Toshi
As @AEK showed, at least the Site-B (Starlink) side should be able to initiate the tunnel to Site-A with aggressive mode/dial-up.
------------------------------------------------------------------------------------------------
You said that with Site B in dial-up mode it should initiate the connection, if I change to:
Remote > from DDNS to > Dial-up
with the aggressive mode option.
OK, what about Site A, do I need to change anything else besides NAT traversal and aggressive mode?
You have to change both sides for the IPsec config. That should be in the docs. But Site-A needs to keep DDNS, because with aggressive mode/dial-up only one side (Site-B: Starlink) initiates the tunnel to the DDNS-A FQDN, while Site-A never initiates because you removed the remote IP/FQDN from the config. The Site-A FGT just waits until it gets the connection request from Site-B, then negotiation starts.
Toshi
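An added example, not from this thread or from Fortinet's documentation, of what the two sides described in the replies above could look like in FortiOS CLI: Site A keeps its DDNS name and accepts a dynamic (dial-up) peer, while Site B behind Starlink CGNAT is the only side that initiates, using IKEv1 aggressive mode with NAT traversal. The interface names, LAN subnets, peer IDs, the DDNS A FQDN and the PSK are placeholders/assumptions, not values from the thread.

```fortios
# --- Site A (ADSL, reachable via DDNS A, acts as dial-up server) ---
config vpn ipsec phase1-interface
    edit "to-siteB"
        set type dynamic               # accept the peer from any source IP (CGNAT)
        set interface "wan1"           # assumed WAN interface name
        set ike-version 1              # aggressive mode only exists in IKEv1
        set mode aggressive
        set peertype one
        set peerid "siteB"             # must equal the localid Site B sends
        set nattraversal enable        # CGNAT rewrites src port; keep NAT-T (UDP/4500)
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.255.0   # assumed Site A LAN
        set dst-subnet 10.2.0.0 255.255.255.0   # assumed Site B LAN
    next
end
# --- Site B (Starlink, CGNAT, always initiates towards DDNS A) ---
config vpn ipsec phase1-interface
    edit "to-siteA"
        set type ddns
        set remotegw-ddns "siteA.example-ddns.net"  # placeholder for the DDNS A FQDN
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set localid "siteB"            # identifies this peer to Site A
        set peertype any
        set nattraversal enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "to-siteA-p2"
        set phase1name "to-siteA"
        set proposal aes256-sha256
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
        set auto-negotiate enable      # bring the tunnel up without waiting for traffic
    next
end
```

Both sides still need static routes for the remote LAN pointing at the tunnel interface and firewall policies in both directions; if the tunnel stays down, `diagnose vpn ike log filter` and `diagnose debug application ike -1` on Site A will show whether Site B's proposals ever arrive.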