- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- fortigate ipsec s2s VPN with starlink ?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fortigate ipsec s2s VPN with starlink ?
hello every one .
recently we faced a problem with fortigate s2s with ADSL connections but , we solved it by changing PORT number and they are working great . thanks for all of you for helping .
the currrent config for SITE A and SITE B is as following :
site A: ADSL router ---> fortigate >vpn>IPSEC >site to site > DDNS B >status : UP and can reach site B network
site B:ADSL router ---->fortigate >vpn>IPSEC >site to site > DDNS A >status : UP and can reach site A network
Now , We are facing new problem which is :
SITE A : As it is with above installation and configuration .
SITE B: changed from ADSL connection to star**bleep** connection and became lik this :
site B:Starlink router ---->fortigate >vpn>IPSEC >site to site > DDNS A >status : Down Tunnel not Connected
.
i know there is NO port forwarding in starlink router and it is using CGNAT unlike ADSL .
i want to know how to solve this problem with the same configuration for both fortigate .
Do i need pfsens in site B to be in between :
Starlink--> pfsens ----(wireguard)---> fortigate -->etc ..
Or any another solutions ???
Thanks
Labels:
- Labels:
-
FortiGate
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the like , i will try that tomorrow and give u feedback...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello AEK, i tried that but shows me in the tunnel A and B > inactive ,but i can ping the siteA DDNS form siteB and vise versa NOT. only DDNS pinging only not anything else . !!!?? is this normal becoz it is DDNS ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Morana
I don't think this is due to DDNS. You can confirm if you verify that the DDNS resolves to the real public address of site B.
Anyway you don't need DDNS on site B, right? You need it only for site A and setup your aggressive mode & dialup VPN.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @AEK showed, at least Site-B (Starlink) side should be able to initiate the tunnel to Site-A with agressive mode/dialup. But you mentioned "changing port". What exactly did you change.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello man
NOT port i mean DNS protocol .
believe me i don't know what i am doing i was just playing around ....
under DNS protocol there is an option :
(DNS UDP/53 protocol ) i enabled it. then it works directly ...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. Did the Site-A FGT get the public IP DDNS A is showing?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @AEK showed, at least Site-B (Starlink) side should be able to initiate the tunnel to Site-A with aggressive mode/dialup.
------------------------------------------------------------------------------------------------
You said with Site B dial up mode should initiate the connection, if i change to :
Remote > From DDNS to > Dial-up
with aggressive mod option .
OK, what about Site A , do i need to change anything else beside NAT traversal and aggressive mode ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to change both sides for IPSec config. That should be in the docs. But Site-A needs to keep DDNS. Because, with agressive mode/dial up, only one side (Site-B:Starlink) initiate the tunnel to the DDNS-A FQDN. While Site-A never initiate because you remove the remote IP/FQDN from the config. Site-A FGT just waits until it gets the connection request from Site-B, then negotiation starts.
Toshi
Related Posts
- Dual WAN remote access IPSec VPN... 145 Views
- How to route ougoing FG traffic... 117 Views
- Fortigate IPsec Two Tunnels running con-currently 273 Views
- IPSec VPN with Azure/Entra mfa 170 Views
- Solution for Article 239709 not working... 181 Views
Labels
-
FortiGate
6,782 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
582 -
FortiAnalyzer
427 -
6.0
416 -
5.6
362 -
FortiSwitch
348 -
FortiAP
348 -
FortiClient EMS
275 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
163 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
IPsec
88 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
71 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
LDAP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.