Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FortiGate IPsec S2S VPN with Starlink?

Hello everyone.

Recently we faced a problem with FortiGate S2S over ADSL connections, but we solved it by changing the port number and they are working great. Thanks to all of you for helping.


The current config for SITE A and SITE B is as follows:

Site A: ADSL router ---> FortiGate > VPN > IPsec > site to site > DDNS B > status: UP and can reach site B network

Site B: ADSL router ---> FortiGate > VPN > IPsec > site to site > DDNS A > status: UP and can reach site A network


Now we are facing a new problem, which is:

SITE A: as in the above installation and configuration.

SITE B: changed from an ADSL connection to a Starlink connection and became like this:


Site B: Starlink router ---> FortiGate > VPN > IPsec > site to site > DDNS A > status: Down, Tunnel not Connected


I know there is NO port forwarding in the Starlink router and it is using CGNAT, unlike ADSL.

I want to know how to solve this problem with the same configuration for both FortiGates.

Do I need pfSense in site B to be in between:

Starlink --> pfSense ----(WireGuard)---> FortiGate --> etc.


Or any other solutions???





New Contributor

Yes, both showing now?!

I did something horrible in both routers to make the public IP work!! If the company knows, I will be kicked out...


Then it should work.


OK, helpful friend.

What I understand is this:

First, Site A FortiGuard DDNS should be enabled. Then,

since I am using the wizard, I should do the following:

Site A: VPN > IPsec > Tunnel > Convert to custom tunnel > Network > edit: then I have to change

Remote Gateway: to Dialup User

Authentication: aggressive

Update and save.

And for the rest, no need to change anything else here?


Second, site B FortiGuard DDNS should be disabled, no need as long as it will be dial-up.

Then change to:

Remote gateway: site A DDNS

Update and save.

No need for anything else?

If that's all I need, then I will give it a try and feed back to you ASAP.





If you want to use the GUI, follow the steps below. It's a custom set up on both sides. The key is 1) both sides are "mode: aggressive", and 2) at least the client side (B) needs a "local id" and the server side (A) needs the matching "peer id".
But this KB is not showing how to set up FQDN in the phase1-interface config. But I assume you already know how to do that part in CLI.

Then you need to start sending packets from LAN side of site-B toward the LAN side of site-A to bring up the tunnel.

If it still doesn't come up, you need to run debug "diag debug app ike -1" in CLI then "diag debug enable" to start showing the output on the screen.
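The arrangement the reply above describes (site A as the dialup server matching a peer ID, site B dialing out to A's FQDN with aggressive mode and a local ID), written out as an added FortiOS CLI sketch; it is not from the original thread or from a Fortinet KB, and the interface names, subnets, DDNS hostname, IDs and PSK are placeholders to replace.

```fortios
# ---- Site A (public or port-forwarded IP, FortiGuard DDNS enabled): dialup server ----
config vpn ipsec phase1-interface
    edit "from-siteB"
        set type dynamic                 # accept a peer whose address is unknown (CGNAT)
        set interface "wan1"             # placeholder WAN interface
        set ike-version 1
        set mode aggressive              # aggressive mode carries the ID in the first exchange
        set peertype one                 # only a peer presenting this exact ID may connect
        set peerid "siteB-starlink"      # must equal site B's localid
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable          # required behind CGNAT
        set dpd on-idle
        set add-route enable             # learn the route to B's LAN from B's phase2 selector
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "from-siteB-p2"
        set phase1name "from-siteB"
        set src-subnet 10.1.0.0 255.255.255.0     # placeholder site A LAN
        set dst-subnet 10.2.0.0 255.255.255.0     # placeholder site B LAN
    next
end

# ---- Site B (Starlink, CGNAT, no DDNS needed): dials out to site A's FQDN ----
config vpn ipsec phase1-interface
    edit "to-siteA"
        set type ddns
        set remotegw-ddns "sitea.example.fortiddns.com"   # placeholder FortiGuard DDNS name of A
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set localid "siteB-starlink"     # must equal site A's peerid
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10                 # NAT-T keepalives hold the CGNAT mapping open
        set dpd on-idle
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-siteA-p2"
        set phase1name "to-siteA"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
        set auto-negotiate enable        # B initiates, so no LAN traffic is needed to bring it up
    next
end
```

Site B still needs a static route to 10.1.0.0/24 via the "to-siteA" interface and both sides need firewall policies between the LAN and tunnel interfaces; only B can initiate, since A has no routable address for B behind CGNAT.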



