Chapter 11 IPsec VPN for FortiOS 5.0 : Dynamic DNS configuration : General configuration steps
  
General configuration steps
When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec phase 2 parameters and applies the security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed:
- Configure the branch_2 FortiGate unit with the dynamic IP address. This unit uses a Local ID string instead of an IP address to identify itself to the remote peer. See “Configure the dynamically-addressed VPN peer”.
    - Configuring branch_2 VPN tunnel settings
    - Configuring branch_2 security policies
- Configure the fixed-address VPN peer. To initiate a VPN tunnel with the dynamically-addressed peer, this unit must first retrieve the IP address for the domain from the dynamic DNS service. See “Configure the fixed-address VPN peer”.
    - Configuring branch_1 VPN tunnel settings
    - Configuring branch_1 security policies
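
The two peer roles described above, as an added FortiOS CLI example of interface-mode tunnel settings for each unit (not taken from the handbook). The interface name wan1, the DDNS name branch2.example.com, the address 203.0.113.1, the phase 2 names and the pre-shared-key authentication are assumptions, as is having branch_1 accept only the peer ID that branch_2 sends as its Local ID.

```fortios
# ---- branch_2: dynamically-addressed peer (all values constructed) ----
config vpn ipsec phase1-interface
    edit "branch_2"
        set interface "wan1"
        # Assumption: branch_2 reaches the fixed-address peer by its static IP.
        set type static
        set remote-gw 203.0.113.1
        # Local ID string sent to the remote peer in place of an IP address.
        set localid "branch2.example.com"
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "branch_2_p2"
        set phase1name "branch_2"
    next
end

# ---- branch_1: fixed-address peer (all values constructed) ----
config vpn ipsec phase1-interface
    edit "branch_1"
        set interface "wan1"
        # Remote gateway is resolved through the dynamic DNS service.
        set type ddns
        set remotegw-ddns "branch2.example.com"
        # Assumption: accept only the peer whose ID matches branch_2's Local ID,
        # so a changed DNS answer alone is not enough to be treated as branch_2.
        set peertype one
        set peerid "branch2.example.com"
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "branch_1_p2"
        set phase1name "branch_1"
    next
end
```

Security policies on each unit are configured separately, as listed in the steps above.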