Chapter 14 - IPsec VPN > Dynamic DNS configuration

Configure the fixed-address VPN peer

The fixed-address VPN peer, branch_1, must resolve the current IP address of the dynamically addressed peer, branch_2, through the dynamic DNS service before it can initiate communication. It also relies on the peer ID (the local ID configured on branch_2) to identify that peer and bring up the VPN tunnel with it.

Configure branch_1, the fixed-address side

Configuring the fixed-address VPN peer includes:
  1. Configuring branch_1 VPN tunnel settings
  2. Configuring branch_1 security policies

Configuring branch_1 VPN tunnel settings

Define the Phase 1 parameters needed to establish a secure connection with the remote peer. For more information, see Phase 1 parameters.

To configure branch_1 Phase 1 VPN settings
  1. Go to VPN > IPsec > Tunnels and create a new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Enter the following information and select OK.
Name: Enter branch_1. A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.
Remote Gateway: Select Dynamic DNS. The remote peer this FortiGate is connecting to has a dynamic IP address.
Dynamic DNS: Enter the fully qualified domain name of the remote peer (for example, example.com). branch_1 resolves this name each time it initiates the tunnel, so it must be the name that branch_2 keeps updated with its current address.
Interface: Select wan1. The public-facing interface on the fixed-address FortiGate unit.
Mode: Select Aggressive. Aggressive mode is required here because the address of branch_2 is not known in advance and the peer must be identified by its peer ID instead. Be aware that in aggressive mode the peer ID is sent in cleartext and, with pre-shared key authentication, anyone who captures the exchange can run an offline dictionary attack against the key, so use a long, random pre-shared key (or certificate authentication) for this tunnel.
Peer Options: Select This peer ID, and enter example.com. This option only appears when the mode is set to Aggressive. This is the identifier of the FortiGate unit with the dynamic address; it must match the local ID configured on branch_2.
  4. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters. Enter these settings in particular:
Name: Enter branch_1_p2. A name to identify this Phase 2 configuration.
Phase 1: Select branch_1. The name of the Phase 1 configuration that you defined for the remote peer. You can select the name of the remote gateway from the Dynamic DNS part of the list.

Configuring branch_1 security policies

The branch_1 FortiGate unit has a fixed IP address and will be connecting to the branch_2 FortiGate unit, which has a dynamic IP address and the domain name example.com. Remember that if you are using route-based security policies you must also add a static route that sends traffic for the branch_2 network (10.10.10.0/24) out the branch_1 tunnel interface; without it the policies below never see that traffic.

Defining address ranges for branch_1 security policies

As with branch_2 previously, branch_1 needs address ranges defined as well. See Defining VPN security policies.

  1. Go to Policy & Objects > Objects > Addresses.
  2. Select Create New.
  3. Enter the following information, and select OK.
Name: Enter branch_2_internal. A meaningful name for the private network behind the branch_2 FortiGate unit.
Type: Select Subnet.
Subnet / IP Range: Enter 10.10.10.0/24. Include the netmask or specify a specific range.
Interface: Select any. This address is used as the destination of traffic leaving through the branch_1 tunnel interface and as the source of traffic arriving from it; an address tied to the internal interface could not be used in those policies.
  4. Define an address name for the IP address and netmask of the private network behind this FortiGate unit (branch_1).
  5. Select Create New.
  6. Enter the following information, and select OK.
Name: Enter branch_1_internal. A meaningful name for the private network behind the branch_1 peer.
Type: Select Subnet.
Subnet / IP Range: Enter 192.168.1.0/24. Include the netmask or specify a specific range.
Interface: Select any. The interface on this FortiGate unit that will be handling this traffic. If you are unsure, or multiple interfaces may be handling this traffic, use any.

Creating branch_1 route-based security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses. See Defining VPN security policies.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the following information, and select OK.
Incoming Interface Select internal. The interface that connects to the private network behind the branch_1 FortiGate unit.
Source Address Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Outgoing Interface Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.
Destination Address Select branch_2_internal. The address name that you defined for the private network behind the branch_2 peer.
Action Select ACCEPT.
Enable NAT Disable
Comments Internal -> branch2

To permit the remote peer (branch_2) to initiate communication, you also need to define a security policy for traffic in that direction.

  1. Select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the following information, and select OK.
Incoming Interface Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.
Source Address Select branch_2_internal. The address name that you defined for the private network behind the branch_2 remote peer.
Outgoing Interface Select internal. The interface that connects to the private network behind this FortiGate unit.
Destination Address Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Action Select ACCEPT.
Enable NAT Disable
Comments branch_2 -> Internal

Creating branch_1 policy-based security policies

A single policy-based security policy can permit outbound traffic, inbound traffic, or both; with route-based policies the two directions need separate policies.

This policy-based IPsec VPN security policy allows both inbound and outbound traffic.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter the following information, and select OK.
Incoming Interface: Select internal. The interface that connects to the private network behind this FortiGate unit.
Source Address: Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Outgoing Interface: Select wan1. The FortiGate unit's public interface. A policy-based VPN policy is applied to the physical interface; the tunnel is chosen by the VPN Tunnel setting below.
Destination Address: Select branch_2_internal. The address name that you defined for the private network behind the remote peer.
VPN Tunnel: Select Use Existing and select branch_1 from the drop-down list.
Allow traffic to be initiated from the remote site: Select this option to allow traffic from the remote network to initiate the tunnel.
  3. Place this security policy in the policy list above any other policies having similar source and destination addresses, so that traffic between the two networks matches the VPN policy and is not sent out wan1 unencrypted by a more general policy.