FortiOS 6 – Dynamic DNS configuration

Configuration overview

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed:

  • Configure the branch_2 FortiGate unit with the dynamic IP address. This unit uses a Local ID string instead of an IP address to identify itself to the remote peer. See Configuring the dynamically-addressed VPN peer below, which is made up of configuring branch_2’s VPN tunnel settings and security policies.
  • Configure the fixed-address VPN peer. To initiate a VPN tunnel with the dynamically-addressed peer, this unit must first retrieve the IP address for the domain from the dynamic DNS service. See Configuring the fixed-address VPN peer, which is made up of configuring branch_1’s VPN tunnel settings and security policies.

Configuring the dynamically-addressed VPN peer

It is assumed that this FortiGate unit (branch_2) has already had its public-facing interface, for example wan1, configured with the proper dynamic DNS configuration.

Configuring branch_2, the dynamic address side

Define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 46. During this procedure you need to choose whether you will be using route-based or policy-based VPNs.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
  3. Enter the following information:
Remote Gateway Select Static IP Address. The remote peer this FortiGate is connecting to has a static public IP address. If the remote interface is PPPoE, do not select Retrieve default gateway from server.
IP Address Enter 172.16.20.1, the IP address of the public interface to the remote peer.
Interface Select the Internet-facing interface wan1 (selected by default).
NAT Traversal Select Enable (selected by default).
Keepalive Frequency Enter a keepalive frequency (in seconds; set to 10 by default).
Dead Peer Detection Select a dead peer detection option (set to On Demand by default). On Idle will attempt to reestablish VPN tunnels when a connection becomes idle (the idle interval is not a negotiated value). Use of periodic dead peer detection incurs extra overhead; when communicating with large numbers of IKE peers, you should consider using On Demand.

 
  4. Edit Authentication and complete the following:
Mode Select Aggressive.
  5. Edit Phase 1 Proposal and complete the following:
Local ID Enter example.com. A character string used by the branch_2 FortiGate unit to identify itself to the remote peer. This value must be identical to the value in the This peer ID field of the Phase 1 remote gateway configuration on the branch_1 remote peer. See Configuration overview on page 118.
  6. Open the Phase 2 Selectors and define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For details on Phase 2, see Phase 2 parameters on page 66.
  7. Enter the following information and select OK.
Name Automatically entered as the name of the VPN tunnel.
Phase 1 Select branch_2. The name of the Phase 1 configuration that you defined earlier.
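The same branch_2 Phase 1 and Phase 2 settings as an added CLI example; this is not configuration from the original guide. The Phase 2 selectors (the two private networks used later in this procedure), the pre-shared key placeholder and leaving the proposal at its defaults are assumptions.

```fortios
# branch_2, the dynamic-address side: route-based tunnel in aggressive mode,
# identifying itself to branch_1 with the Local ID example.com.
config vpn ipsec phase1-interface
    edit "branch_2"
        # the remote peer (branch_1) has a fixed public address
        set type static
        set interface "wan1"
        # aggressive mode is an IKEv1 exchange
        set ike-version 1
        set mode aggressive
        # must match the "This peer ID" value configured on branch_1
        set localid "example.com"
        set remote-gw 172.16.20.1
        set nattraversal enable
        # NAT keepalive frequency in seconds (GUI default)
        set keepalive 10
        # "On Idle" in the GUI corresponds to "set dpd on-idle"
        set dpd on-demand
        # placeholder: use a long, random pre-shared key, identical on both peers
        set psksecret PSK_PLACEHOLDER
    next
end

# Phase 2: the GUI names it after the tunnel. The selectors are assumed here
# and restrict the tunnel to the two private networks of this example.
config vpn ipsec phase2-interface
    edit "branch_2"
        set phase1name "branch_2"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
```

Because aggressive mode sends the Local ID in the clear before the peer is authenticated, the ID is only a selector for the correct pre-shared key, not a secret; the strength of the authentication rests on the pre-shared key, so treat the placeholder value above as something to replace with a generated key of at least 20 random characters.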

Define security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies.

After defining the two address ranges, select one of Creating branch_2 route-based security policies on page 121 or Creating branch_2 policy-based security policies on page 123 to configure the appropriate VPN policies.

Define VPN connection names for the address ranges of the private networks. These addresses are used in the security policies that permit communication between the networks. For more information, see Defining VPN security policies on page 1.

Define an address name for the IP address and netmask of the private network behind the local FortiGate unit.

  1. Go to Policy & Objects > Addresses.
  2. Select Create New.
  3. Enter the following information, and select OK.
Name Enter branch_2_internal. Enter a meaningful name.
Type Select IP/Netmask.
Subnet / IP Range Enter 10.10.10.0/24. Include the netmask or specify a specific range.
Interface Select internal. The interface that will be handling the traffic from the internal network.

Define an address name for the IP address and netmask of the private network behind the remote peer.

  1. Select Create New.
  2. Enter the following information, and select OK.
Name Enter branch_1_internal. A meaningful name for the private network at the remote end of the VPN tunnel.
Type Select IP/Netmask.
Subnet / IP Range Enter 192.168.1.0/24. Include the netmask. Optionally you can specify a range.
Interface Select any. The interface that will be handling the remote VPN traffic on this FortiGate unit. If you are unsure, or multiple interfaces may be handling this traffic, use any.

Creating branch_2 route-based security policies

Define ACCEPT security policies to permit communication between the branch_2 and branch_1 private networks. Once the route-based policies are configured, a routing entry must be configured to route traffic over the VPN interface.

Define a policy to permit the branch_2 local FortiGate unit to initiate a VPN session with the branch_1 VPN peer.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select internal. The interface that connects to the private network behind this FortiGate unit.
Outgoing Interface Select branch_2. The VPN Tunnel (IPsec Interface).
Source Select branch_2_internal. The address name for the private network behind this FortiGate unit.
Destination Address Select branch_1_internal. The address name for the private network behind the remote peer.
Action Select ACCEPT.
NAT Disable NAT.
Comments Route-based: Initiate a branch_2 to branch_1 VPN tunnel.

Define a policy to permit the branch_1 remote VPN peer to initiate VPN sessions.

  1. Select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select branch_2. The VPN Tunnel (IPsec Interface).
Outgoing Interface Select internal. The interface connecting the private network behind this FortiGate unit.
Source Select branch_1_internal. The address name for the private network behind the remote peer.
Destination Address Select branch_2_internal. The address name for the private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable NAT.
Comments Route-based: Initiate a branch_1 to branch_2 internal VPN tunnel.
  3. Optionally configure any other security policy settings you require such as UTM or traffic shaping for this policy.
  4. Place these policies in the policy list above any other policies having similar source and destination addresses. This will ensure VPN traffic is matched against the VPN policies before any other policies.
Creating routing entry for VPN interface – CLI

config router static
    edit 5
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway enable
        set device wan1
    next
end

This routing entry must be added in the CLI because the dynamic-gateway option is not available in the web-based manager.
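The branch_2 address objects, the two route-based ACCEPT policies and the routes, as an added CLI example rather than configuration from the guide. The policy and route IDs, the existing policy ID 1 used for ordering, and the second route that sends traffic for branch_1's private network into the tunnel interface are assumptions. The route-based policies for branch_1 later in this document are the mirror image, with branch_1 as the tunnel interface and the address names swapped.

```fortios
# Address objects for the two private networks
config firewall address
    edit "branch_2_internal"
        set subnet 10.10.10.0 255.255.255.0
        set associated-interface "internal"
    next
    edit "branch_1_internal"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Route-based policies: the tunnel interface "branch_2" is the egress or
# ingress interface, and NAT stays disabled so the private addresses cross
# the tunnel unchanged. Policy IDs 10 and 11 are assumed.
config firewall policy
    edit 10
        set name "branch_2_to_branch_1"
        set srcintf "internal"
        set dstintf "branch_2"
        set srcaddr "branch_2_internal"
        set dstaddr "branch_1_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Route-based: Initiate a branch_2 to branch_1 VPN tunnel."
    next
    edit 11
        set name "branch_1_to_branch_2"
        set srcintf "branch_2"
        set dstintf "internal"
        set srcaddr "branch_1_internal"
        set dstaddr "branch_2_internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Route-based: Initiate a branch_1 to branch_2 internal VPN tunnel."
    next
    # Keep the VPN policies above any broader policy with overlapping
    # addresses (assumes an existing policy with ID 1 is the first of those).
    move 10 before 1
    move 11 before 1
end

# Routes: the guide's dynamic default route on wan1, plus an assumed route
# that sends traffic for branch_1's private network into the tunnel interface.
config router static
    edit 5
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway enable
        set device "wan1"
    next
    edit 6
        set dst 192.168.1.0 255.255.255.0
        set device "branch_2"
    next
end
```

`set service "ALL"` mirrors the GUI default; in production, narrow the service list on both policies to what the two sites actually exchange, since a site-to-site tunnel otherwise extends the full reach of one private network into the other.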

Creating branch_2 policy-based security policies

Define an IPsec policy to permit VPN sessions between the private networks of the local branch_2 unit and the remote branch_1 unit.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select internal. The interface connecting the private network behind this FortiGate unit.
Outgoing Interface Select wan1. The FortiGate unit’s public interface.
Source Select branch_2_internal. The address name for the private network behind this local FortiGate unit.
Destination Address Select branch_1_internal. The address name for the private network behind branch_1, the remote peer.
Action Select IPsec. Under VPN Tunnel, select branch_2 from the drop-down list. The name of the Phase 1 tunnel. Select Allow traffic to be initiated from the remote site.
Comments Policy-based: allows traffic in either direction to initiate the VPN tunnel.
  3. Optionally configure any other security policy settings you require such as UTM or traffic shaping for this policy.
  4. Place these policies in the policy list above any other policies having similar source and destination addresses. This will ensure VPN traffic is matched against the VPN policies before any other policies.

Configuring the fixed-address VPN peer

The fixed-address VPN peer, branch_1, needs to retrieve the IP address from the dynamic DNS service to initiate communication with the dynamically-addressed peer, branch_2. It also depends on the peer ID (local ID) to initiate the VPN tunnel with branch_2.

Define the Phase 1 parameters needed to establish a secure connection with the remote peer. For more information, see Phase 1 parameters on page 46.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit Network (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Enter the following information and select OK.
Remote Gateway Select Dynamic DNS. The remote peer this FortiGate is connecting to has a dynamic IP address.
Dynamic DNS Type the fully qualified domain name of the remote peer (for example, example.com).
Interface Select wan1. The public facing interface on the fixed-address FortiGate unit.
Mode Select Aggressive.
Peer Options Select This peer ID, and enter example.com. This option only appears when the mode is set to Aggressive. The identifier of the FortiGate unit with the dynamic address.
  4. Edit Authentication, enter the following information and select OK.
Peer Options Select This peer ID, and enter example.com. This option only appears when the authentication method is set to Signature. The identifier of the FortiGate unit with the dynamic address.
  5. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 66. Enter these settings in particular:
Name Enter branch_1_p2. A name to identify this Phase 2 configuration.
Phase 1 Select branch_1. The name of the Phase 1 configuration that you defined for the remote peer. You can select the name of the remote gateway from the Dynamic DNS part of the list.

The branch_1 FortiGate unit has a fixed IP address and will be connecting to the branch_2 FortiGate unit that has a dynamic IP address and a domain name of example.com. Remember if you are using route-based security policies that you must add a route for the VPN traffic.
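The branch_1 Phase 1 and Phase 2 settings as an added CLI example, not configuration from the guide. The Phase 2 selectors, the pre-shared key placeholder and the route ID are assumptions; the route itself is only needed with route-based policies, as the reminder above says.

```fortios
# branch_1, the fixed-address side: the remote gateway is a DDNS name that is
# resolved when the tunnel is brought up, and the peer is accepted only if it
# presents the ID example.com in its aggressive-mode exchange.
config vpn ipsec phase1-interface
    edit "branch_1"
        set type ddns
        set remotegw-ddns "example.com"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        # "This peer ID": accept exactly one peer identifier
        set peertype one
        set peerid "example.com"
        set dpd on-demand
        # placeholder: must be the same pre-shared key as on branch_2
        set psksecret PSK_PLACEHOLDER
    next
end

# Phase 2 named as in the GUI procedure; selectors assumed (mirror of branch_2)
config vpn ipsec phase2-interface
    edit "branch_1_p2"
        set phase1name "branch_1"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# Route-based only: send traffic for branch_2's private network into the
# tunnel interface. Route ID assumed.
config router static
    edit 7
        set dst 10.10.10.0 255.255.255.0
        set device "branch_1"
    next
end
```

The `peertype one` / `peerid` pair is the setting that ties the tunnel to the specific dynamic peer: because the DDNS record can point at a different address every time it updates, the peer ID and the pre-shared key, not the source address, are what branch_1 relies on to know it is talking to branch_2.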

Defining address ranges for branch_1 security policies

As with branch_2 previously, branch_1 needs address ranges defined as well. See Defining policy addresses on page 1.

  1. Go to Policy & Objects > Addresses and select Create New > Address.
  2. Enter the following information, and select OK.
Name Enter branch_2_internal. A meaningful name for the private network behind the branch_2 FortiGate unit.
Type Select IP/Netmask.
Subnet / IP Range Enter 10.10.10.0/24. Include the netmask or specify a specific range.
Interface Select internal. This is the interface on this FortiGate unit that will be handling this traffic.
  3. Define an address name for the IP address and netmask of the private network behind the remote peer.
  4. Create another address. Enter the following information, and select OK.
Name Enter branch_1_internal. A meaningful name for the private network behind the branch_1 peer.
Type Select IP/Netmask.
Subnet / IP Range Enter 192.168.1.0/24. Include the netmask or specify a specific range.
Interface Select any. The interface on this FortiGate unit that will be handling this traffic. If you are unsure, or multiple interfaces may be handling this traffic, use any.

Creating branch_1 route-based security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses. See Defining VPN security policies on page 1.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select internal. The interface that connects to the private network behind the branch_1 FortiGate unit.
Outgoing Interface Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.
Source Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Destination Address Select branch_2_internal. The address name that you defined for the private network behind the branch_2 peer.
Action Select ACCEPT.
NAT Disable NAT.
Comments Internal -> branch2

To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.

  1. Select Create New.
  2. Enter the following information, and select OK.
Name Enter an appropriate name for the policy.
Incoming Interface Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.
Outgoing Interface Select internal. The interface that connects to the private network behind this FortiGate unit.
Source Select branch_2_internal. The address name that you defined for the private network behind the branch_2 remote peer.
Destination Address Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable NAT.
Comments branch_2 -> Internal

Creating branch_1 policy-based security policies

A policy-based security policy gives you the flexibility to allow inbound traffic, outbound traffic, or both through this single policy. The policy-based IPsec VPN security policy below allows both inbound and outbound traffic.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information, and select OK.
Incoming Interface Select internal. The interface that connects to the private network behind this FortiGate unit.
Outgoing Interface Select wan1. The FortiGate unit’s public interface.
Source Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.
Destination Address Select branch_2_internal. The address name that you defined for the private network behind the remote peer.
Action Select IPsec. Under VPN Tunnel, select branch_1 from the drop-down list. The name of the Phase 1 tunnel. Select Allow traffic to be initiated from the remote site.
  3. Place this security policy in the policy list above any other policies having similar source and destination addresses.
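The policy-based variant as an added CLI example for branch_1 (the branch_2 policy-based section earlier is the mirror image, with wan1 still the outgoing interface and the address names swapped). This is not configuration from the guide: the policy ID, the existing policy ID 1 used for ordering, the pre-shared key placeholder and the name of the GUI feature-visibility setting are assumptions.

```fortios
# Policy-based tunnels live under "phase1"/"phase2" (no "-interface" suffix)
# and, in FortiOS 6, must be made visible in the GUI first. Setting name assumed.
config system settings
    set gui-policy-based-ipsec enable
end

config vpn ipsec phase1
    edit "branch_1"
        set type ddns
        set remotegw-ddns "example.com"
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "example.com"
        # placeholder: same pre-shared key as on branch_2
        set psksecret PSK_PLACEHOLDER
    next
end

config vpn ipsec phase2
    edit "branch_1_p2"
        set phase1name "branch_1"
    next
end

# One IPsec-action policy carries both directions. "inbound enable" is the CLI
# form of "Allow traffic to be initiated from the remote site". Policy ID assumed.
config firewall policy
    edit 20
        set name "branch_1_policy_based"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "branch_1_internal"
        set dstaddr "branch_2_internal"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "branch_1"
    next
    # keep it above broader policies with overlapping addresses
    move 20 before 1
end
```

Unlike the route-based form, there is no tunnel interface here, so there is no per-direction policy to audit: if you later need to restrict what the remote site may initiate, the single policy's `inbound` setting and its service list are the only controls, which is the trade-off the flexibility sentence above describes.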

Results

Once both ends are configured, you can test the VPN tunnel.

To test the VPN initiated by branch_2

  1. On branch_2, go to Monitor > IPsec Monitor.

All IPsec VPN tunnels will be listed on this page, whether they are connected or disconnected.

  2. Select the tunnel listed for branch_2, and select the status column for that entry.

The status will say Bring Up, and remote port, incoming and outgoing data will all be zero. This indicates an inactive tunnel. When you right-click and select Bring Up, the FortiGate will try to set up a VPN session over this tunnel. If it is successful, Bring Up will change to Active, and the arrow icon will change to a green up arrow icon.

  3. If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting.

To test the VPN initiated by branch_1

  1. On branch_1, go to Monitor > IPsec Monitor.
  2. Select the tunnel listed for branch_1, and select the status column.

The difference between branch_2 and branch_1 at this point is that the tunnel entry for branch_1 will not have a remote gateway IP address. It will be resolved when the VPN tunnel is started.

  3. If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting.

Some troubleshooting ideas include:

  • If there was no entry for the tunnel on the monitor page, check the Auto Key (IKE) page to verify the Phase 1 and Phase 2 entries exist.
  • Check the security policy or policies, and ensure there is an outgoing policy as a minimum.
  • Check that you entered a local ID in the Phase 1 configuration, and that branch_1 has the same local ID.
  • Ensure the local DNS server has an up-to-date DNS entry for example.com.
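The same checks from the CLI, as an added example that is not part of the guide. The peer address, tunnel names and private networks are the ones used in this procedure; which unit each command is run on is noted in the comments.

```fortios
# 1. On branch_1: does the unit resolve the dynamic DNS name to branch_2's
#    current address? (ping resolves the name through the unit's DNS settings,
#    so a stale record shows up here before it shows up in the tunnel list)
execute ping example.com

# 2. On either unit: do the Phase 1 and Phase 2 entries exist, and what state
#    are they in? (CLI equivalent of the Auto Key (IKE) and IPsec Monitor pages)
get vpn ipsec tunnel summary
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 3. Bring the tunnel up from the CLI, by Phase 2 name
#    (use "branch_1_p2" when running this on branch_1)
diagnose vpn tunnel up branch_2

# 4. Route-based only: is the remote private network routed to the tunnel
#    interface rather than out the default route?
get router info routing-table all

# 5. If Phase 1 never completes, watch the IKE negotiation with this peer only.
#    A Local ID that does not match "This peer ID", or a pre-shared key
#    mismatch, is reported in this output. The filter below is branch_1's
#    public address, so it is the one to use on branch_2.
diagnose vpn ike log-filter dst-addr4 172.16.20.1
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... generate traffic, e.g. ping a host in 192.168.1.0/24 from 10.10.10.0/24 ...
diagnose debug disable
diagnose debug reset
```

Always end a debug session with `diagnose debug disable` and `diagnose debug reset`: the IKE debug at level -1 is verbose enough to load a busy unit, and the log filter is the only thing keeping other peers' negotiations out of the output.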

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
