fortigate-ipsec-40-mr3
FortiOS Handbook

Dynamic DNS configuration

This section describes how to configure a site-to-site VPN, in which one FortiGate unit
has a static IP address and the other FortiGate unit has a domain name and a dynamic IP
address.

The following topics are included in this section:
Dynamic DNS over VPN concepts
Dynamic DNS topology
General configuration steps
Configure the dynamically-addressed VPN peer
Configure the fixed-address VPN peer
Testing

Dynamic DNS over VPN concepts

Dynamic DNS (DDNS)

A typical computer has a static IP address and one or more DNS servers to resolve fully
qualified domain names (FQDN) into IP addresses. A domain name assigned to this
computer is resolved by any DNS server having an entry for the domain name and its
static IP address. The IP address never changes or changes only rarely, so the DNS
server can reliably say it has the correct address for that domain all the time.

The situation is different when a computer has a domain name and a dynamic IP address,
such as an IP address assigned dynamically by a DHCP server. Computers that want to
contact this computer do not know its current IP address. Dynamic DNS servers solve
this problem. These are public servers that store a DNS entry for your computer that
includes its current IP address and associated domain name. Your computer keeps this
entry up to date by sending its current IP address to the dynamic DNS (DDNS) server.
When other computers want to contact your domain, their DNS gets your IP address from
your DDNS server. To use DDNS servers, you must subscribe to them and usually pay for
their services.

When configuring DDNS on your FortiGate unit, go to System > Network > DNS and
enable Use DDNS. Then select the interface with the dynamic connection, the DDNS
server you have an account with, your domain name, and account information. If your
DDNS server is not on the list, there is a generic option where you can provide your
DDNS server information.

Routing

When an interface has some form of changing IP address (DDNS, PPPoE, or DHCP
assigned address), routing needs special attention. The standard static route cannot
handle the changing IP address. The solution is to use the dynamic-gateway command in
the CLI. For example, say you already have four static routes, you have a PPPoE
connection over the wan2 interface, and you want to use that as your default route.
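
The scenario above as a CLI fragment, added here as an illustration and not taken from the handbook page. It assumes the four existing static routes occupy entries 1 to 4, so the new default route is created as entry 5 (a hypothetical sequence number).

```fortios
# Added example. Lines starting with # are annotations for the reader;
# omit them when typing the commands.
# Assumption: static routes 1-4 already exist, so entry 5 is free.
config router static
    edit 5
        # Default route: match all destinations
        set dst 0.0.0.0 0.0.0.0
        # Take the gateway from whatever the PPPoE (or DHCP) server assigns,
        # instead of a fixed "set gateway" value that goes stale when the address changes
        set dynamic-gateway enable
        # Interface carrying the PPPoE connection
        set device "wan2"
    next
end
```

Once the PPPoE session is established, `get router info routing-table static` should list the default route through wan2 with the gateway learned from the provider.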
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 101<br />
http://docs.fortinet.com/