fortigate-ipsec-40-mr3
Dynamic DNS configuration

The default configuration is to accept all local IDs (peer IDs). If you have the Local ID set, the remote end of the tunnel must be configured to accept your Local ID.

To accept a specific Peer ID

1 Go to VPN > IPsec > Auto Key (IKE).
2 Select Create New Phase 1.
3 Select Aggressive mode.
4 For Peer Options, select Accept this peer ID. This option becomes visible only when Aggressive mode is selected.
5 Enter the string the other end of the tunnel used for its Local ID.
6 Configure the rest of the Phase 1 entry as required.
7 Select OK.
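The CLI equivalent of the GUI steps above, written for branch_1 (the static-IP end) so that it accepts only the peer ID that branch_2 presents. This is an added example, not configuration from the handbook; the interface, tunnel, ID and FQDN names, the proposal list and the pre-shared key are assumptions, and the `type ddns` / `remotegw-ddns` keywords should be checked against the CLI reference for your FortiOS build.

```fortios
# Added example (not from the handbook): route-based Phase 1 on branch_1 that
# accepts a single peer ID. The default, "accept any peer ID", is "set peertype any".
config vpn ipsec phase1-interface
    edit "to_branch_2"
        set interface "wan1"                      # assumed WAN interface name
        set type ddns                             # remote gateway is resolved by DNS lookup
        set remotegw-ddns "branch2.example.com"   # assumed FQDN registered with the DDNS service
        set mode aggressive                       # peer ID checking is only offered in aggressive mode
        set peertype one                          # GUI: "Accept this peer ID"
        set peerid "branch_2_vpn"                 # must match branch_2's Local ID string exactly
        set localid "branch_1_vpn"                # optional; if set, branch_2 must accept it
        set proposal aes128-sha1 3des-sha1        # assumed proposals; agree them with branch_2
        set psksecret "REPLACE_WITH_SHARED_SECRET"
    next
end
```

For a policy-based tunnel the same keywords go under `config vpn ipsec phase1` instead of `phase1-interface`. On branch_2, the mirror-image entry needs `set localid "branch_2_vpn"` so the string it sends is the one branch_1 is told to accept; a mismatch is rejected in Phase 1 and shows up in the IKE debug as a peer ID failure rather than as a traffic problem.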
Route-based or policy-based VPN

Dynamic DNS topology

VPN over dynamic DNS can be configured with either route-based or policy-based VPN settings. Both are valid, but they differ in configuration. Choose the method that best fits your requirements. For more information on route-based and policy-based VPNs, see “Types of VPNs” on page 21.

Route-based VPN configuration requires two security policies (one for each direction of traffic) to permit traffic over the VPN virtual interface, and you must also add a static route entry for that VPN interface or the VPN traffic will not reach its destination. See “Creating branch_2 route-based security policies” on page 107 and “Creating branch_1 route-based security policies” on page 112.

Policy-based VPN configuration uses more complex, and often more numerous, IPsec security policies, but does not require a static route entry. It has the benefit of letting you configure multiple policies that handle different protocols in different ways, such as applying more scanning to less secure protocols or guaranteeing a minimum bandwidth for protocols such as VoIP. See “Creating branch_2 policy-based security policies” on page 109 and “Creating branch_1 policy-based security policies” on page 113.
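The two policy styles side by side for branch_1, as an added example rather than the handbook's own configuration. It assumes a tunnel named `to_branch_2`, an internal interface `internal`, a WAN interface `wan1`, and the LAN subnets shown in the address objects; the `service "ANY"` name and the `edit 0` auto-numbering are as used in FortiOS 4.x and should be confirmed for your build.

```fortios
# Added example (not from the handbook). Address objects used by the
# policy-based variant; subnets are assumed.
config firewall address
    edit "branch_1_lan"
        set subnet 10.11.101.0 255.255.255.0
    next
    edit "branch_2_lan"
        set subnet 10.21.101.0 255.255.255.0
    next
end

# --- Route-based: a static route plus two accept policies, one per direction ---
# The Phase 1 was created with "config vpn ipsec phase1-interface", so the
# tunnel name is also a virtual interface that routes and policies can reference.
config router static
    edit 0
        set dst 10.21.101.0 255.255.255.0     # branch_2 LAN (assumed)
        set device "to_branch_2"              # without this route, traffic never enters the tunnel
    next
end
config firewall policy
    edit 0                                    # outbound: LAN -> tunnel
        set srcintf "internal"
        set dstintf "to_branch_2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0                                    # inbound: tunnel -> LAN
        set srcintf "to_branch_2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# --- Policy-based: no static route; the policy's addresses are the tunnel selector ---
# Here the Phase 1 must have been created with "config vpn ipsec phase1" (no interface mode).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"                    # the physical egress, not a tunnel interface
        set srcaddr "branch_1_lan"
        set dstaddr "branch_2_lan"
        set action ipsec
        set vpntunnel "to_branch_2"           # Phase 1 name
        set inbound enable                    # permit branch_2 -> branch_1 through the same policy
        set outbound enable                   # permit branch_1 -> branch_2
        set schedule "always"
        set service "ANY"
    next
end
```

The route-based pair is deliberately symmetric so that return traffic is matched by a policy of its own; in the policy-based form a single policy carries both directions, and a second policy-based entry with a narrower `service` (for example a VoIP service object) placed above this one is how the per-protocol handling the text describes is expressed.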
In this scenario, two branch offices each have a FortiGate unit and are connected in a gateway-to-gateway VPN configuration. One FortiGate unit has a domain name (example.com) with a dynamic IP address. See branch_2 in Figure 13.

Whenever the branch_2 unit connects to the Internet (and possibly also at predefined intervals set by the ISP), the ISP may assign a different IP address to the FortiGate unit. The unit has its domain name registered with a dynamic DNS service. The branch_2 unit checks in with the DDNS server on a regular basis, and that server provides the DNS information for the domain name, updating the IP address from time to time. Remote peers have to locate the branch_2 FortiGate unit through a DNS lookup each time to ensure the address they get is current and correct.
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 103<br />
http://docs.fortinet.com/