VTI-based VPN with dynamic IP on remote site


#1

I'm trying to set up an IPsec tunnel between a VyOS (static IP) and a Fortigate (dynamic IP).
I've managed to get a tunnel running using a name-based peer (@FGT00), but I cannot bind a name-based peer to a VTI interface:

    admin@lynx# commit
    [ vpn ]
    Error: an IP address is expected rather than "@FGT00"
    Cannot find device "vti0"
    Cannot find device "vti0"

    [[vpn]] failed
    Commit failed

Not sure why; I guess it's either by design or a bug/misconfig. I'm convinced it's the former but would like someone to confirm if that is the case.

Any other ideas on how to have an interface-mode VPN with a dynamic-IP remote peer? I've also tried NHRP (had this working against a Cisco router before), but the Fortigate doesn't seem to support NHRP (even though it supports GRE over IPsec).

Thanks all


#2

OK, so in the end I got this working by setting up GRE over the VPN: basically an IPsec tunnel with a private IP on the interface, and a GRE tunnel between those private IPs, which gives me a tun interface on the VyOS that I can route my traffic to.

Would prefer to simply use IPsec and bind it to a VTI, but it seems that is not possible for now.
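As an added example (this is not the poster's configuration; it is written in VyOS 1.2 "set" syntax, and the addresses, interface names, group names and the pre-shared secret are placeholders I chose), the GRE-over-IPsec arrangement described in #2 looks roughly like this on the VyOS side. A dummy interface carries the private GRE endpoint address, the IPsec selector carries only GRE (IP protocol 47) between the two private endpoints, and the tunnel interface is what the static routes point at:

```text
# VyOS side. Assumed placeholders: static WAN 203.0.113.1 on eth0,
# private GRE endpoints 10.255.0.1 (VyOS) and 10.255.0.2 (Fortigate),
# tunnel transit 10.255.1.0/30, remote LAN 192.168.20.0/24.

# Private GRE endpoint on a dummy interface so it is always up.
set interfaces dummy dum0 address 10.255.0.1/32

# IKE/ESP parameters: IKEv2, AES-256, SHA-256, DH group 14 with PFS.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group FGT-IKE key-exchange ikev2
set vpn ipsec ike-group FGT-IKE proposal 1 encryption aes256
set vpn ipsec ike-group FGT-IKE proposal 1 hash sha256
set vpn ipsec ike-group FGT-IKE proposal 1 dh-group 14
set vpn ipsec esp-group FGT-ESP pfs dh-group14
set vpn ipsec esp-group FGT-ESP proposal 1 encryption aes256
set vpn ipsec esp-group FGT-ESP proposal 1 hash sha256

# Name-based peer: the remote side has no fixed address, so it is
# identified only by its IKE ID (@FGT00) plus a PSK unique to this peer.
set vpn ipsec site-to-site peer @FGT00 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer @FGT00 authentication pre-shared-secret 'REPLACE-WITH-LONG-RANDOM-SECRET'
set vpn ipsec site-to-site peer @FGT00 authentication id '@lynx'
set vpn ipsec site-to-site peer @FGT00 authentication remote-id '@FGT00'
set vpn ipsec site-to-site peer @FGT00 ike-group FGT-IKE
set vpn ipsec site-to-site peer @FGT00 local-address 203.0.113.1

# Selector: only GRE between the two private endpoints rides the SA.
set vpn ipsec site-to-site peer @FGT00 tunnel 1 esp-group FGT-ESP
set vpn ipsec site-to-site peer @FGT00 tunnel 1 protocol gre
set vpn ipsec site-to-site peer @FGT00 tunnel 1 local prefix 10.255.0.1/32
set vpn ipsec site-to-site peer @FGT00 tunnel 1 remote prefix 10.255.0.2/32

# GRE tunnel between the private endpoints; this is the routable interface.
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.255.0.1
set interfaces tunnel tun0 remote-ip 10.255.0.2
set interfaces tunnel tun0 address 10.255.1.1/30
set interfaces tunnel tun0 mtu 1400
set interfaces tunnel tun0 description 'GRE over IPsec to FGT00'

# Route the remote LAN through the tunnel interface.
set protocols static interface-route 192.168.20.0/24 next-hop-interface tun0
```

The Fortigate side has to mirror this: local IKE ID FGT00, the same pre-shared secret, a phase-2 selector of 10.255.0.2/32 to 10.255.0.1/32 restricted to protocol 47, and a GRE tunnel from 10.255.0.2 to 10.255.0.1 with 10.255.1.2/30 on it. Because the peer is name-based VyOS can only respond, never initiate, so the Fortigate must bring the tunnel up and keep it alive (DPD or a keepalive ping across 10.255.1.0/30); until it does, tun0 has no working path. After commit, check `show vpn ipsec sa` for an established SA with the GRE selector, `show interfaces tunnel tun0`, and a ping to 10.255.1.2. Two cautions: with a name-based PSK peer the ID and the secret are the only things authenticating the remote site, so keep the secret long and unique per peer (or move to certificates), and the MTU of 1400 is a conservative guess for GRE plus ESP overhead that is worth tuning for the actual path.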