Site to Site VPN with Dynamic DNS
hi,
I have been able to set up site-to-site VPN with dynamic DNS to the point it almost works.
My problem is that for the other site I am not able to set the public address as WAN address. The operator makes a NAT that I can't do anything about. Is there any way to tell the VPN to use Dynamic DNS for the local IP address resolution instead of the WAN address given by the operator through DHCP? If there is, what configurations will be needed?
The log on the site that has the dynamic address behind the operator NAT looks like this:
The log on the site that has the proper public ip looks like this:
Some of the log rows show that the other site is able to send a message back (the [auth] line), and some lines show that the target IP on some of these is the IP behind the NAT (part of the IKE SA log lines and the cookie pair line).
If the operator NAT side can't port forward 500 or 4500, the public IP site can be set to Dynamic Address; the side that has NAT can then connect out to the site-to-site with the public IP.
Hi @jtk,
From the logs you shared, it looks like the issue is caused by an IP mismatch because the firewall is behind the uplink NAT router during the VPN negotiation. This leads to a situation where the IPsec negotiation fails and prevents the tunnel from completing successfully.
Here are two approaches that may help resolve the issue you are facing:
- Enable port forwarding on the NAT router (UDP 500 and 4500)
  - IPsec VPN relies on UDP ports 500 (IKE) and 4500 (NAT-T) for tunnel establishment and negotiation.
  - Without these ports being forwarded, the firewall behind NAT can only initiate the connection, but it cannot reliably accept or respond to inbound VPN traffic.
  - By configuring the NAT router to forward UDP 500 and 4500 to your firewall, the device behind NAT can properly receive VPN traffic and behave as if it had the public IP directly.
- Assign a public IP directly to the firewall
  - If your ISP provides a public IP range, you can assign one of those public IPs directly to the firewall instead of relying on the NAT router.
  - In this case, the firewall itself will hold the public IP, which eliminates the mismatch between the internal IP and the real public IP.
  - This ensures that VPN negotiation can be completed smoothly without IP identity conflicts.
Additionally, as @PeterUK suggested, another practical approach is to configure the public IP site with Dynamic Address and always let the firewall behind NAT initiate the VPN connection. This method avoids the need for port forwarding and may be worth trying as well.
Zyxel Tina
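The IP mismatch described in the reply above is exactly what IKEv2's NAT detection catches (RFC 7296, section 2.23): each side hashes the SPIs together with the address and port it believes it is using, and the peer recomputes the hash from the address it actually sees on the packet. The script below is an added illustration, not code from Zyxel or from this thread; the SPIs and addresses are constructed (100.64.0.2 stands in for the operator-NAT WAN address, 198.51.100.77 for the address the operator's NAT presents, 203.0.113.10 for the site with a proper public IP).

```python
import hashlib
import ipaddress
import struct

# Constructed sample values, not taken from the thread.
SPI_I = bytes.fromhex("0123456789abcdef")   # initiator SPI (8 bytes)
SPI_R = bytes.fromhex("fedcba9876543210")   # responder SPI (8 bytes)
INITIATOR_CLAIMED_SRC = ("100.64.0.2", 500)      # WAN address handed out by the operator's DHCP
INITIATOR_CLAIMED_DST = ("203.0.113.10", 500)    # peer with a real public IP
RESPONDER_SEEN_SRC = ("198.51.100.77", 41234)    # what the operator NAT turned the packet into
RESPONDER_SEEN_DST = ("203.0.113.10", 500)       # responder's own address, unchanged


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | Port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    ip_bytes = ipaddress.ip_address(ip).packed          # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, claimed_src, claimed_dst, seen_src, seen_dst):
    """Responder-side check.

    claimed_*: (ip, port) the initiator hashed into NAT_DETECTION_SOURCE_IP /
               NAT_DETECTION_DESTINATION_IP, i.e. what it thinks the addresses are.
    seen_*:    (ip, port) the responder observes on the received UDP datagram.
    A hash that no longer matches means a NAT rewrote that side of the packet;
    the peers then float to UDP 4500 (NAT-T) and the NATed side must initiate.
    """
    src_sent = nat_detection_hash(spi_i, spi_r, *claimed_src)
    dst_sent = nat_detection_hash(spi_i, spi_r, *claimed_dst)
    src_seen = nat_detection_hash(spi_i, spi_r, *seen_src)
    dst_seen = nat_detection_hash(spi_i, spi_r, *seen_dst)
    return {
        "initiator_behind_nat": src_sent != src_seen,
        "responder_behind_nat": dst_sent != dst_seen,
    }


if __name__ == "__main__":
    result = detect_nat(SPI_I, SPI_R, INITIATOR_CLAIMED_SRC, INITIATOR_CLAIMED_DST,
                        RESPONDER_SEEN_SRC, RESPONDER_SEEN_DST)
    print(result)
    if result["initiator_behind_nat"]:
        print("Use NAT-T on UDP 4500; let the NATed site initiate (peer set to Dynamic Address).")
```

Swapping the constructed `RESPONDER_SEEN_SRC` for the claimed address reproduces the no-NAT case, where both hashes match and the exchange can stay on UDP 500.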
Thank you for both the answers. It seems that in my case, it is best to select the site behind NAT to be the one that establishes the connection.
For some reason I can't seem to find the place in Nebula for this setting. Could you please point me to the correct instructions or tell me in which part of the settings it can be found?