
Use DDNS to solve the dynamic IP problem in L2TP over IPSec


Problem Description

After communicating with the L1 engineer by email at 2018-4-11 15:30, the problem is: "Hi, Our ISP is providing dynamic IP but we need VPN for our remote users to access our network, please let us know how we can do that? Can we use FQDN on our firewall USG 6370?" L1 wants it resolved ASAP; the solution should be supplied before 2018-4-20.

Problem Analysis


The customer topology is shown in the screenshots below:



First, please understand the solution:


  1. The terminal must be able to reach the USG before L2TP over IPSec can work. The following link is the configuration procedure for L2TP over IPSec:

    http://support.huawei.com/hedex/pages/EDOC1000154459AEG0822T/05/EDOC1000154459AEG0822T/05/resources/admin/sec_ngfw_case_0083.html?ft=0&fe=10&hib=6.11.2.12.3.11&id=sec_ngfw_case_0083&text=Web%3A%20Example%20for%20Configuring%20L2TP%20over%20IPSec%20to%20Allow%20Mobile%20Users%20to%20Access%20the%20Headquarters%20Using%20iOS%20Terminals&docid=EDOC1000154459

    Attention: the server address configured on the terminal is the DDNS domain name.

  2. Because the IP on the modem is dynamic, we should use DDNS to bind a domain name, so that the terminal can use a domain name (like xxxx.com) to reach the modem.

    The following link is the configuration procedure for DDNS (in the last step, Bound Interface, bind the uplink interface that connects to the modem):

    http://support.huawei.com/hedex/pages/EDOC1000154459AEG0822T/05/EDOC1000154459AEG0822T/05/resources/admin/sec_admin_network_dns_0021.html?ft=0&fe=10&hib=6.6.10.5.5&id=sec_admin_network_dns_0021&text=Configuring%20DDNS&docid=EDOC1000154459


  3. Then the modem must perform destination NAT so that traffic sent to the public IP reaches the USG.


The three points above are the solution for using DDNS with L2TP over IPSec.


And we should make sure of the following:


  1. The modem must support destination NAT (like the command "nat server" on the USG).

  2. The customer should apply for a DDNS account.

  3. L2TP over IPSec must be configured correctly on the USG.


Root Cause


Because the public IP is dynamic, we can use DDNS bound to the outbound interface; then the phone user can access L2TP over IPSec using a domain name.


Solution Description


  • FQDN: we tested it and it is not a valid solution.

  • To overcome this issue we need to use a hostname instead.

  • We need DDNS to update the hostname (xxx.com) with the dynamic public IP.

  • The ISP modem must be able to do destination NAT.

  • This is similar to server mapping on the firewall, as below:

    nat server policy_web 0 protocol tcp global interface GigabitEthernet1/0/1 www inside 10.1.1.3 8080

  • If this function is not supported by the ISP modem, then the solution is not applicable.

  • You have to subscribe with a third-party DDNS company to publish the dynamic public IP and keep the hostname updated.

  • An example for DDNS is linked here.

  • The L2TP over IPSec configuration won't change, as in the documentation here.

  • Only the configuration on the mobile client will change.
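The solution above rests on two things that are easy to get wrong in practice: the DDNS record must actually follow the modem's current public IP, and the modem's destination NAT must forward the VPN ports to the USG. The following script is an added example, not from the original post or from Huawei documentation, that audits both offline. It assumes the modem's mappings are written in the same "nat server" syntax the post shows for the USG (a real ISP modem will use its own interface), that the required forwards are the standard ports for L2TP over IPSec through NAT (UDP 500 for IKE and UDP 4500 for NAT-T, which carries the encrypted L2TP traffic), and the hostname vpn.example.com and all addresses are constructed sample values.

```python
"""Added example (not from the original post or Huawei documentation): an
offline audit of two prerequisites from the case above. A DDNS hostname must
resolve to the modem's current public IP, and the ISP modem's destination NAT
must forward the L2TP over IPSec ports to the USG.

Assumptions: 'nat server' lines are used as the mapping syntax (borrowed from
the USG command on the page; an ISP modem has its own interface), the required
ports are UDP 500 (IKE) and UDP 4500 (NAT-T), and every hostname and address
below is a constructed sample value.
"""
import re
import socket

# Port keywords accepted in place of a number; "www" is the one the page uses.
PORT_NAMES = {"www": 80}

# (protocol, port) pairs the modem must forward to the USG for L2TP over IPSec
# behind NAT. Assumption based on the standard IKE / NAT-T ports.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}

# nat server <name> [id] protocol <tcp|udp> global {interface <if> | <ip>} <port> inside <ip> <port>
NAT_SERVER_RE = re.compile(
    r"^nat server\s+(?P<name>\S+)\s+(?:(?P<id>\d+)\s+)?"
    r"protocol\s+(?P<proto>tcp|udp)\s+"
    r"global\s+(?:interface\s+(?P<iface>\S+)|(?P<gip>\d+\.\d+\.\d+\.\d+))\s+(?P<gport>\S+)\s+"
    r"inside\s+(?P<iip>\d+\.\d+\.\d+\.\d+)\s+(?P<iport>\S+)\s*$"
)


def _port(token):
    """Turn a port keyword or decimal number into an int."""
    return PORT_NAMES.get(token.lower()) or int(token)


def parse_nat_server(line):
    """Parse one 'nat server' command into a dict, or return None if it does not match."""
    m = NAT_SERVER_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "protocol": m.group("proto"),
        "global": m.group("iface") or m.group("gip"),
        "global_port": _port(m.group("gport")),
        "inside_ip": m.group("iip"),
        "inside_port": _port(m.group("iport")),
    }


def missing_forwards(config_lines, usg_ip, required=REQUIRED_FORWARDS):
    """Return the (protocol, port) pairs in `required` that no rule forwards to usg_ip.

    IKE expects its ports to survive NAT unchanged, so only rules that keep the
    same port on the outside and inside count as covering a requirement.
    """
    covered = set()
    for line in config_lines:
        rule = parse_nat_server(line)
        if rule is None or rule["inside_ip"] != usg_ip:
            continue
        if rule["global_port"] == rule["inside_port"]:
            covered.add((rule["protocol"], rule["global_port"]))
    return required - covered


def ddns_in_sync(hostname, current_public_ip, resolve=socket.gethostbyname):
    """True if the DDNS record for hostname currently points at the modem's public IP.

    `resolve` is injectable so the check can run offline with a fake resolver;
    a lookup failure counts as out of sync rather than raising.
    """
    try:
        return resolve(hostname) == current_public_ip
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: the page's own 'nat server' line plus two mappings
    # for the VPN ports, all pointing the VPN ports at the USG at 10.1.1.2.
    modem_rules = [
        "nat server policy_web 0 protocol tcp global interface GigabitEthernet1/0/1 www inside 10.1.1.3 8080",
        "nat server vpn_ike 1 protocol udp global interface GigabitEthernet1/0/1 500 inside 10.1.1.2 500",
        "nat server vpn_natt 2 protocol udp global interface GigabitEthernet1/0/1 4500 inside 10.1.1.2 4500",
    ]
    print("missing forwards to USG:", missing_forwards(modem_rules, "10.1.1.2"))
    # Constructed DDNS answer standing in for a live lookup.
    fake_dns = {"vpn.example.com": "203.0.113.10"}.get
    print("DDNS in sync:", ddns_in_sync("vpn.example.com", "203.0.113.10", resolve=fake_dns))
```

Run it as-is to see the constructed sample pass; to check a real deployment, call `missing_forwards` with the modem's exported mappings and `ddns_in_sync` with the default resolver and the public IP the modem currently reports. An empty set from `missing_forwards` and `True` from `ddns_in_sync` are the conditions under which the mobile client can reach the USG by the DDNS hostname.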
