OSPF over dynamic IPsec

OSPF over dynamic IPsec

This example shows how to create a dynamic IPsec VPN tunnel that allows OSPF.

 

Configuring IPsec on FortiGate 1

1. Go to Dashboard and enter the CLI Console widget

2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up”

set type dynamic

set interface “wan1” set mode-cfg enable

set proposal 3des-sha1 set add-route disable

set ipv4-start-ip 10.10.101.0 set ipv4-end-ip 10.10.101.255 set psksecret

next end

3. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-p2”

set phase1name “dial-up”

set proposal 3des-sha1 aes128-sha1 next

end

 

Configuring OSPF on FortiGate 1

1. Go to Dashboard and enter the CLI Console widget.

2. Create OSPF route.

config router ospf

set router-id 172.20.120.22 config area

edit 0.0.0.0 next

end

config network edit 1

set prefix 10.10.101.0 255.255.255.0 next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

 

Adding policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dialup to port5.

2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dialuinterfaces.

 

Configuring IPsec on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget

2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up-client”

set interface “wan1” set mode-cfg enable

set proposal 3des-sha1 set add-route disable

set remote-gw 172.20.120.22 set psksecret

next end

3. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-client”

set phase1name “dial-up-client”

set proposal 3des-sha1 aes128-sha1 set auto-negotiate enable

next end

 

Configuring OSPF on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget.

2. Create OSPF route.

config router ospf

set router-id 172.20.120.15 config area

edit 0.0.0.0 next

end

config network edit 1

set prefix 10.10.101.0 255.255.255.0 next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

 

Adding policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dialupclient to port5.

2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dialupclieninterfaces.

 

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

 

Results

1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.

2. From FortiGate 1, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

OSPF process 0:

Neighbor     ID Pri State Dead Time    Address Interface

172.20.120.25 1 Full /    –  00:00:34 10.10.101.1 dial-up_0

3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.

4. From FortiGate 2, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

OSPF process 0:

Neighbor     ID Pri State Dead Time    Address    Interface

172.20.120.22 1 Full /    –  00:00:30 10.10.101.2 dial-up_client

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.