BGP over dynamic IPsec
The following example shows how to create a dynamic IPsec VPN tunnel that allows BGP.
Configuring IPsec on FortiGate 1
- Go to Policy & Objects > Addresses and select create new Address.
| Name | Remote_loop_int |
| Type | Subnet |
| Subnet/IP Range | 10.10.10.10 |
| Interface | any |
- Create an Address Group.
| Group Name | VPN_DST |
| Show in Address List | enable |
| Members | Remote_loop_int
all |
- Go to Dashboard and enter the CLI Console widget.
- Create phase 1:
config vpn ipsec phase1-interface edit Dialup set type dynamic set interface wan1 set mode aggressive set peertype one set mode-cfg enable set proposal 3des-sha1 aes128-sha1 set peerid dial set assign-ip disable set psksecret
next
end
- Create phase 2:
config vpn ipsec phase2-interface edit dial_p2 set phase1name Dialup set proposal 3des-sha1 aes128-sha1 set src-addr-type name set dst-addr-type name set src-name all set dst-name VPN_DST next
BGP over dynamic IPsec
end
Configuring BGP on FortiGate 1
- Go to Network > Interfaces and create a Loopback interface.
- Set IP/Network Mask to 20.20.20/255.255.255.255.
- Go to Dashboard and enter the CLI Console widget.
- Create a BGP route.
config router bgp set as 100 set router-id 1.1.1.1 config neighbor edit 10.10.10.10 set ebgp-enforce-multihop enable set remote-as 200 set update-source loop
next
end
config redistribute connected set status enable
end
end
Adding policies on FortiGate 1
- Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces. 2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.
Configuring IPsec on FortiGate 2
- Go to Dashboard and enter the CLI Console widget.
- Create phase 1:
config vpn ipsec phase1-interface edit Dialup set interface wan1 set mode aggressive set mode-cfg enable
set proposal 3des-sha1 aes128-sha1 set localid dial set remote-gw 172.20.120.22 set assign-ip disable set psksecret
next
end
- Create phase 2:
config vpn ipsec phase2-interface edit dial_p2 set phase1name Dialup
set proposal 3des-sha1 aes128-sha1 set keepalive enable
next end
BGP over dynamic IPsec
Configuring BGP on FortiGate 2
- Go to Network > Interfaces and create a Loopback interface.
- Set IP/Network Mask to 10.10.10/255.255.255.255.
- Go to Dashboard and enter the CLI Console
- Create a BGP route.
config router bgp set as 200 set router-id 1.1.1.2 config neighbor edit 20.20.20.20 set ebgp-enforce-multihop enable set remote-as 100 set update-source loop
next
end
config redistribute connected set status enable
end
end
Adding policies on FortiGate 2
- Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces. 2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.
Adding a static route on FortiGate 2
Go to Network > Static Routes and add a route to the remote Loopback interface via Dialup interface.
| Destination IP/Mask | 20.20.20.20/255.255.255.255 |
| Device | Dialup |
| Administrative Distance | 10 |
Verifying the tunnel is up
Go to Monitor > IPsec Monitor to verify that the tunnel is Up.
Results
- From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
- From FortiGate 1, go to Dashboard.
- Enter the CLI Console widget and type this command to verify BGP neighbors:
get router info bgp summary
BGP over dynamic IPsec
- From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
- From FortiGate 2, go to Dashboard.
- Enter the CLI Console widget and type this command to verify BGP neighbors:
get router info bgp summary