OSPF over dynamic IPsec

The following example shows how to create a dynamic (dial-up) IPsec VPN tunnel between two FortiGates and run OSPF across it, so that routes are learned dynamically instead of being added from the phase 2 selectors.

Configuring IPsec on FortiGate 1

  1. Go to Dashboard and enter the CLI Console widget.
  2. Create phase 1:

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret
    next
end

  3. Create phase 2:

config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end

Configuring OSPF on FortiGate 1

  1. Go to Dashboard and enter the CLI Console widget.
  2. Configure OSPF (router ID, backbone area, the network statement covering the mode-cfg pool, and redistribution):

config router ospf
    set router-id 172.20.120.22
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end

Adding policies on FortiGate 1

  1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up to port5.
  2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up.

Configuring IPsec on FortiGate 2

  1. Go to Dashboard and enter the CLI Console widget.
  2. Create phase 1:

config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set remote-gw 172.20.120.22
        set psksecret
    next
end

  3. Create phase 2:

config vpn ipsec phase2-interface
    edit "dial-up-client"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end

Configuring OSPF on FortiGate 2

  1. Go to Dashboard and enter the CLI Console widget.
  2. Configure OSPF (router ID, backbone area, the network statement covering the tunnel addresses, and redistribution):

config router ospf
    set router-id 172.20.120.15
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end

Adding policies on FortiGate 2

  1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up-client to port5.
  2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up-client.
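As an added check, not part of the original guide: the following Python script parses FortiOS CLI text of the kind entered above and verifies the settings this design depends on: mode-cfg enabled so the dial-up tunnel interface receives an address OSPF can use, add-route disabled so routes come from OSPF rather than the phase 2 selector, the mode-cfg pool falling inside an OSPF network statement, and no legacy algorithms (3DES, MD5) in the phase 1 or phase 2 proposals. The sample configuration is FortiGate 1's from this page with a placeholder PSK; the parser, the audit rules and the legacy-algorithm list are this example's own, not FortiOS functionality.

```python
import ipaddress
import shlex

# Constructed sample: FortiGate 1's phase1/phase2/OSPF configuration from the page; only the PSK is a placeholder.
FG1_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end
config router ospf
    set router-id 172.20.120.22
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
end
"""

# Algorithm-name prefixes treated as legacy (this example's list): 3DES and MD5 are deprecated for new VPNs.
LEGACY_PREFIXES = ("3des", "des-", "md5")


def _tokens(text):
    """Yield every non-empty CLI line as a shell-split token list (handles quoted names)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            yield shlex.split(line)


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config a b' -> "a b", 'edit x' -> "x", 'set k v1 v2' -> k: [v1, v2]."""
    toks = list(_tokens(text))
    pos = 0

    def block(terminator):
        nonlocal pos
        node = {}
        while pos < len(toks):
            t = toks[pos]
            pos += 1
            if t[0] == terminator:      # 'end' closes a config table, 'next' closes an edit entry
                break
            if t[0] == "config":
                node[" ".join(t[1:])] = block("end")
            elif t[0] == "edit":
                node[t[1]] = block("next")
            elif t[0] == "set":
                node[t[1]] = t[2:]
        return node

    return block(None)


def _legacy(proposals, where):
    return [f"{where}: legacy algorithm in proposal '{p}'"
            for p in proposals if p.startswith(LEGACY_PREFIXES)]


def audit(config):
    """Return findings; an empty list means the config matches what the guide relies on."""
    findings = []
    ospf = config.get("router ospf", {})
    ospf_nets = [ipaddress.ip_network(f"{v[0]}/{v[1]}", strict=False)
                 for v in (n.get("prefix") for n in ospf.get("network", {}).values()) if v]
    for name, p1 in config.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("mode-cfg") != ["enable"]:
            findings.append(f"{name}: mode-cfg not enabled; the tunnel interface gets no address for OSPF")
        if p1.get("add-route") != ["disable"]:
            findings.append(f"{name}: add-route not disabled; routes should come from OSPF, not the selector")
        findings += _legacy(p1.get("proposal", []), f"{name} phase1")
        # On the dial-up server the mode-cfg pool must fall inside an OSPF network statement.
        for key in ("ipv4-start-ip", "ipv4-end-ip"):
            for ip in p1.get(key, []):
                if not any(ipaddress.ip_address(ip) in net for net in ospf_nets):
                    findings.append(f"{name}: {key} {ip} is outside every OSPF network statement")
    for name, p2 in config.get("vpn ipsec phase2-interface", {}).items():
        findings += _legacy(p2.get("proposal", []), f"{name} phase2")
    return findings
```

Run against the page's FortiGate 1 configuration, `audit(parse_fortios(FG1_CONFIG))` returns exactly two findings, both for the 3des-sha1 proposals; everything else the design relies on checks out. Replacing those proposals with an AES/SHA-2 combination such as aes256-sha256 on both peers clears the findings, and the same script can be pointed at FortiGate 2's configuration (which has no mode-cfg pool, so only the proposal checks apply there).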

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

  1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
  2. From FortiGate 1, go to Dashboard, enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address       Interface
172.20.120.25     1   Full/ -    00:00:34    10.10.101.1   dial-up_0

  3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
  4. From FortiGate 2, go to Dashboard, enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address       Interface
172.20.120.22     1   Full/ -    00:00:30    10.10.101.2   dial-up_client
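As an added verification step, not part of the original guide: this Python snippet parses `get router info ospf neighbor` output of the form shown above and flags anything short of a Full adjacency on the dial-up tunnel interface, a neighbor address outside the mode-cfg pool that OSPF advertises, or a dead timer that has nearly run out. The Full sample is FortiGate 1's output from this page; the ExStart sample, the interface-prefix rule (FortiOS names dynamic tunnel instances `<phase1-name>_<n>`, as `dial-up_0` shows) and the dead-timer threshold are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: FortiGate 1's 'get router info ospf neighbor' output as shown on the page.
FG1_NEIGHBORS = """\
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address       Interface
172.20.120.25     1   Full/ -    00:00:34    10.10.101.1   dial-up_0
"""

# Constructed failure case (not from the page): a neighbor stuck in ExStart, the classic
# symptom of an MTU mismatch across the tunnel, where database description packets never complete.
STUCK_NEIGHBORS = """\
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address       Interface
172.20.120.25     1   ExStart/ - 00:00:34    10.10.101.1   dial-up_0
"""

# One neighbor row: ID, priority, state (FortiOS prints "Full/ -" with a space), dead time, address, interface.
NEIGHBOR_RE = re.compile(
    r"^(?P<id>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+(?:\s+-)?)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)


def parse_neighbors(output):
    """Return one dict per neighbor row; the 'OSPF process' and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["state"] = row["state"].replace(" ", "")   # "Full/ -" -> "Full/-"
            h, mi, s = (int(x) for x in row["dead"].split(":"))
            row["dead_seconds"] = h * 3600 + mi * 60 + s
            rows.append(row)
    return rows


def check_adjacency(output, tunnel, expected_net, min_dead_seconds=10):
    """Report problems with the adjacency over the dial-up tunnel.

    tunnel is the phase 1 name; FortiOS appends _<n> to each dynamic tunnel instance, so match on prefix.
    expected_net is the mode-cfg pool the OSPF network statement covers (10.10.101.0/24 on this page).
    With default 10 s hellos and a 40 s dead interval, a dead timer under 10 s means three hellos were missed.
    """
    net = ipaddress.ip_network(expected_net)
    rows = [r for r in parse_neighbors(output) if r["iface"].startswith(tunnel)]
    if not rows:
        return [f"no OSPF neighbor on interface {tunnel}*"]
    problems = []
    for r in rows:
        if not r["state"].startswith("Full"):
            problems.append(f"{r['id']} on {r['iface']} is {r['state']}, not Full")
        if ipaddress.ip_address(r["addr"]) not in net:
            problems.append(f"{r['id']} address {r['addr']} is outside {expected_net}")
        if r["dead_seconds"] < min_dead_seconds:
            problems.append(f"{r['id']} dead timer at {r['dead_seconds']}s; hellos may have stopped")
    return problems
```

`check_adjacency(FG1_NEIGHBORS, "dial-up", "10.10.101.0/24")` returns an empty list for the page's output, while the ExStart sample produces a single "not Full" problem. A neighbor that never reaches Full while the IPsec Monitor shows the tunnel up usually means OSPF is being passed by the tunnel but blocked or fragmented somewhere else: re-check the two firewall policies added above and the MTU across the path.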

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
