FortiOS 5.2 Expert Recipe: OSPF over dynamic IPsec VPN

Source: Internet
Author: User
Keywords OSPF IPsec VPN
Tags forticloud fortios fortinet vpn port fortigate ipsec vpn ospf vpn

1. Configuring IPsec in FortiGate 1

Go to System > Status to look for the CLI Console widget and create phase 1.

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret 
    next
end

Create phase 2.

config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end

2. Configuring OSPF in FortiGate 1

Go to System > Status to look for the CLI Console widget and create OSPF route.

config router ospf
    set router-id 172.20.120.22
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 10.10.101.0 255.255.255.0
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
            set status enable
        end
end

 3. Adding policies in FortiGate 1

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up to port5.

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to dial-up interfaces.

4. Configuring IPSec in FortiGate 2

Go to System > Status to look for the CLI Console widget and create phase 1.

config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set remote-gw 172.20.120.22
        set psksecret
    next
end

Create phase 2.

config vpn ipsec phase2-interface
    edit "dial-up-client-p2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end

5. Configuring OSPF in FortiGate 2

Go to System > Status to look for the CLI Console widget and create OSPF route.

config router ospf
    set router-id 172.20.120.25
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 10.10.101.0 255.255.255.0
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
            set status enable
        end
end

6. Adding policies in FortiGate 2

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up-client to port5.

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to dial-up-client interfaces.

8. Verifying tunnel is up

Go to VPN > Monitor > IPsec Monitor to verify that the tunnel is Up.

9. Results

From FortiGate 1, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.  

From FortiGate 1, go to System > Status to look for the CLI Console widget and type this command to verify OSPF neighbors.

get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
172.20.120.25     1   Full/ -    00:00:34    10.10.101.1     dial-up_0

From FortiGate 2, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.

From FortiGate 2, go to System > Status to look for the CLI Console widget and type this command to verify OSPF neighbors.

get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State   Dead Time   Address      Interface
172.20.120.22     1   Full/ - 00:00:30    10.10.101.2  dial-up-client
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.