1. Configuring IPsec in FortiGate 1
Go to System > Status to look for the CLI Console widget and create phase 1.
config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret
    next
end
Create phase 2.
config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end
2. Configuring OSPF in FortiGate 1
Go to System > Status to look for the CLI Console widget and create OSPF route.
config router ospf
    set router-id 172.20.120.22
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end
3. Adding policies in FortiGate 1
Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up to port5.
Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to the dial-up interface.
4. Configuring IPsec in FortiGate 2
Go to System > Status to look for the CLI Console widget and create phase 1.
config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set remote-gw 172.20.120.22
        set psksecret
    next
end
Create phase 2.
config vpn ipsec phase2-interface
    edit "dial-up-client-p2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end
5. Configuring OSPF in FortiGate 2
Go to System > Status to look for the CLI Console widget and create OSPF route.
config router ospf
    set router-id 172.20.120.25
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end
6. Adding policies in FortiGate 2
Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up-client to port5.
Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to the dial-up-client interface.
8. Verifying that the tunnel is up
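Before moving on to verification, it is worth checking the two configurations against each other, because the usual reasons this recipe fails to produce an adjacency are a phase1/phase2 proposal mismatch, a phase2 that names the wrong phase1, an empty psksecret, or an OSPF network statement that does not cover the mode-cfg pool (so OSPF never runs on the tunnel interface). The 3des-sha1 proposals used above also deserve a flag: 3DES is deprecated under NIST SP 800-131A, and AES proposals should be preferred. The following Python script is an added example, not Fortinet tooling: it parses FortiOS config/edit/set/next/end text into dictionaries and runs those checks on trimmed, constructed copies of the CLI blocks from steps 1, 2, 4 and 5 (the PSK left blank as on the page). The DEPRECATED set and all finding messages are this example's own choices.

```python
import ipaddress
import shlex

# Constructed copies of the recipe's CLI blocks, trimmed to the tables the audit
# reads (phase1, phase2, OSPF network). The PSK is left blank, as on the page.
OSPF = """\
config router ospf
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
end
"""
FG1 = """\
config vpn ipsec phase1-interface
    edit "dial-up"
        set mode-cfg enable
        set proposal 3des-sha1
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end
""" + OSPF
FG2 = """\
config vpn ipsec phase1-interface
    edit "dial-up-client"
        set mode-cfg enable
        set proposal 3des-sha1
        set psksecret
    next
end
config vpn ipsec phase2-interface
    edit "dial-up-client-p2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
    next
end
""" + OSPF
DEPRECATED = {"des", "3des", "md5"}  # deprecated or disallowed by NIST SP 800-131A


def parse_fortios(text):
    """config/edit/set/next/end text -> nested dicts keyed by table, entry, attribute."""
    stack = [{}]
    for raw in text.splitlines():
        words = shlex.split(raw)  # honours the quotes around names
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]  # [] when the value is missing
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return stack[0]


def audit(local_text, peer_text):
    """Findings for the local box; the peer config only serves the proposal-overlap check."""
    local, peer = parse_fortios(local_text), parse_fortios(peer_text)
    findings, tables = [], {}
    for kind in ("phase1", "phase2"):
        key = f"vpn ipsec {kind}-interface"
        tables[kind] = local.get(key, {})
        peer_props = set().union(*(set(e.get("proposal", [])) for e in peer.get(key, {}).values()))
        for name, entry in tables[kind].items():
            props = set(entry.get("proposal", []))
            for prop in sorted(props):
                weak = set(prop.split("-")) & DEPRECATED
                if weak:
                    findings.append(f"{kind} {name}: proposal {prop} uses deprecated {sorted(weak)}")
            if props and peer_props and not props & peer_props:
                findings.append(f"{kind} {name}: no proposal in common with the peer")
    p1, p2 = tables["phase1"], tables["phase2"]
    for name, ph1 in p1.items():
        if not ph1.get("psksecret"):
            findings.append(f"phase1 {name}: psksecret has no value")
    for name, ph2 in p2.items():
        if ph2.get("phase1name", [""])[0] not in p1:
            findings.append(f"phase2 {name}: phase1name does not match any phase1")
    # The mode-cfg pool exists only on the server side, so read it from whichever
    # box defines it; a local OSPF network statement must cover it, otherwise OSPF
    # never runs on the tunnel interface and no adjacency forms.
    nets = [ipaddress.ip_network("/".join(e["prefix"]), strict=False)
            for e in local.get("router ospf", {}).get("network", {}).values()]
    for ph1 in list(p1.values()) + list(peer.get("vpn ipsec phase1-interface", {}).values()):
        if "ipv4-start-ip" in ph1:
            lo, hi = (ipaddress.ip_address(ph1[k][0]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
            if not any(lo in n and hi in n for n in nets):
                findings.append(f"OSPF network statements do not cover the mode-cfg pool {lo}-{hi}")
    return findings
```

Running `audit(FG1, FG2)` on the recipe's own values reports three findings (the 3DES proposal in phase1 and in phase2, and the empty psksecret); the pool and proposal-overlap checks pass. Changing only one side to an AES proposal (for instance `aes256-sha256`) makes the overlap check fire instead, which is exactly the mismatch that leaves the tunnel down with no OSPF neighbor.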
Go to VPN > Monitor > IPsec Monitor to verify that the tunnel is Up.
9. Results
From FortiGate 1, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
From FortiGate 1, go to System > Status to look for the CLI Console widget and type this command to verify OSPF neighbors.
get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State       Dead Time   Address       Interface
172.20.120.25     1   Full/ -     00:00:34    10.10.101.1   dial-up_0
From FortiGate 2, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
From FortiGate 2, go to System > Status to look for the CLI Console widget and type this command to verify OSPF neighbors.
get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State       Dead Time   Address       Interface
172.20.120.22     1   Full/ -     00:00:30    10.10.101.2   dial-up-client
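Reading the neighbor table by eye is fine for two boxes; when this recipe is repeated for many dial-up clients it helps to parse the output and assert on it. The script below is an added example, not part of the recipe or of FortiOS: it parses `get router info ospf neighbor` output into records and checks that each expected router-id has reached the Full state on the expected tunnel interface. The sample output is constructed: the first row is the FortiGate 1 table from the results above, the second row is a made-up extra dial-up instance (router-id 172.20.120.26, interface dial-up_1) stuck in ExStart to show a failing case. The interface check uses a prefix match because a dynamic phase1 named "dial-up" shows up as dial-up_0, dial-up_1 and so on.

```python
import re

# Constructed sample: the FortiGate 1 neighbor table from the recipe, plus a
# made-up second dial-up instance whose neighbor never gets past ExStart.
NEIGHBOR_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State        Dead Time   Address       Interface
172.20.120.25     1   Full/ -      00:00:34    10.10.101.1   dial-up_0
172.20.120.26     1   ExStart/ -   00:00:39    10.10.101.3   dial-up_1
"""

# One neighbor row. As in the recipe's output, the state column carries a
# space ("Full/ -") on point-to-point links, so it is matched as
# "<state>/<optional space><role>" rather than as a single token.
ROW = re.compile(r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
                 r"(?P<state>\S+/\s?\S+)\s+(?P<dead>\d\d:\d\d:\d\d)\s+"
                 r"(?P<addr>\S+)\s+(?P<ifname>\S+)\s*$")


def parse_neighbors(text):
    """Return one dict per neighbor row; the process and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["dead"].split(":"))
        rows.append({"router_id": m["rid"], "priority": int(m["pri"]),
                     "state": m["state"].split("/")[0],
                     "dead_seconds": h * 3600 + mi * 60 + s,
                     "address": m["addr"], "interface": m["ifname"]})
    return rows


def check_adjacencies(text, expected):
    """expected maps router-id -> interface name (prefix match, because a dynamic
    phase1 such as "dial-up" appears as dial-up_0, dial-up_1, ...). Returns a list
    of problems; an empty list means every expected neighbor is Full."""
    seen = {r["router_id"]: r for r in parse_neighbors(text)}
    problems = []
    for rid, ifname in expected.items():
        r = seen.get(rid)
        if r is None:
            problems.append(f"{rid}: not seen on {ifname}; check that the tunnel is up, "
                            "the OSPF policies, and the network statement")
        elif r["state"] != "Full":
            hint = (" (stuck in ExStart/Exchange commonly indicates an MTU mismatch "
                    "on the tunnel)" if r["state"] in ("ExStart", "Exchange") else "")
            problems.append(f"{rid}: state {r['state']} on {r['interface']}{hint}")
        elif not r["interface"].startswith(ifname):
            problems.append(f"{rid}: adjacency formed on {r['interface']}, expected {ifname}")
    return problems
```

With `check_adjacencies(NEIGHBOR_OUTPUT, {"172.20.120.25": "dial-up"})` the result is an empty list, matching the healthy state shown in the results above; adding the made-up 172.20.120.26 to the expected set produces the ExStart problem with its MTU hint, and an expected router-id that never appears is reported as missing.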