BGP over dynamic IPsec

The following example shows how to create a dynamic (dialup) IPsec VPN tunnel between two FortiGates and run BGP across it. FortiGate 1 accepts the dialup connection and FortiGate 2 initiates it; each side uses a loopback interface as its BGP source address, so the peering is between the two loopbacks rather than between the tunnel endpoints. The recipe is written for FortiOS 5.6.

Configuring IPsec on FortiGate 1

  1. Go to Policy & Objects > Addresses and select Create New > Address. This object represents FortiGate 2's loopback, which will be the BGP neighbor:

Name Remote_loop_int
Type Subnet
Subnet/IP Range 10.10.10.10/255.255.255.255
Interface any

  2. Create an Address Group. It is used as the phase 2 destination selector; it contains the remote loopback (so that a route to it is added through the tunnel when it comes up) and all (so that the selectors still match FortiGate 2, which configures no selectors of its own):

Group Name VPN_DST
Show in Address List enable
Members Remote_loop_int, all

  3. Go to Dashboard and enter the CLI Console widget.
  4. Create phase 1. The pre-shared key is not shown on the page; replace the placeholder with your own:

config vpn ipsec phase1-interface
    edit Dialup
        set type dynamic
        set interface wan1
        set mode aggressive
        set peertype one
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set peerid dial
        set assign-ip disable
        set psksecret <pre-shared key>
    next
end

type dynamic makes this end accept the tunnel from any source address, so peertype one with peerid dial is what restricts it to peers that present that ID (FortiGate 2 sets localid dial below). Two caveats on the cookbook's settings: 3DES and SHA-1 are deprecated, and IKEv1 aggressive mode with a pre-shared key transmits the peer ID and a PSK-derived hash in the clear, so a short or guessable key can be recovered offline by anyone who captures the exchange. Use a long random key and, where both peers support it, a stronger proposal such as aes256-sha256 with DH group 14 or higher; whatever you choose, the proposal lists must overlap on both FortiGates.

  5. Create phase 2. The source selector is all and the destination selector is the VPN_DST group; because the group includes the remote loopback, FortiGate 1 gets a route to 10.10.10.10 through the tunnel once it is up (a dialup phase 1 adds routes to the peer's destination selectors by default), so no static route is needed on this side:

config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set src-addr-type name
        set dst-addr-type name
        set src-name all
        set dst-name VPN_DST
    next
end

Configuring BGP on FortiGate 1

  1. Go to Network > Interfaces and create a Loopback interface named loop (the name is referenced by update-source and by the firewall policies below).
  2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.
  3. Go to Dashboard and enter the CLI Console widget.
  4. Configure BGP. The neighbor is FortiGate 2's loopback, and ebgp-enforce-multihop is required because the two loopbacks are not on a shared subnet:

config router bgp
    set as 100
    set router-id 1.1.1.1
    config neighbor
        edit 10.10.10.10
            set ebgp-enforce-multihop enable
            set remote-as 200
            set update-source loop
        next
    end
    config redistribute connected
        set status enable
    end
end

Redistributing connected routes is what advertises this FortiGate's loopback and LAN subnets to the peer. The BGP session itself is carried inside the IPsec tunnel, so it is already authenticated and encrypted by the SA; if you also want TCP MD5 on the session, configure set password under the neighbor on both ends.

Adding policies on FortiGate 1

  1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from the Dialup interface to the loop interface (Incoming Interface Dialup, Outgoing Interface loop, Service BGP).
  2. Create a second policy allowing BGP traffic from the loop interface to the Dialup interface (Incoming Interface loop, Outgoing Interface Dialup, Service BGP).

Without both policies the BGP packets sourced from, or destined to, the loopback are dropped even though the tunnel is up.

Configuring IPsec on FortiGate 2

  1. Go to Dashboard and enter the CLI Console widget.
  2. Create phase 1. remote-gw is FortiGate 1's wan1 address (172.20.120.22 in this example), localid must equal the peerid configured on FortiGate 1, and the pre-shared key must be the same on both ends:

config vpn ipsec phase1-interface
    edit Dialup
        set interface wan1
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set localid dial
        set remote-gw 172.20.120.22
        set assign-ip disable
        set psksecret <pre-shared key>
    next
end

  3. Create phase 2. No selectors are configured on this end, so it proposes 0.0.0.0/0 for both source and destination; keepalive keeps the phase 2 SA alive even when no traffic is flowing, so the BGP session is not torn down while idle:

config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set keepalive enable
    next
end

Configuring BGP on FortiGate 2

  1. Go to Network > Interfaces and create a Loopback interface named loop.
  2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.
  3. Go to Dashboard and enter the CLI Console widget.
  4. Configure BGP, mirroring FortiGate 1 (neighbor 20.20.20.20 is FortiGate 1's loopback and remote-as 100 is its AS):

config router bgp
    set as 200
    set router-id 1.1.1.2
    config neighbor
        edit 20.20.20.20
            set ebgp-enforce-multihop enable
            set remote-as 100
            set update-source loop
        next
    end
    config redistribute connected
        set status enable
    end
end

Adding policies on FortiGate 2

  1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from the Dialup interface to the loop interface (Incoming Interface Dialup, Outgoing Interface loop, Service BGP).
  2. Create a second policy allowing BGP traffic from the loop interface to the Dialup interface (Incoming Interface loop, Outgoing Interface Dialup, Service BGP).

Adding a static route on FortiGate 2

FortiGate 2 configured no phase 2 selectors, so unlike FortiGate 1 it does not learn a route to the remote loopback from the tunnel. Without this route, packets from loop to 20.20.20.20 would follow the default route out wan1 instead of entering the tunnel and the BGP session would never form. Go to Network > Static Routes and add a route to the remote Loopback interface via the Dialup interface:

Destination IP/Mask 20.20.20.20/255.255.255.255
Device Dialup
Administrative Distance 10
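The configuration above only works when several values mirror each other across the two FortiGates: FortiGate 1's peerid must equal FortiGate 2's localid, the pre-shared keys and proposals must match, each side's BGP neighbor must be the other side's loopback, and each remote-as must be the other side's AS. A typo in any of them (a loopback entered as 20.20.20 instead of 20.20.20.20, for example) fails silently. The following script is an added example, not code from the original recipe or from FortiOS: the Site class, check_pair() and render_bgp() are its own names, the addresses and AS numbers are the recipe's, the PSK is a made-up placeholder, and the proposal is a hardened substitute for the cookbook's 3des-sha1 aes128-sha1.

```python
"""Cross-check the values that must agree between the two FortiGates before
committing the configuration, and emit the BGP stanza for each side."""

from dataclasses import dataclass
import ipaddress


@dataclass
class Site:
    name: str
    asn: int
    router_id: str
    loopback: str      # /32 on the 'loop' interface, used as BGP update-source
    neighbor: str      # the peer's loopback, i.e. the configured BGP neighbor
    remote_asn: int
    ike_id: str        # FortiGate 1: peerid, FortiGate 2: localid
    psk: str
    proposal: str      # IKE proposal list, must be identical on both ends


def _valid_ipv4(addr: str) -> bool:
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


def check_pair(a: Site, b: Site) -> list:
    """Return the list of mismatches between two sites; empty means consistent."""
    problems = []
    for site in (a, b):
        for label, addr in (("loopback", site.loopback), ("neighbor", site.neighbor),
                            ("router-id", site.router_id)):
            if not _valid_ipv4(addr):
                problems.append(f"{site.name}: {label} {addr!r} is not a valid IPv4 address")
    if a.neighbor != b.loopback:
        problems.append(f"{a.name} peers with {a.neighbor} but {b.name}'s loopback is {b.loopback}")
    if b.neighbor != a.loopback:
        problems.append(f"{b.name} peers with {b.neighbor} but {a.name}'s loopback is {a.loopback}")
    if a.remote_asn != b.asn:
        problems.append(f"{a.name} remote-as {a.remote_asn} != {b.name} AS {b.asn}")
    if b.remote_asn != a.asn:
        problems.append(f"{b.name} remote-as {b.remote_asn} != {a.name} AS {a.asn}")
    if a.asn == b.asn:
        problems.append("both sites use the same AS; the recipe assumes eBGP (ebgp-enforce-multihop)")
    if a.ike_id != b.ike_id:
        problems.append(f"peerid {a.ike_id!r} on {a.name} != localid {b.ike_id!r} on {b.name}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    elif len(a.psk) < 20:
        problems.append("PSK shorter than 20 characters; aggressive mode exposes it to offline guessing")
    if a.proposal != b.proposal:
        problems.append(f"proposals differ: {a.proposal!r} vs {b.proposal!r}")
    return problems


def render_bgp(site: Site) -> str:
    """Emit the 'config router bgp' block for one site, mirroring the recipe's CLI."""
    return "\n".join([
        "config router bgp",
        f"    set as {site.asn}",
        f"    set router-id {site.router_id}",
        "    config neighbor",
        f"        edit {site.neighbor}",
        "            set ebgp-enforce-multihop enable",
        f"            set remote-as {site.remote_asn}",
        "            set update-source loop",
        "        next",
        "    end",
        "    config redistribute connected",
        "        set status enable",
        "    end",
        "end",
    ])


PSK = "example-only-placeholder-psk-0123456789"   # placeholder, not a real key
PROPOSAL = "aes256-sha256"                         # hardened substitute for 3des-sha1 aes128-sha1

# Values from the recipe: FortiGate 1 is the dialup server, FortiGate 2 the client.
fgt1 = Site("FortiGate 1", 100, "1.1.1.1", "20.20.20.20", "10.10.10.10", 200, "dial", PSK, PROPOSAL)
fgt2 = Site("FortiGate 2", 200, "1.1.1.2", "10.10.10.10", "20.20.20.20", 100, "dial", PSK, PROPOSAL)

if __name__ == "__main__":
    for problem in check_pair(fgt1, fgt2):
        print("MISMATCH:", problem)
    print(render_bgp(fgt1))
```

Run it before pasting the CLI into either box; with the recipe's values check_pair() returns an empty list, and changing FortiGate 1's loopback to the page's original "20.20.20" produces both an invalid-address finding and a neighbor/loopback mismatch.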

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up. From the CLI, diagnose vpn tunnel list shows the same information together with the negotiated selectors.

Results

  1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 (its loopback 10.10.10.10/32 and any other connected subnets) were advertised to FortiGate 1 via BGP.
  2. From FortiGate 1, go to Dashboard, enter the CLI Console widget and run the command below to verify BGP neighbors. In the output, a neighbor whose State/PfxRcd column shows a number is Established and has received that many prefixes; a state name such as Active, Idle or Connect means the session is not up.
  3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were advertised to FortiGate 2 via BGP, then run the same command from its CLI Console widget:

get router info bgp summary
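Reading the summary by eye is fine for two neighbors, but the same check is easy to automate. The following parser is an added example, not code from the original page or from FortiOS: the SAMPLE text is constructed to resemble the Quagga-style table that get router info bgp summary prints (the first row is the recipe's FortiGate 2 peer, the second is an invented never-established peer added to show a failing case), and parse_bgp_summary()/check_peering() are this script's own names.

```python
"""Parse the neighbor table printed by 'get router info bgp summary' and
decide whether each expected peering is Established and exchanging prefixes."""

import re

# Constructed sample output; not captured from the lab described on the page.
SAMPLE = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200      12      14        3    0    0 00:05:12        1
10.10.10.11     4   300       0       0        0    0    0 never    Active

Total number of neighbors 2
"""

# One neighbor row: IP, BGP version, remote AS, five counters, Up/Down, then
# either a prefix count (session Established) or a state name such as Active.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_bgp_summary(text):
    """Return {neighbor_ip: info} for every neighbor row in the summary output."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        established = state.isdigit()   # a bare number is the received-prefix count
        neighbors[m.group("ip")] = {
            "remote_as": int(m.group("asn")),
            "established": established,
            "prefixes_received": int(state) if established else 0,
            "state": "Established" if established else state,
            "up_down": m.group("updown"),
        }
    return neighbors


def check_peering(text, expected):
    """expected maps neighbor IP -> remote AS as configured under 'config neighbor'.
    Returns a list of problems; empty means every expected peer is Established
    and has sent at least one prefix."""
    found = parse_bgp_summary(text)
    problems = []
    for ip, asn in expected.items():
        n = found.get(ip)
        if n is None:
            problems.append(f"{ip}: not listed; neighbor missing from config router bgp")
        elif n["remote_as"] != asn:
            problems.append(f"{ip}: remote-as {n['remote_as']} configured, expected {asn}")
        elif not n["established"]:
            problems.append(f"{ip}: state {n['state']}; check tunnel, static route and BGP policies")
        elif n["prefixes_received"] == 0:
            problems.append(f"{ip}: Established but 0 prefixes; check redistribute connected on the peer")
    return problems


if __name__ == "__main__":
    for ip, info in parse_bgp_summary(SAMPLE).items():
        print(ip, info["state"], info["prefixes_received"])
    print(check_peering(SAMPLE, {"10.10.10.10": 200}) or "peering OK")
```

Feed it the real output captured from each FortiGate and pass the neighbor/AS pairs from the recipe (10.10.10.10 with AS 200 on FortiGate 1, 20.20.20.20 with AS 100 on FortiGate 2); an Established session that shows 0 prefixes usually means the peer's redistribute connected is not enabled.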

 


This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
