Protecting OSPF with IPsec

Protecting OSPF with IPsec

For enhanced security, OSPF dynamic routing can be carried over IPsec VPN links. The following topics are included in this section:

Configuration overview

This chapter shows an example of OSPF routing conducted over an IPsec tunnel between two FortiGate units. The network shown below is a single OSPF area. FortiGate_1 is an Area border router that advertises a static route to 10.22.10.0/24 in OSPF. FortiGate_2 advertises its local LAN as an OSPF internal route.

OSPF over an IPsec VPN tunnel

The section Configuration overview describes the configuration with only one IPsec VPN tunnel, tunnel_wan1. Then, the section Configuration overview  describes how you can add a second tunnel to provide a redundant backup path. This is shown above as VPN tunnel “tunnel_wan2”.

Only the parts of the configuration concerned with creating the IPsec tunnel and integrating it into the OSPF network are described. It is assumed that security policies are already in place to allow traffic to flow between the interfaces on each FortiGate unit.

OSPF over IPsec configuration

There are several steps to the OSPF-over-IPsec configuration:

 

  • Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
  • Configure a static route to the other FortiGate unit.
  • Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.

This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section Configuration overview on page 197.

Configuring the IPsec VPN

A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.

Configuring Phase 1

  1. Define the Phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see Phase 1 parameters on page 52. Enter these settings in particular:
Name Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface.
Remote Gateway Select Static IP Address.
IP Address Enter the IP address of the other FortiGate unit’s public (Port 2) interface.
Local Interface Select this FortiGate unit’s public (Port 2) interface.
Mode Select Main (ID Protection).
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. It must match the preshared key on the other FortiGate unit.
Advanced Select Advanced.

Assigning the tunnel end IP addresses

  1. Go to Network > Interfaces, select the virtual IPsec interface that you just created on Port 2 and select Edit. 2. In the IP and Remote IP fields, enter the following tunnel end addresses:
  FortiGate_1 FortiGate_2
IP 10.1.1.1 10.1.1.2
Remote_IP 10.1.1.2 10.1.1.1

These addresses are from a network that is not used for anything else.

Configuring Phase 2

  1. Enter a name to identify this Phase 2 configuration, twan1_p2, for example.
  2. Select the name of the Phase 1 configuration that you defined in Step “Configuration overview” on page 197, tunnel_wan1 for example.

Configuring static routing

You need to define the route for traffic leaving the external interface.

  1. Go to Network > Static Routes, select Create New.
  2. Enter the following information.
Destination IP/Mask Leave as 0.0.0.0 0.0.0.0.
Device Select the external interface.
Gateway Enter the IP address of the next hop router.

Configuring OSPF

This section does not attempt to explain OSPF router configuration. It focusses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.

This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address.The loopback interface ensures the router is always up. Even though technically the router ID doesn’t have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.

The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border router that advertises its static default route. FortiGate_2 advertises its local LAN as an OSPF internal route.

Setting the router ID for each FortiGate unit to the lowest possible value is useful if you want the FortiGate units to be the designated router (DR) for their respective ASes. This is the router that broadcasts the updates for the AS.

Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes will be advertised, and it will not be limited to any specific subnet. For example if this IP address was 10.1.0.0, then only routes that match that subnet will be advertised through this interface in OSPF.

FortiGate_1 OSPF configuration

When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

Creating the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:

config system interface edit lback1 set vdom root set ip 10.0.0.1 255.255.255.255 set type loopback

end

The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

Configuring OSPF area, networks, and interfaces – web-based manager
  1. On FortiGate_1, go to Network > OSPF.
  2. Enter the following information to define the router, area, and interface information.
Router ID Enter 10.0.0.1. Select Apply before entering the remaining information.
Advanced Options  
Redistribute Select the Connected and Static check boxes. Use their default metric values.
Areas Select Create New, enter the Area and Type and then select OK.
Area 0.0.0.0
Type Regular
Interfaces Enter a name for the OSPF interface, ospf_wan1 for example.
Name
Interface Select the virtual IPsec interface, tunnel_wan1.
IP 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the IP/Netmask of 1.1.0/255.255.255.0 and an Area of 0.0.0.0. 5. For Networks, select Create New.
  3. Enter the IP/Netmask of 0.0.1/255.255.255.0 and an Area of 0.0.0.0.
  4. Select Apply.
Configuring OSPF area and interfaces – CLI

Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1. Enter the following CLI commands:

config router ospf set router-id 10.0.0.1 config area edit 0.0.0.0

end config network edit 4 set prefix 10.1.1.0 255.255.255.0

next edit 2 set prefix 10.0.0.1 255.255.255.255

end

config ospf-interface edit ospf_wan1 set cost 10

set interface tunnel_wan1 set network-type point-to-point

end

config redistribute connected set status enable

end

config redistribute static set status enable

end

end

FortiGate_2 OSPF configuration

When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined instead of two. The third interface is the local LAN that will be advertised into OSPF.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

Creating the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.2, you would enter:

config system interface edit lback1 set vdom root

set ip 10.0.0.2 255.255.255.255 set type loopback

end

The loopback addresses on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

Configuring OSPF area and interfaces – web-based manager
  1. On FortiGate_2, go to Network > OSPF.
  2. Complete the following.
Router ID 10.0.0.2
Areas Select Create New, enter the Area and Type and then select OK.
Area 0.0.0.0
Type Regular
Interfaces
Name Enter a name for the OSPF interface, ospf_wan1 for example.
Interface Select the virtual IPsec interface, tunnel_wan1.
IP 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the following information for the loopback interface:
IP/Netmask 10.0.0.2/255.255.255.255
Area 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the following information for the tunnel interface:
IP/Netmask 10.1.1.0/255.255.255.255
Area 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the following information for the local LAN interface:
IP/Netmask 10.31.101.0/255.255.255.255
Area 0.0.0.0
  1. Select Apply.
Configuring OSPF area and interfaces – CLI

If for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter:

config router ospf set router-id 10.0.0.2 config area edit 0.0.0.0

end config network edit 1 set prefix 10.1.1.0 255.255.255.0

next edit 2 set prefix 10.31.101.0 255.255.255.0

next edit 2

 

Creating a redundant configuration

set prefix 10.0.0.2 255.255.255.255

end

config ospf-interface edit ospf_wan1 set interface tunnel_wan1 set network-type point-to-point

end

end

Creating a redundant configuration

You can improve the reliability of the OSPF over IPsec configuration described in the previous section by adding a second IPsec tunnel to use if the default one goes down. Redundancy in this case is not controlled by the IPsec VPN configuration but by the OSPF routing protocol.

To do this you:

  • Create a second route-based IPsec tunnel on a different interface and define tunnel end addresses for it.
  • Add the tunnel network as part of the OSPF network and define the virtual IPsec interface as an additional OSPF interface.
  • Set the OSPF cost for the added OSPF interface to be significantly higher than the cost of the default route.

Adding the second IPsec tunnel

The configuration is the same as in Configuring the IPsec VPN on page 198, but the interface and addresses will be different. Ideally, the network interface you use is connected to a different Internet service provider for added redundancy.

When adding the second tunnel to the OSPF network, choose another unused subnet for the tunnel ends, 10.1.2.1 and 10.1.2.2 for example.

Adding the OSPF interface

OSPF uses the metric called cost when determining the best route, with lower costs being preferred. Up to now in this example, only the default cost of 10 has been used. Cost can be set only in the CLI.

The new IPsec tunnel will have its OSPF cost set higher than that of the default tunnel to ensure that it is only used if the first tunnel goes down. The new tunnel could be set to a cost of 200 compared to the default cost is 10. Such a large difference in cost will ensure this new tunnel will only be used as a last resort.

If the new tunnel is called tunnel_wan2, you would enter the following on both FortiGate units:

config router ospf config ospf-interface edit ospf_wan2 set cost 200 set interface tunnel_wan2 set network-type point-to-point

end end

Redundant OSPF routing over IPsec

This example sets up redundant secure communication between two remote networks using an Open Shortest Path First (OSPF) VPN connection. In this example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be called FortiGate 2.

The steps include:

  1. Creating redundant IPsec tunnels on FortiGate 1.
  2. Configuring IP addresses and OSPF on FortiGate 1.
  3. Configuring firewall addresses on FortiGate 1.
  4. Configuring security policies on FortiGate 1.
  5. Creating redundant IPsec tunnels for FortiGate 2.
  6. Configuring IP addresses and OSPF on FortiGate 2.
  7. Configuring firewall addresses on FortiGate 2.
  8. Configuring security policies on FortiGate 2.

Creating redundant IPsec tunnels on FortiGate 1

  1. Go to VPN > IPsec Tunnels.
  2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template). Set the following:
Remote Gateway Static IP Address
IP Address FortiGate 2’s wan1 IP
Local Interface wan1 (the primary Internet-facing interface)
Pre-shared Key Enter
  1. Go to VPN > IPsec Tunnels.
  2. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
  3. Set the following:
Remote Gateway Static IP Address
IP Address FortiGate 2’s wan2 IP
Local Interface wan2 (the secondary Internet-facing interface)
Pre-shared Key Enter

Configuring IP addresses and OSPF on FortiGate 1

  1. Go to Network > Interfaces.
  2. Select the arrow for wan1 to expand the list.

Redundant OSPF routing over

  1. Edit the primary tunnel interface and create IP addresses.
IP 10.1.1.1
Remote IP 10.1.1.2
  1. Select the arrow for wan2 to expand the list.
  2. Edit the secondary tunnel interface and create IP addresses.
IP 10.2.1.1
Remote IP 10.2.1.2
  1. Go to Network > OSPF and enter the Router ID for FortiGate 1.
  2. Select Create New in the Area
  3. Add the backbone area of 0.0.0.
  4. Select Create New in the Networks
  5. Create the networks and select Area 0.0.0.0 for each one.
  6. Select Create New in the Interfaces
  7. Create primary and secondary tunnel interfaces.
  8. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 1

  1. Go to Policy & Objects > Addresses.
  2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
  3. Create/Edit the primary and secondary interfaces of FortiGate 2.

Configuring security policies on FortiGate 1

  1. Go to Policy & Objects > IPv4 Policy.
  2. Create the four security policies required for both FortiGate 1’s primary and secondary interfaces to connect to FortiGate 2’s primary and secondary interfaces.

Creating redundant IPsec tunnels on FortiGate 2

  1. Go to VPN > IPsec Tunnels.
  2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template). Set the following:
Remote Gateway Static IP Address
IP Address FortiGate 1’s wan1 IP
Local Interface wan1 (the primary Internet-facing interface)
Pre-shared Key Enter

 

Redundant OSPF routing over IPsec

  1. Go to VPN > IPsec Tunnels.
  2. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
  3. Set the following:
Remote Gateway Static IP Address
IP Address FortiGate 1’s wan1 IP
Local Interface wan2 (the secondary Internet-facing interface)
Pre-shared Key Enter

Configuring IP addresses and OSPF on FortiGate 1

  1. Go to Network > Interfaces.
  2. Select the arrow for wan1 to expand the list.
  3. Edit the primary tunnel interface and create IP addresses.
IP 10.1.1.2
Remote IP 10.1.1.1
  1. Select the arrow for wan2 to expand the list.
  2. Edit the secondary tunnel interface and create IP addresses.
IP 10.2.1.2
Remote IP 10.2.1.1
  1. Go to Network > OSPF and enter the Router ID for FortiGate 2.
  2. Select Create New in the Area
  3. Add the backbone area of 0.0.0.
  4. Select Create New in the Networks
  5. Create the networks and select Area 0.0.0.0 for each one.
  6. Select Create New in the Interfaces
  7. Create primary and secondary tunnel interfaces.
  8. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 2

  1. Go to Policy & Objects > Addresses.
  2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
  3. Create/Edit the primary and secondary interfaces of FortiGate 2.

Redundant OSPF routing over

Configuring security policies on FortiGate 2

  1. Go to Policy & Objects > IPv4 Policy.
  2. Create the four security policies required for both FortiGate 2’s primary and secondary interfaces to connect to FortiGate 1’s primary and secondary interfaces.

Results

  1. Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.
  2. Go to Monitor > Routing Monitor. Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select Apply Filter to verify the OSPF route.
  3. Verify that traffic flows via the primary tunnel:
    • From a PC1 set to IP:10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP address 10.21.1.00 behind FortiGate 2 and vise versa.
    • From PC1, you should see that the traffic goes through 10.1.1.2 which is the primary tunnel interface IP set on FortiGate 2.
    • From PC2, you should see the traffic goes through 10.1.1.1 which is the primary tunnel interface IP set on FortiGate 1.
  4. The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel will be used automatically to maintain a secure connection.
  5. Verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that primary tunnel is DOWN and secondary tunnel is UP.
  6. Go to Monitor > IPsec Monitor to verify the status.
  7. Verify the routing table on FortiGate 1 and FortiGate 2.

The secondary OSPF route (with cost = 100) appears on both FortiGate units.

  1. Go to Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify OSPF route.
  2. Verify that traffic flows via the secondary tunnel:
    • From a PC1 set to IP:10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP:10.21.1.100 behind FortiGate 2 and vice versa.
    • From PC1, you should see that the traffic goes through 10.2.1.2 which is the secondary tunnel interface IP set on FortiGate 2.
    • From PC2, you should see the traffic goes through 10.2.1.1 which is the secondary tunnel interface IP set on FortiGate 1.

OSPF over dynamic IPsec

The following example shows how to create a dynamic IPsec VPN tunnel that allows OSPF.

Configuring IPsec on FortiGate 1

  1. Go to Dashboard and enter the CLI Console widget 2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up” set type dynamic set interface “wan1” set mode-cfg enable set proposal 3des-sha1 set add-route disable set ipv4-start-ip 10.10.101.0 set ipv4-end-ip 10.10.101.255 set psksecret

next

end

 

  1. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-p2” set phase1name “dial-up” set proposal 3des-sha1 aes128-sha1

next

end

Configuring OSPF on FortiGate 1

  1. Go to Dashboard and enter the CLI Console
  2. Create OSPF route.

config router ospf set router-id 172.20.120.22 config area edit 0.0.0.0 next

end config network edit 1 set prefix 10.10.101.0 255.255.255.0

next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

OSPF over dynamic

Adding policies on FortiGate 1

  1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up to port5.
  2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up

Configuring IPsec on FortiGate 2

  1. Go to Dashboard and enter the CLI Console widget 2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up-client” set interface “wan1” set mode-cfg enable set proposal 3des-sha1 set add-route disable set remote-gw 172.20.120.22 set psksecret

next

end

 

  1. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-client” set phase1name “dial-up-client” set proposal 3des-sha1 aes128-sha1 set auto-negotiate enable

next

end

Configuring OSPF on FortiGate 2

  1. Go to Dashboard and enter the CLI Console
  2. Create OSPF route.

config router ospf set router-id 172.20.120.15 config area edit 0.0.0.0 next

end config network edit 1 set prefix 10.10.101.0 255.255.255.0

next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

 

OSPF over dynamic IPsec

Adding policies on FortiGate 2

  1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up-client to port5.
  2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up-client

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

  1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
  2. From FortiGate 1, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

 

OSPF process 0:

Neighbor      ID Pri State Dead  Time     Address Interface

172.20.120.25 1  Full  /     –   00:00:34 10.10.101.1  dial-up_0

  1. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
  2. From FortiGate 2, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

 

OSPF process 0:

Neighbor      ID Pri State Dead  Time     Address     Interface

172.20.120.22 1  Full  /     –   00:00:30 10.10.101.2  dial-up_client


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.