BGP over dynamic IPsec


This example shows how to create a dynamic IPsec VPN tunnel that allows BGP.

 

Configuring IPsec on FortiGate 1

1. Go to Policy & Objects > Addresses and create a new Address.

    Name                 Remote_loop_int
    Type                 Subnet
    Subnet/IP Range      10.10.10.10
    Interface            any

2. Create an Address Group.

    Group Name               VPN_DST
    Show in Address List     enable
    Members                  Remote_loop_int, all

3. Go to Dashboard and enter the CLI Console widget.

4. Create phase 1:

    config vpn ipsec phase1-interface
        edit Dialup
            set type dynamic
            set interface wan1
            set mode aggressive
            set peertype one
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set peerid dial
            set assign-ip disable
            set psksecret
        next
    end

5. Create phase 2:

    config vpn ipsec phase2-interface
        edit dial_p2
            set phase1name Dialup
            set proposal 3des-sha1 aes128-sha1
            set src-addr-type name
            set dst-addr-type name
            set src-name all
            set dst-name VPN_DST
        next
    end

 

Configuring BGP on FortiGate 1

1. Go to Network > Interfaces and create a Loopback interface named loop.

2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.

3. Go to Dashboard and enter the CLI Console widget.

4. Configure BGP:

    config router bgp
        set as 100
        set router-id 1.1.1.1
        config neighbor
            edit 10.10.10.10
                set ebgp-enforce-multihop enable
                set remote-as 200
                set update-source loop
            next
        end
        config redistribute connected
            set status enable
        end
    end

 

Adding policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.

2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.

 

Configuring IPsec on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget.

2. Create phase 1:

    config vpn ipsec phase1-interface
        edit Dialup
            set interface wan1
            set mode aggressive
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set localid dial
            set remote-gw 172.20.120.22
            set assign-ip disable
            set psksecret
        next
    end

3. Create phase 2:

    config vpn ipsec phase2-interface
        edit dial_p2
            set phase1name Dialup
            set proposal 3des-sha1 aes128-sha1
            set keepalive enable
        next
    end

 


Configuring BGP on FortiGate 2

1. Go to Network > Interfaces and create a Loopback interface named loop.

2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.

3. Go to Dashboard and enter the CLI Console widget.

4. Configure BGP:

    config router bgp
        set as 200
        set router-id 1.1.1.2
        config neighbor
            edit 20.20.20.20
                set ebgp-enforce-multihop enable
                set remote-as 100
                set update-source loop
            next
        end
        config redistribute connected
            set status enable
        end
    end

 

Adding policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.

2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.

 

Adding a static route on FortiGate 2

Go to Network > Static Routes and add a route to the remote Loopback interface via the Dialup interface.

    Destination IP/Mask          20.20.20.20/255.255.255.255
    Device                       Dialup
    Administrative Distance      10

 

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

 

Results

1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.

2. From FortiGate 1, go to Dashboard.

3. Enter the CLI Console widget and type this command to verify BGP neighbors:

get router info bgp summary

4. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.

5. From FortiGate 2, go to Dashboard.

6. Enter the CLI Console widget and type this command to verify BGP neighbors:

get router info bgp summary
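As an added example that is not part of the handbook recipe, the following Python checker automates the verification in steps 3 and 6: it parses the neighbor table of get router info bgp summary and confirms the expected peer is Established and has advertised routes. The two sample outputs are constructed here, modelled on the summary table layout (Neighbor, V, AS, counters, Up/Down, State/PfxRcd), using the recipe's AS numbers and loopback addresses.

```python
import re

# Constructed sample, modelled on the layout of "get router info bgp summary"
# on FortiGate 1 in this recipe (AS 100, neighbor 10.10.10.10 in AS 200).
FGT1_SUMMARY = """\
BGP router identifier 1.1.1.1, local AS number 100
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200      14      16        3    0    0 00:05:12        1
"""

# Constructed sample of the same peer before the session comes up (tunnel down
# or BGP policy missing): the last column then holds a state, not a count.
FGT1_SUMMARY_DOWN = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200       0       0        0    0    0 never    Active
"""

# One neighbor row: IP, version, AS, six counter/timer columns, then State/PfxRcd.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"(?:\s+\S+){6}\s+(?P<last>\S+)\s*$")

def parse_neighbors(text):
    """Map IP -> {as, established, prefixes, state}; State/PfxRcd is a count only once Established."""
    neighbors = {}
    for m in filter(None, map(NEIGHBOR_RE.match, text.splitlines())):
        last = m.group("last")
        up = last.isdigit()          # a number means Established + prefixes received
        neighbors[m.group("ip")] = {
            "as": int(m.group("asn")),
            "established": up,
            "prefixes": int(last) if up else 0,
            "state": "Established" if up else last,   # Idle / Active / Connect ...
        }
    return neighbors

def check_peer(text, neighbor, remote_as, min_prefixes=1):
    """Return (ok, reason): is the expected peer Established and advertising routes?"""
    info = parse_neighbors(text).get(neighbor)
    if info is None:
        return False, f"{neighbor}: not listed in BGP summary"
    if info["as"] != remote_as:
        return False, f"{neighbor}: peer AS {info['as']}, expected {remote_as}"
    if not info["established"]:
        return False, f"{neighbor}: session state {info['state']}"
    if info["prefixes"] < min_prefixes:
        return False, f"{neighbor}: Established but only {info['prefixes']} prefixes received"
    return True, f"{neighbor}: Established, {info['prefixes']} prefixes received"
```

On FortiGate 2 the same check runs against neighbor 20.20.20.20 with remote_as=100; a peer stuck in Active or Connect usually points at the tunnel or the BGP policies rather than the BGP configuration itself.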

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
