BGP over dynamic IPsec


This example shows how to build a dynamic (dialup) IPsec VPN tunnel between two FortiGates and run BGP across it, with the two units peering between their loopback interfaces.

 

Configuring IPsec on FortiGate 1

1. Go to Policy & Objects > Addresses and create a new Address for the FortiGate 2 loopback:

   Name               Remote_loop_int
   Type               Subnet
   Subnet/IP Range    10.10.10.10
   Interface          any

2. Create an Address Group containing that address:

   Group Name              VPN_DST
   Show in Address List    enable
   Members                 Remote_loop_int, all

3. Go to Dashboard and enter the CLI Console widget.

4. Create phase 1 (the pre-shared key is shown as a placeholder; use your own value):

   config vpn ipsec phase1-interface
       edit Dialup
           set type dynamic
           set interface wan1
           set mode aggressive
           set peertype one
           set mode-cfg enable
           set proposal 3des-sha1 aes128-sha1
           set peerid dial
           set assign-ip disable
           set psksecret <preshared-key>
       next
   end

5. Create phase 2:

   config vpn ipsec phase2-interface
       edit dial_p2
           set phase1name Dialup
           set proposal 3des-sha1 aes128-sha1
           set src-addr-type name
           set dst-addr-type name
           set src-name all
           set dst-name VPN_DST
       next
   end

 

Configuring BGP on FortiGate 1

1. Go to Network > Interfaces and create a Loopback interface named loop (the BGP configuration below refers to it by that name).

2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.

3. Go to Dashboard and enter the CLI Console widget.

4. Configure BGP. The neighbor is the FortiGate 2 loopback, which is not directly connected, so eBGP multihop must be enabled and the local loopback is used as the update source:

   config router bgp
       set as 100
       set router-id 1.1.1.1
       config neighbor
           edit 10.10.10.10
               set ebgp-enforce-multihop enable
               set remote-as 200
               set update-source loop
           next
       end
       config redistribute connected
           set status enable
       end
   end

 

Adding policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.

2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.

 

Configuring IPsec on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget.

2. Create phase 1 (the pre-shared key is shown as a placeholder; it must match the key configured on FortiGate 1):

   config vpn ipsec phase1-interface
       edit Dialup
           set interface wan1
           set mode aggressive
           set mode-cfg enable
           set proposal 3des-sha1 aes128-sha1
           set localid dial
           set remote-gw 172.20.120.22
           set assign-ip disable
           set psksecret <preshared-key>
       next
   end

3. Create phase 2:

   config vpn ipsec phase2-interface
       edit dial_p2
           set phase1name Dialup
           set proposal 3des-sha1 aes128-sha1
           set keepalive enable
       next
   end
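The phase 1 and phase 2 blocks on both FortiGates share one CLI layout (config / edit / set / next / end). The following is an added example, not code from the handbook or from Fortinet: a small parser for that layout plus a few hardening checks a reviewer would run over the tunnel definitions before deployment. The configuration text inside it is constructed to mirror the FortiGate 2 tunnel above, with PLACEHOLDER_PSK standing in for the real pre-shared key; the check names and the LEGACY_ALGOS set are this example's own choices.

```python
"""Added example (not part of the FortiOS handbook page): parse FortiOS CLI
blocks into nested dicts and run hardening checks over the IPsec phase 1 and
phase 2 definitions."""

# Constructed sample: the FortiGate 2 phase 1 / phase 2 from the page, with a
# placeholder instead of the real pre-shared key.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit Dialup
        set interface wan1
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set localid dial
        set remote-gw 172.20.120.22
        set assign-ip disable
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set keepalive enable
    next
end
"""

# Algorithm tokens that should no longer appear in an IKE/ESP proposal:
# 3DES and MD5 are deprecated (NIST SP 800-131A), DES is broken.
LEGACY_ALGOS = {"des", "3des", "md5"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <name>' and 'edit <name>' open a child dict keyed by <name>;
    'set <key> <values...>' stores the value list in the current dict;
    'next' and 'end' close the current block.  A stack tracks nesting, so
    blocks such as 'config router bgp' > 'config neighbor' parse as well.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_ipsec(tree):
    """Return (section, entry, check, detail) tuples for each finding."""
    findings = []
    for section in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, entry in tree.get(section, {}).items():
            if not isinstance(entry, dict):
                continue
            # Each proposal is '<encryption>-<hash>'; flag legacy tokens.
            weak = [p for p in entry.get("proposal", [])
                    if set(p.split("-")) & LEGACY_ALGOS]
            if weak:
                findings.append((section, name, "legacy-proposal", " ".join(weak)))
            if section.endswith("phase1-interface"):
                if entry.get("mode") == ["aggressive"]:
                    # IKEv1 aggressive mode sends the peer identity unencrypted;
                    # note it so the design choice is a conscious one.
                    findings.append((section, name, "aggressive-mode",
                                     "peer ID sent in the clear; prefer main "
                                     "mode or IKEv2 where the ID design allows"))
                psk = entry.get("psksecret", [])
                if not psk or psk[0].startswith("PLACEHOLDER"):
                    findings.append((section, name, "psk-unset",
                                     "pre-shared key missing or placeholder"))
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec(parse_fortios(SAMPLE_CONFIG)):
        print(" | ".join(finding))
```

Run against the sample it reports the 3des-sha1 proposal in both phases, the aggressive-mode phase 1 and the placeholder key. The proposal lists on this page still include 3des-sha1 alongside aes128-sha1; the check is there so that such legacy entries are a deliberate decision rather than an oversight.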

 


 

Configuring BGP on FortiGate 2

1. Go to Network > Interfaces and create a Loopback interface named loop (the BGP configuration below refers to it by that name).

2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.

3. Go to Dashboard and enter the CLI Console widget.

4. Configure BGP, mirroring FortiGate 1: the neighbor is the FortiGate 1 loopback, reached over the tunnel, so eBGP multihop is enabled and the local loopback is the update source:

   config router bgp
       set as 200
       set router-id 1.1.1.2
       config neighbor
           edit 20.20.20.20
               set ebgp-enforce-multihop enable
               set remote-as 100
               set update-source loop
           next
       end
       config redistribute connected
           set status enable
       end
   end

 

Adding policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.

2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.

 

Adding a static route on FortiGate 2

Go to Network > Static Routes and add a route to the remote Loopback interface via the Dialup interface:

   Destination IP/Mask        20.20.20.20/255.255.255.255
   Device                     Dialup
   Administrative Distance    10

 

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

 

Results

1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.

2. From FortiGate 1, go to Dashboard.

3. Enter the CLI Console widget and type this command to verify BGP neighbors:

   get router info bgp summary

4. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.

5. From FortiGate 2, go to Dashboard.

6. Enter the CLI Console widget and type this command to verify BGP neighbors:

   get router info bgp summary
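Reading the summary by eye works for two neighbors; for a monitoring check it helps to parse it. The following is an added example, not code from the handbook or from Fortinet: it parses the neighbor table printed by get router info bgp summary and reports any peer that is not Established. The output text inside it is a constructed sample in the column layout the command prints; the counters are made up, and the second neighbor (10.10.10.11, AS 300) is invented purely to show a peer stuck in Active.

```python
"""Added example (not part of the FortiOS handbook page): parse the neighbor
table of `get router info bgp summary` and flag unhealthy peers."""

# Constructed sample output as it would appear on FortiGate 1.  The first
# row is the page's peer; the second row is an invented failing peer.
SAMPLE_SUMMARY = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 3
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200      12      14        3    0    0 00:05:21        1
10.10.10.11     4   300       0       0        0    0    0 never     Active

Total number of neighbors 2
"""


def parse_bgp_summary(text):
    """Return one dict per neighbor row of the summary table.

    The State/PfxRcd column holds a prefix count when the session is
    Established and the FSM state name (Idle, Connect, Active, OpenSent,
    OpenConfirm) otherwise, so a numeric value means Established.
    """
    neighbors = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header row found; rows follow
            continue
        if not in_table:
            continue
        fields = line.split()
        if not fields or fields[0] == "Total":
            break                    # blank line or trailer ends the table
        state = fields[-1]
        established = state.isdigit()
        neighbors.append({
            "neighbor": fields[0],
            "as": int(fields[2]),
            "up_down": fields[-2],
            "state": "Established" if established else state,
            "prefixes_received": int(state) if established else 0,
        })
    return neighbors


def unhealthy_neighbors(neighbors, expect_prefixes=True):
    """Peers that are not Established, or Established but receiving no routes.

    With expect_prefixes=True an Established session that has learned zero
    prefixes is also reported, since on this page each side should receive
    the other side's redistributed connected routes.
    """
    bad = []
    for n in neighbors:
        if n["state"] != "Established":
            bad.append((n["neighbor"], n["state"]))
        elif expect_prefixes and n["prefixes_received"] == 0:
            bad.append((n["neighbor"], "Established/0 prefixes"))
    return bad


if __name__ == "__main__":
    peers = parse_bgp_summary(SAMPLE_SUMMARY)
    for peer in peers:
        print(peer["neighbor"], peer["as"], peer["state"], peer["prefixes_received"])
    print("unhealthy:", unhealthy_neighbors(peers))
```

On the sample this reports only the invented 10.10.10.11 peer. A peer that stays in Active or Connect after the tunnel shows Up in the IPsec Monitor usually points at the pieces this page adds around BGP: the static route to the remote loopback, the policies permitting BGP between the Dialup and loop interfaces, or the multihop setting.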


This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, which results in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
