BGP over dynamic IPsec
This example shows how to create a dynamic IPsec VPN tunnel that allows BGP.
Configuring IPsec on FortiGate 1
1. Go to Policy & Objects > Addresses and create a new Address with these settings:
   Name: Remote_loop_int
   Type: Subnet
   Subnet/IP Range: 10.10.10.10
   Interface: any
2. Create an Address Group with these settings:
   Group Name: VPN_DST
   Show in Address List: enable
   Members: Remote_loop_int, all
3. Go to Dashboard and enter the CLI Console widget.
4. Create phase 1:
   config vpn ipsec phase1-interface
       edit Dialup
           set type dynamic
           set interface wan1
           set mode aggressive
           set peertype one
           set mode-cfg enable
           set proposal 3des-sha1 aes128-sha1
           set peerid dial
           set assign-ip disable
           set psksecret
       next
   end
5. Create phase 2:
   config vpn ipsec phase2-interface
       edit dial_p2
           set phase1name Dialup
           set proposal 3des-sha1 aes128-sha1
           set src-addr-type name
           set dst-addr-type name
           set src-name all
           set dst-name VPN_DST
       next
   end
Configuring BGP on FortiGate 1
1. Go to Network > Interfaces and create a Loopback interface named loop.
2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.
3. Go to Dashboard and enter the CLI Console widget.
4. Configure BGP, peering with the remote loopback address from the local loopback:
   config router bgp
       set as 100
       set router-id 1.1.1.1
       config neighbor
           edit 10.10.10.10
               set ebgp-enforce-multihop enable
               set remote-as 200
               set update-source loop
           next
       end
       config redistribute connected
           set status enable
       end
   end
Adding policies on FortiGate 1
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.
Configuring IPsec on FortiGate 2
1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:
   config vpn ipsec phase1-interface
       edit Dialup
           set interface wan1
           set mode aggressive
           set mode-cfg enable
           set proposal 3des-sha1 aes128-sha1
           set localid dial
           set remote-gw 172.20.120.22
           set assign-ip disable
           set psksecret
       next
   end
3. Create phase 2:
   config vpn ipsec phase2-interface
       edit dial_p2
           set phase1name Dialup
           set proposal 3des-sha1 aes128-sha1
           set keepalive enable
       next
   end
Configuring BGP on FortiGate 2
1. Go to Network > Interfaces and create a Loopback interface named loop.
2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.
3. Go to Dashboard and enter the CLI Console widget.
4. Configure BGP, peering with the remote loopback address from the local loopback:
   config router bgp
       set as 200
       set router-id 1.1.1.2
       config neighbor
           edit 20.20.20.20
               set ebgp-enforce-multihop enable
               set remote-as 100
               set update-source loop
           next
       end
       config redistribute connected
           set status enable
       end
   end
Adding policies on FortiGate 2
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.
Adding a static route on FortiGate 2
Go to Network > Static Routes and add a route to the remote Loopback interface via the Dialup interface:
   Destination IP/Mask: 20.20.20.20/255.255.255.255
   Device: Dialup
   Administrative Distance: 10
Verifying the tunnel is up
Go to Monitor > IPsec Monitor to verify that the tunnel is Up.
Results
1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
2. From FortiGate 1, go to Dashboard.
3. Enter the CLI Console widget and type this command to verify BGP neighbors:
get router info bgp summary
4. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
5. From FortiGate 2, go to Dashboard.
6. Enter the CLI Console widget and type this command to verify BGP neighbors:
get router info bgp summary
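To check the output of get router info bgp summary without reading it by eye, here is an added Python helper (not part of the original recipe or of FortiOS) that parses the neighbor table and reports whether the peer each side expects is Established. The sample output is constructed to match this recipe's addresses and AS numbers; the column layout is assumed to follow the usual FortiOS summary format.

```python
import re
# Constructed sample of 'get router info bgp summary' on FortiGate 1
# (router-id 1.1.1.1, AS 100) once the session to FortiGate 2 is up.
SAMPLE_UP = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200      12      14        3    0    0 00:08:21        1

Total number of neighbors 1
"""
# Constructed sample of the same command while the session is still failing.
SAMPLE_DOWN = SAMPLE_UP.replace("00:08:21        1", "never      Active")

# One neighbor row: address, version, AS, five counters, Up/Down, State/PfxRcd.
ROW_RE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+\d\s+(?P<as>\d+)"
                    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S+)$")

def parse_bgp_summary(text):
    """Return one dict per neighbor row. A numeric State/PfxRcd value means
    Established with that many prefixes received; anything else is the
    FSM state (Idle, Active, Connect, ...) the session is stuck in."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        st = m.group("state")
        rows.append({"address": m.group("addr"), "remote_as": int(m.group("as")),
                     "state": "Established" if st.isdigit() else st,
                     "prefixes": int(st) if st.isdigit() else None,
                     "uptime": m.group("updown")})
    return rows

def check_peer(text, address, remote_as):
    """Return (ok, reason) for the expected peer: 10.10.10.10 / AS 200 on
    FortiGate 1, 20.20.20.20 / AS 100 on FortiGate 2."""
    for n in parse_bgp_summary(text):
        if n["address"] != address:
            continue
        if n["remote_as"] != remote_as:
            return False, f"{address}: remote-as is {n['remote_as']}, expected {remote_as}"
        if n["state"] != "Established":
            return False, (f"{address}: state {n['state']}; check the IPsec tunnel, "
                           "the static route and the Dialup/loop policies")
        return True, f"{address}: Established, {n['prefixes']} prefix(es), up {n['uptime']}"
    return False, f"{address}: not in the neighbor table"
```

Paste the real summary output into check_peer in place of the constructed sample; a non-numeric State/PfxRcd column is the first thing to look at when routes are not appearing in the Routing Monitor.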