Redundant OSPF routing over IPsec


This example sets up redundant secure communication between two remote networks using an Open Shortest Path First (OSPF) VPN connection. In this example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be called FortiGate 2.

 

The steps include:

1. Creating redundant IPsec tunnels on FortiGate 1.

2. Configuring IP addresses and OSPF on FortiGate 1.

3. Configuring firewall addresses on FortiGate 1.

4. Configuring security policies on FortiGate 1.

5. Creating redundant IPsec tunnels for FortiGate 2.

6. Configuring IP addresses and OSPF on FortiGate 2.

7. Configuring firewall addresses on FortiGate 2.

8. Configuring security policies on FortiGate 2.

 

Creating redundant IPsec tunnels on FortiGate 1

1. Go to VPN > IPsec Tunnels.

2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).

3. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 2's wan1 IP
Local Interface: wan1 (the primary Internet-facing interface)
Preshared Key: Enter a preshared key (the same key must be configured on FortiGate 2)

4. Go to VPN > IPsec Tunnels.

5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).

6. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 2's wan1 IP
Local Interface: wan2 (the secondary Internet-facing interface)
Preshared Key: Enter a preshared key (the same key must be configured on FortiGate 2)

 

Configuring IP addresses and OSPF on FortiGate 1

1. Go to Network > Interfaces.

2. Select the arrow for wan1 to expand the list.

3. Edit the primary tunnel interface and create IP addresses.

IP: 10.1.1.1
Remote IP: 10.1.1.2

4. Select the arrow for wan2 to expand the list.

5. Edit the secondary tunnel interface and create IP addresses.

IP: 10.2.1.1
Remote IP: 10.2.1.2

6. Go to Network > OSPF and enter the Router ID for FortiGate 1.

7. Select Create New in the Area section.

8. Add the backbone area of 0.0.0.0.

9. Select Create New in the Networks section.

10. Create the networks and select Area 0.0.0.0 for each one.

11. Select Create New in the Interfaces section.

12. Create primary and secondary tunnel interfaces.

13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.
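The two FortiGate 1 procedures above (tunnel creation, then tunnel addressing and OSPF) expressed in the FortiOS CLI, as an added example that is not part of the original page or of Fortinet's documentation. Values the page does not give are assumed: the tunnel names "primary" and "secondary", FortiGate 2's wan1 address (shown as the documentation placeholder 198.51.100.2), the HQ LAN 10.20.1.0/24, Router ID 1.1.1.1, the specific networks advertised into OSPF, and the point-to-point OSPF network type on the tunnel interfaces. FortiGate 2 is configured the same way with the local and remote tunnel addresses swapped.

```fortios
# Added example (not from the original page): FortiOS 5.4 CLI equivalent of the
# FortiGate 1 steps in "Creating redundant IPsec tunnels" and "Configuring IP
# addresses and OSPF". Assumed (not on the page): tunnel names "primary" and
# "secondary", FortiGate 2 wan1 IP 198.51.100.2 (placeholder), HQ LAN
# 10.20.1.0/24, Router ID 1.1.1.1, and the networks advertised into OSPF.

# Phase 1: one IKE gateway per uplink, both pointing at FortiGate 2's wan1 IP
config vpn ipsec phase1-interface
    edit "primary"
        set interface "wan1"            # primary Internet-facing interface
        set remote-gw 198.51.100.2      # FortiGate 2's wan1 IP (placeholder)
        set psksecret <PRESHARED_KEY>   # placeholder; must match FortiGate 2
    next
    edit "secondary"
        set interface "wan2"            # secondary Internet-facing interface
        set remote-gw 198.51.100.2      # the page uses FortiGate 2's wan1 IP for both
        set psksecret <PRESHARED_KEY>
    next
end

# Phase 2: one IPsec SA per tunnel; proposals and lifetimes left at defaults
config vpn ipsec phase2-interface
    edit "primary"
        set phase1name "primary"
    next
    edit "secondary"
        set phase1name "secondary"
    next
end

# Tunnel interface addressing (IP / Remote IP in the GUI). Later FortiOS releases
# also take a netmask on remote-ip, e.g. "set remote-ip 10.1.1.2 255.255.255.255".
config system interface
    edit "primary"
        set ip 10.1.1.1 255.255.255.255
        set remote-ip 10.1.1.2
    next
    edit "secondary"
        set ip 10.2.1.1 255.255.255.255
        set remote-ip 10.2.1.2
    next
end

# OSPF: router ID, backbone area, advertised networks and interface costs.
# The cost difference (10 vs 100) is what makes the primary tunnel the
# preferred path and the secondary tunnel a standby used only when wan1 fails.
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.20.1.0 255.255.255.0   # HQ LAN (assumed)
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.1.1.0 255.255.255.0    # primary tunnel link
            set area 0.0.0.0
        next
        edit 3
            set prefix 10.2.1.0 255.255.255.0    # secondary tunnel link
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "primary"
            set interface "primary"
            set network-type point-to-point      # one neighbour per tunnel (assumed setting)
            set cost 10
        next
        edit "secondary"
            set interface "secondary"
            set network-type point-to-point
            set cost 100
        next
    end
end
```

Because OSPF runs inside the tunnels, the routing adjacency only forms after phase 1 and phase 2 are up, so a tunnel that never negotiates shows up as a missing OSPF neighbour rather than as a routing error; check the IKE state before debugging OSPF.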

 

Configuring firewall addresses on FortiGate 1

1. Go to Policy & Objects > Addresses.

2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.

3. Create/Edit the primary and secondary interfaces of FortiGate 2.

 

Configuring security policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy.

2. Create the four security policies required for both FortiGate 1’s primary and secondary interfaces to connect to FortiGate 2’s primary and secondary interfaces.
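The address objects and the four policies from the two sections above, in the FortiOS CLI, as an added example that is not part of the original page or of Fortinet's documentation. Assumed (not on the page): the LAN interface is named "internal", the HQ LAN is 10.20.1.0/24, the Branch LAN is 10.21.1.0/24, the tunnel interfaces are "primary" and "secondary", and the "four policies" are LAN to each tunnel and each tunnel to LAN.

```fortios
# Added example (not from the original page): FortiOS CLI equivalent of the
# "Configuring firewall addresses" and "Configuring security policies" steps
# for FortiGate 1. Assumed (not on the page): LAN interface "internal",
# HQ LAN 10.20.1.0/24, Branch LAN 10.21.1.0/24, tunnel interfaces
# "primary"/"secondary", and the four policies being LAN <-> each tunnel.

config firewall address
    edit "HQ_LAN"
        set subnet 10.20.1.0 255.255.255.0
    next
    edit "Branch_LAN"
        set subnet 10.21.1.0 255.255.255.0
    next
    edit "FGT2_primary_if"            # FortiGate 2's primary tunnel interface IP
        set subnet 10.1.1.2 255.255.255.255
    next
    edit "FGT2_secondary_if"          # FortiGate 2's secondary tunnel interface IP
        set subnet 10.2.1.2 255.255.255.255
    next
end

# Each policy is scoped to the two site subnets (plus the peer tunnel address)
# rather than "all", so the tunnel only carries the traffic it was built for.
# Logging all sessions gives a record of what crossed the VPN and of which
# tunnel carried it, which is what you look at when checking a failover.
config firewall policy
    edit 1
        set name "HQ_to_Branch_primary"
        set srcintf "internal"
        set dstintf "primary"
        set srcaddr "HQ_LAN"
        set dstaddr "Branch_LAN" "FGT2_primary_if"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Branch_to_HQ_primary"
        set srcintf "primary"
        set dstintf "internal"
        set srcaddr "Branch_LAN" "FGT2_primary_if"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "HQ_to_Branch_secondary"
        set srcintf "internal"
        set dstintf "secondary"
        set srcaddr "HQ_LAN"
        set dstaddr "Branch_LAN" "FGT2_secondary_if"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set name "Branch_to_HQ_secondary"
        set srcintf "secondary"
        set dstintf "internal"
        set srcaddr "Branch_LAN" "FGT2_secondary_if"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The OSPF hellos themselves terminate on the FortiGate and are not subject to these policies; the policies govern only the user traffic forwarded between the two LANs.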

Creating redundant IPsec tunnels on FortiGate 2

1. Go to VPN > IPsec Tunnels.

2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).

3. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 1's wan1 IP
Local Interface: wan1 (the primary Internet-facing interface)
Preshared Key: Enter a preshared key (the same key must be configured on FortiGate 1)


4. Go to VPN > IPsec Tunnels.

5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).

6. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 1's wan1 IP
Local Interface: wan2 (the secondary Internet-facing interface)
Preshared Key: Enter a preshared key (the same key must be configured on FortiGate 1)

 

Configuring IP addresses and OSPF on FortiGate 2

1. Go to Network > Interfaces.

2. Select the arrow for wan1 to expand the list.

3. Edit the primary tunnel interface and create IP addresses.

IP: 10.1.1.2
Remote IP: 10.1.1.1

4. Select the arrow for wan2 to expand the list.

5. Edit the secondary tunnel interface and create IP addresses.

IP: 10.2.1.2
Remote IP: 10.2.1.1

6. Go to Network > OSPF and enter the Router ID for FortiGate 2.

7. Select Create New in the Area section.

8. Add the backbone area of 0.0.0.0.

9. Select Create New in the Networks section.

10. Create the networks and select Area 0.0.0.0 for each one.

11. Select Create New in the Interfaces section.

12. Create primary and secondary tunnel interfaces.

13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

 

Configuring firewall addresses on FortiGate 2

1. Go to Policy & Objects > Addresses.

2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.

3. Create/Edit the primary and secondary interfaces of FortiGate 2.

 

Configuring security policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy.

2. Create the four security policies required for both FortiGate 2’s primary and secondary interfaces to connect to FortiGate 1’s primary and secondary interfaces.

 

Results

1. Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.

2. Go to Monitor > Routing Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select Apply Filter to verify the OSPF route.

3. Verify that traffic flows via the primary tunnel:

  • From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa.
  • From PC1, you should see that the traffic goes through 10.1.1.2 which is the primary tunnel interface IP set on FortiGate 2.
  • From PC2, you should see the traffic goes through 10.1.1.1 which is the primary tunnel interface IP set on FortiGate 1.

4. The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel will be used automatically to maintain a secure connection.

5. Verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP.

6. Go to Monitor > IPsec Monitor to verify the status.

7. Verify the routing table on FortiGate 1 and FortiGate 2.

The secondary OSPF route (with cost = 100) appears on both FortiGate units.

8. Go to Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.

9. Verify that traffic flows via the secondary tunnel:

  • From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa.
  • From PC1, you should see that the traffic goes through 10.2.1.2 which is the secondary tunnel interface IP set on FortiGate 2.
  • From PC2, you should see the traffic goes through 10.2.1.1 which is the secondary tunnel interface IP set on FortiGate 1.
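The Results procedure above carried out from the FortiOS CLI, as an added example that is not part of the original page or of Fortinet's documentation. It assumes the tunnel interfaces are named "primary" and "secondary" and that wan1 is the primary uplink; the failover test uses an administrative shutdown of wan1 in place of physically disconnecting it, and restores it afterwards.

```fortios
# Added example (not from the original page): CLI checks matching the
# "Results" steps. Assumed: tunnel interfaces named "primary"/"secondary",
# wan1 is the primary uplink. Run on FortiGate 1; repeat on FortiGate 2.

# Step 1: tunnel status (CLI counterpart of Monitor > IPsec Monitor)
get vpn ipsec tunnel summary          # both "primary" and "secondary" should be up
diagnose vpn ike gateway list         # IKE SA state per gateway

# Step 2: OSPF adjacency and routes (counterpart of Monitor > Routing Monitor, Type = OSPF)
get router info ospf neighbor         # one Full neighbour per tunnel interface
get router info routing-table ospf    # 10.21.1.0/24 should point at 10.1.1.2 via "primary"

# Step 3: confirm the data path while the primary tunnel is up. Watching the
# tunnel interface shows whether user traffic (not just hellos) is using it.
diagnose sniffer packet primary 'host 10.21.1.100' 4 10

# Step 4: simulate the wan1 failure with an administrative shutdown
config system interface
    edit "wan1"
        set status down
    next
end

# Steps 5 to 8: the primary tunnel should now be DOWN and the secondary UP,
# and the OSPF route should have moved to 10.2.1.2 via "secondary" (cost 100)
get vpn ipsec tunnel summary
get router info ospf neighbor         # only the "secondary" neighbour remains
get router info routing-table ospf    # next hop 10.2.1.2 on "secondary"

# Step 9: traffic to the branch now crosses the secondary tunnel
diagnose sniffer packet secondary 'host 10.21.1.100' 4 10

# Restore the primary uplink; the OSPF route returns to the cost-10 path once
# the primary adjacency is back to Full.
config system interface
    edit "wan1"
        set status up
    next
end
get router info routing-table ospf
```

The OSPF dead interval, not the IPsec state, determines how long the failover takes: the secondary route is installed only after the primary neighbour times out, so a failover that takes roughly the dead interval (40 seconds by default on point-to-point links) is working as designed, and dead-peer detection on the tunnel only shortens the IPsec side of it.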

 

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
