OSPF over dynamic IPsec VPN (Expert)


This example shows how to create a dynamic IPsec VPN tunnel and allow OSPF through it.

1. Configuring IPsec in FortiGate 1

Go to System > Status to look for the CLI Console widget and create phase 1.

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret
    next
end

Create phase 2.

config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end

2. Configuring OSPF in FortiGate 1

Go to System > Status to look for the CLI Console widget and configure OSPF.

config router ospf
    set router-id 172.20.120.22
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end

3. Adding policies in FortiGate 1

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up to port5.


Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to dial-up.


4. Configuring IPsec in FortiGate 2

Go to System > Status to look for the CLI Console widget and create phase 1.

config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set remote-gw 172.20.120.22
        set psksecret
    next
end

Create phase 2.

config vpn ipsec phase2-interface
    edit "dial-up-client-p2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end

5. Configuring OSPF in FortiGate 2

Go to System > Status to look for the CLI Console widget and configure OSPF.

config router ospf
    set router-id 172.20.120.25
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end

6. Adding policies in FortiGate 2

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up-client to port5.

Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to dial-up-client.


8. Verifying tunnel is up

Go to VPN > Monitor > IPsec Monitor to verify that the tunnel is Up.


9. Results

From FortiGate 1, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.

From FortiGate 1, go to System > Status to look for the CLI Console widget and type this command to verify OSPF neighbors.

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
172.20.120.25     1   Full/ -    00:00:34    10.10.101.1     dial-up_0

From FortiGate 2, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.

From FortiGate 2, go to System > Status to look for the CLI Console widget and type this command to verify OSPF neighbors.

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State   Dead Time   Address      Interface
172.20.120.22     1   Full/ - 00:00:30    10.10.101.2  dial-up-client
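Reading these neighbor tables by eye works for two firewalls but not for a dial-up hub with many spokes. The following Python script is an added example, not part of the original recipe, that parses the `get router info ospf neighbor` output shown above and checks three things a practitioner cares about: every expected peer is adjacent in the Full state, no peer that was not expected has formed an adjacency over the dial-up tunnel, and every peer address lies inside the 10.10.101.0/24 pool that the mode-cfg range in step 1 and the OSPF network statements in steps 2 and 5 both refer to. The two neighbor tables are copied from this article; the degraded table, the 192.0.2.99 router ID and the 10.10.102.7 address are constructed to show what a failing check looks like.

```python
import ipaddress
import re

# Constructed copies of the two neighbor tables shown in the article, used as sample input.
FGT1_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
172.20.120.25     1   Full/ -    00:00:34    10.10.101.1     dial-up_0
"""

FGT2_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State   Dead Time   Address      Interface
172.20.120.22     1   Full/ - 00:00:30    10.10.101.2  dial-up-client
"""

# Constructed failure case: one adjacency stuck in Init, plus a peer that is not
# expected and whose address is outside the tunnel pool (192.0.2.99 is a documentation address).
DEGRADED_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
172.20.120.25     1   Init/ -    00:00:34    10.10.101.1     dial-up_0
192.0.2.99        1   Full/DR    00:00:38    10.10.102.7     dial-up_1
"""

# The mode-cfg pool handed to dial-up clients (10.10.101.0-10.10.101.255), which is also
# the prefix in the OSPF network statement on both FortiGates.
TUNNEL_PREFIX = "10.10.101.0/24"

# One neighbor row. The State column reads "Full/ -" on point-to-point tunnel interfaces
# and "Full/DR" or "Full/BDR" on broadcast segments, so the part after the slash is optional.
ROW_RE = re.compile(
    r"^(?P<nid>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<pri>\d+)\s+"
    r"(?P<state>[A-Za-z0-9-]+(?:/\s*\S+)?)\s+"
    r"(?P<dead>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<iface>\S+)$"
)


def parse_neighbors(output):
    """Parse 'get router info ospf neighbor' output into a list of neighbor dicts."""
    neighbors = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # "OSPF process 0:" banner, column header, or blank line
        neighbors.append({
            "neighbor_id": m["nid"],
            "priority": int(m["pri"]),
            "state": m["state"].split("/")[0].strip(),  # "Full/ -" -> "Full"
            "dead_time": m["dead"],
            "address": ipaddress.ip_address(m["addr"]),
            "interface": m["iface"],
        })
    return neighbors


def check_adjacencies(output, expected_ids, tunnel_prefix=TUNNEL_PREFIX):
    """Return a list of findings; an empty list means the adjacencies look as intended.

    expected_ids: router IDs of the peers that are supposed to be adjacent on this box.
    """
    prefix = ipaddress.ip_network(tunnel_prefix)
    neighbors = parse_neighbors(output)
    findings = []
    seen = {n["neighbor_id"] for n in neighbors}
    # A missing peer means the tunnel or the OSPF policies are not doing their job.
    for nid in sorted(set(expected_ids) - seen):
        findings.append(f"expected neighbor {nid} is missing")
    for n in neighbors:
        # An unknown router ID peering over the dial-up tunnel deserves a look.
        if n["neighbor_id"] not in expected_ids:
            findings.append(f"unexpected neighbor {n['neighbor_id']} on {n['interface']}")
        # Anything short of Full means no routes are being exchanged yet.
        if n["state"] != "Full":
            findings.append(f"neighbor {n['neighbor_id']} is {n['state']}, not Full")
        # The peer address must come from the mode-cfg pool that OSPF is told to cover.
        if n["address"] not in prefix:
            findings.append(
                f"neighbor {n['neighbor_id']} address {n['address']} is outside {prefix}")
    return findings


if __name__ == "__main__":
    for name, output, peer in (("FortiGate 1", FGT1_OUTPUT, "172.20.120.25"),
                               ("FortiGate 2", FGT2_OUTPUT, "172.20.120.22"),
                               ("degraded sample", DEGRADED_OUTPUT, "172.20.120.25")):
        problems = check_adjacencies(output, {peer})
        print(name + ":", "OK" if not problems else "; ".join(problems))
```

In practice you would feed the script the output collected from each FortiGate over SSH or the REST API and set `expected_ids` from your inventory of spoke router IDs; the parsing and the checks stay the same.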

For further reading, check out IPsec VPN and Open Shortest Path First (OSPF) in the FortiOS 5.2 Handbook.


Taher Elbar

Technical Product Specialist at Fortinet
After a Bachelor's degree in Telecommunications from the University of Geneva, Taher began his career in software development, then moved to system and network administration and later to security support engineering. With over 10 years of experience, Taher writes technical documentation for Fortinet.