pmeet
Staff
December 12, 2022

Technical Tip: Announcing SSL VPN address range into OSPF


Description

This article explains how to advertise an SSL VPN subnet into OSPF across an IPsec tunnel.

Scope

FortiGate.

Solution

The SSL VPN subnet configured on one firewall can be advertised to a second firewall through OSPF, so the remote unit learns a route back to the SSL VPN clients. Follow the steps below to do this.

Note: Make sure the router ID used in the OSPF configuration is routable from the firewall or router at the other end.

1) Add the SSL VPN subnet to the OSPF network list, next to the networks the firewall already advertises.

In the GUI:

[Screenshot: pmeet_0-1670865151122.png]

In the CLI:

# config router ospf
    config network
        edit 1
            set prefix 10.212.134.0 255.255.255.0
        next
    end
end

2) Add a static route for the SSL VPN subnet on the same firewall where the SSL VPN is configured:

In the GUI:

[Screenshot: pmeet_1-1670865151125.png]

In the CLI:

# config router static
    edit 1
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

3) To restrict which static routes are redistributed into OSPF, create a prefix list that matches the SSL VPN subnet and a route map that references it, in the CLI:

# config router prefix-list
    edit "SSLVPN_PREFIX_LIST"
        config rule
            edit 1
                set prefix 10.212.134.0 255.255.255.0
            next
        end
    next
end

# config router route-map
    edit "OSPF_Route_Map"
        config rule
            edit 1
                set match-ip-address "SSLVPN_PREFIX_LIST"
            next
        end
    next
end

4) Enable Static under Redistribute in the OSPF settings, and attach the route map. This is required because OSPF does not run over the SSL VPN interface, so the SSL VPN subnet can only enter OSPF as a redistributed static route.

In the GUI:

[Screenshot: pmeet_2-1670865151128.png]

In the CLI:

# config router ospf
    config redistribute static
        set status enable
        set routemap "OSPF_Route_Map"
    end
end
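As an added check (example code written for this article, not part of the original tip or a FortiGate feature), the following Python parses a routing table as printed by `get router info routing-table all` on the remote OSPF neighbour, confirms that the SSL VPN subnet arrived as a redistributed external (O E2) route, and lists any other external routes that came in through `redistribute static`, which is exactly what the route map in step 3 is meant to prevent. The sample table, the interface name vpn-to-hq and the exact line layout are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of what `get router info routing-table all` could show on
# the remote FortiGate. The line layout is assumed from FortiOS output, not
# copied from this article; the default route models a static that leaked in
# because no route map filtered the redistribution.
REMOTE_ROUTING_TABLE = """\
C        10.0.0.0/30 is directly connected, vpn-to-hq
O        192.168.10.0/24 [110/20] via 10.0.0.1, vpn-to-hq, 00:12:04
O E2     10.212.134.0/24 [110/10] via 10.0.0.1, vpn-to-hq, 00:05:21
O E2     0.0.0.0/0 [110/10] via 10.0.0.1, vpn-to-hq, 00:05:21
"""

# Protocol letter, optional OSPF subtype (E1/E2/IA/N1/N2), then the prefix.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?:(?P<sub>E1|E2|IA|N1|N2)\s+)?"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
)


def parse_routes(table):
    """Return a list of (protocol, subtype, network) tuples from the table text."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["proto"], m["sub"] or "",
                           ipaddress.ip_network(m["prefix"])))
    return routes


def check_redistribution(table, expected_prefix):
    """Verify the SSL VPN subnet is present as an OSPF external route and report
    any other external routes, which indicate an over-broad redistribute static."""
    expected = ipaddress.ip_network(expected_prefix)
    externals = [net for proto, sub, net in parse_routes(table)
                 if proto == "O" and sub in ("E1", "E2")]
    learned = expected in externals
    unexpected = [str(net) for net in externals if net != expected]
    return learned, unexpected


if __name__ == "__main__":
    ok, extra = check_redistribution(REMOTE_ROUTING_TABLE, "10.212.134.0/24")
    print("SSL VPN subnet learned via OSPF:", ok)
    print("Unexpected external routes:", extra)
```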