Technical Tip: Dynamic routing (BGP) over IPsec tunnel
Description
Solution
The CLI guide states that, to use dynamic routing over the tunnel or to be able to ping the tunnel interface, an address for the remote end of the tunnel must be specified with 'remote-ip' and an address for this end of the tunnel with 'ip'. These settings are only available when the interface type is 'tunnel'. The BGP neighbor on each FortiGate is then the tunnel address of the peer (its 'remote-ip' as seen from this side), so the BGP session is carried inside the IPsec tunnel rather than between the physical interfaces.
Bear in mind that these settings apply to tunnels with static IP addresses.
This document will be updated at a later date for the dial-up tunnel.
Extracts of the CLI configuration for the left FortiGate (firewall policies not shown here):
config system interface
    edit "port13"
        set vdom "External"
        set ip 10.115.2.97 255.255.240.0
        set type physical
    next
    edit "Tunnel1"
        set vdom "External"
        set ip 11.11.11.97 255.255.255.255      <-- Use whatever IP is required.
        set type tunnel
        set remote-ip 11.11.11.130              <-- Use whatever IP is required.
        set interface "port13"
    next
end
config vpn ipsec phase1-interface
    edit "Tunnel1"
        set interface "port13"
        set nattraversal disable
        set remote-gw 10.115.1.130
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set phase1name "Tunnel1"
        set keepalive enable
        set auto-negotiate enable
    next
end
config router bgp
    set as 65002
    set router-id 192.168.1.97
    config neighbor
        edit "11.11.11.130"
            set remote-as 65003
        next
    end
end
Extracts of the CLI configuration for the right FortiGate (including the two firewall policies that allow traffic between the tunnel and the internal interface "port3"):
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.115.1.130 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 2
    next
    edit "Tunnel1"
        set vdom "root"
        set ip 11.11.11.130 255.255.255.255     <-- Use whatever IP is required.
        set type tunnel
        set remote-ip 11.11.11.97               <-- Use whatever IP is required.
        set interface "port2"
    next
end
config vpn ipsec phase1-interface
    edit "Tunnel1"
        set interface "port2"
        set remote-gw 10.115.2.97
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set phase1name "Tunnel1"
        set auto-negotiate enable
    next
end
config router bgp
    set as 65003
    set router-id 192.168.1.130
    config neighbor
        edit "11.11.11.97"
            set remote-as 65002
        next
    end
end
config firewall policy
    edit 3
        set srcintf "Tunnel1"
        set dstintf "port3"
        set action accept
        set service "ALL"
    next
    edit 4
        set srcintf "port3"
        set dstintf "Tunnel1"
        set action accept
        set service "ALL"
    next
end
Verification of the BGP sessions. On the left FortiGate (local AS 65002):
    BGP neighbor is 11.11.11.130, remote AS 65003, local AS 65002, external link
      BGP version 4, remote router ID 192.168.1.130
      BGP state = Established, up for 00:09:44
      .
      Connections established 1; dropped 0
      Local host: 11.11.11.97, Local port: 179
      Foreign host: 11.11.11.130, Foreign port: 1375
      Nexthop: 11.11.11.97
On the right FortiGate (local AS 65003):
    BGP neighbor is 11.11.11.97, remote AS 65002, local AS 65003, external link
      BGP version 4, remote router ID 192.168.1.2
      BGP state = Established, up for 00:08:16
      .
      Connections established 1; dropped 0
      Local host: 11.11.11.130, Local port: 1375
      Foreign host: 11.11.11.97, Foreign port: 179
      Nexthop: 11.11.11.130
Note that on both sides the local and foreign hosts are the tunnel interface addresses (11.11.11.97 and 11.11.11.130), not the physical interface addresses: the BGP session runs inside the IPsec tunnel.
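As an added example (not part of the original article), the following Python script parses the neighbor output shown above and checks what a practitioner would look for: the session is Established, it runs between the tunnel interface's 'ip' and 'remote-ip' rather than the outer addresses, the neighbor address is the peer's tunnel IP, and the AS numbers mirror the peer's view. The sample output and interface addresses are constructed from the values in this article and trimmed to the lines the check needs.

```python
import re

# Constructed sample in the format of the neighbor output above, trimmed
# to the lines the check needs (not the article's own captures).
LEFT_OUT = """
BGP neighbor is 11.11.11.130, remote AS 65003, local AS 65002, external link
  BGP state = Established, up for 00:09:44
  Local host: 11.11.11.97, Local port: 179
  Foreign host: 11.11.11.130, Foreign port: 1375
"""
RIGHT_OUT = """
BGP neighbor is 11.11.11.97, remote AS 65002, local AS 65003, external link
  BGP state = Established, up for 00:08:16
  Local host: 11.11.11.130, Local port: 1375
  Foreign host: 11.11.11.97, Foreign port: 179
"""
# Tunnel interface addresses as configured on each side ('ip' / 'remote-ip').
LEFT_IF = {"ip": "11.11.11.97", "remote-ip": "11.11.11.130"}
RIGHT_IF = {"ip": "11.11.11.130", "remote-ip": "11.11.11.97"}

FIELDS = {
    "neighbor": r"BGP neighbor is (\S+),",
    "remote_as": r"remote AS (\d+)",
    "local_as": r"local AS (\d+)",
    "state": r"BGP state = (\w+)",
    "local_host": r"Local host: (\S+),",
    "foreign_host": r"Foreign host: (\S+),",
}

def parse_neighbor(text):
    """Extract the fields above from one neighbor's output block (None if absent)."""
    found = {k: re.search(p, text) for k, p in FIELDS.items()}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def check_session(out, iface, peer_out):
    """Return a list of problems with this side's session; empty means healthy."""
    me, peer = parse_neighbor(out), parse_neighbor(peer_out)
    problems = []
    if me["state"] != "Established":
        problems.append(f"state is {me['state']}")
    # Both endpoints must be the tunnel addresses, not the physical ones.
    if me["local_host"] != iface["ip"] or me["foreign_host"] != iface["remote-ip"]:
        problems.append("session is not using the tunnel interface addresses")
    if me["neighbor"] != iface["remote-ip"]:
        problems.append("neighbor address is not the peer's tunnel ip")
    if me["remote_as"] != peer["local_as"] or me["local_as"] != peer["remote_as"]:
        problems.append("AS numbers do not match the peer's view")
    return problems

if __name__ == "__main__":
    print("left:", check_session(LEFT_OUT, LEFT_IF, RIGHT_OUT))
    print("right:", check_session(RIGHT_OUT, RIGHT_IF, LEFT_OUT))
```

Paste the real output of the neighbor command from both FortiGates in place of the constructed samples to run the same cross-check on a live deployment.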
In the configuration above, on both FortiGates the IPsec phase 2 proxy IDs (selectors) are left at the default 0.0.0.0 (any), so traffic between any subnets is allowed through the tunnel and reachability is governed by the routes BGP exchanges and by the firewall policies.
For the left FortiGate:
For the right FortiGate:
