smayank
Staff
September 26, 2025

Technical Tip: Setting up BGP using loopback over IPsec (site to site)

Description: This article describes the configuration of a BGP neighborship using a loopback interface over a site-to-site IPsec tunnel.

Scope: FortiGate.

Solution:

Topology:

[Image: BGP Top.png, the site-to-site topology (ISP1 and ISP2 FortiGates, IPsec tunnel between port1 interfaces, BGP between loopbacks 172.16.1.1 and 172.16.1.2)]

Configuration on ISP1:

Loopback interface configuration:


config system interface
    edit "BGP-Loopback"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 17
        set ip-managed-by-fortiipam disable
    next
end

 

VPN configuration:

Phase 1 configuration:

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set exchange-ip-addr4 172.16.1.1
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 20 21
        set transport udp
        set remote-gw 10.109.19.199
    next
end

 

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "IPSEC"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set comments "VPN: IPSEC -- Created by VPN wizard"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPSEC_local"
        set dst-name "IPSEC_remote"
    next
    edit "BGP"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set src-subnet 172.16.1.1 255.255.255.255
        set dst-subnet 172.16.1.2 255.255.255.255
    next
end

In this example, two Phase 2 selectors are present: 'IPSEC' carries the interesting (user) traffic between the named address objects, and 'BGP' carries only the loopback-to-loopback traffic on which the BGP session runs. Alternatively, a single Phase 2 with both source and destination subnets set to 0.0.0.0/0 matches all traffic, including the loopback pair; in that case the selectors no longer restrict what crosses the tunnel and the firewall policies become the only control. The proposal lists shown are the VPN wizard defaults; the SHA-1 entries can be dropped when the peer supports the SHA-256 or GCM proposals, which both FortiGates in this example do.

 

BGP configuration:

 

config router bgp
    set as 100
    config neighbor
        edit "172.16.1.2"
            set capability-graceful-restart enable
            set remote-as 200
            set update-source "BGP-Loopback"
        next
    end
end

 

Policy configuration:

A firewall policy that allows BGP from the IPsec tunnel interface to the loopback interface is required on both FortiGates. It is shown here once and must be repeated on ISP2; without it, the peer's inbound TCP/179 session to the loopback is dropped. The 'all' address objects can be tightened to the two loopback addresses once the session is verified.

config firewall policy
    edit 0
        set name "Loopback"
        set srcintf "IPSEC"
        set dstintf "BGP-Loopback"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "BGP"
    next
end

 

Configuration on ISP2:

 

Loopback configuration:

 

config system interface
    edit "BGP-Loopback"
        set vdom "root"
        set ip 172.16.1.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
    next
end

 

VPN Configuration:

Phase 1 configuration:

 

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set exchange-ip-addr4 172.16.1.2
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 20 21
        set transport udp
        set remote-gw 10.109.19.195
    next
end

 

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "IPSEC"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set comments "VPN: IPSEC -- Created by VPN wizard"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPSEC_local"
        set dst-name "IPSEC_remote"
    next
    edit "BGP"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set src-subnet 172.16.1.2 255.255.255.255
        set dst-subnet 172.16.1.1 255.255.255.255
    next
end

 

BGP configuration:

 

config router bgp
    set as 200
    config neighbor
        edit "172.16.1.1"
            set capability-graceful-restart enable
            set remote-as 100
            set update-source "BGP-Loopback"
        next
    end
end

 

With 'exchange-interface-ip enable', the two FortiGates exchange their overlay (tunnel interface) IP addresses during IKE negotiation, so each side learns its IPsec peer's tunnel address without a static entry. This is a Fortinet-specific extension and only works between FortiGates. Refer to Technical Tip: How to use exchange-interface-IP in IPsec Tunnel.

'exchange-ip-addr4 <loopback IP address>' sends the local loopback address to the peer as well, and the peer installs a route to that address through the tunnel interface. Without it, a static route to the peer's loopback pointing at the tunnel interface must be configured manually on each side. 'exchange-interface-ip enable' is required for 'exchange-ip-addr4' to take effect.

To verify, confirm the tunnel is up ('diagnose vpn tunnel list'), that the route to the peer loopback points at the IPSEC interface ('get router info routing-table all'), and that the neighbor is Established ('get router info bgp summary'). If the neighbor stays in Active or Connect state, check the tunnel-to-loopback policy first; because the two loopbacks do not share a subnet, an eBGP session may also need 'set ebgp-enforce-multihop enable' under the neighbor on your FortiOS version.
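As a worked check added here by the editor (not Fortinet code and not part of the original article), the following Python parses both sides' FortiOS CLI blocks and verifies the settings that must mirror each other before the session can come up: each side's BGP neighbor is the other's loopback and is sourced from the local loopback with the correct remote AS, 'exchange-ip-addr4' advertises the local loopback, the 'BGP' Phase 2 selector is the mirror image of the peer's, and a tunnel-to-loopback accept policy for BGP exists. The embedded configurations are constructed from the article's ISP1/ISP2 snippets, trimmed to the checked settings via a template; the ISP2 firewall policy is an assumption mirroring ISP1, since the article requires it on both sides but prints it once. The function names `parse_fortios` and `check_pair` are the editor's.

```python
import shlex
from typing import Any, Dict, List

# Constructed sample: the article's ISP1/ISP2 settings that must mirror each other, as a template.
# The firewall policy on ISP2 is assumed (the article prints it once but requires it on both sides).
TEMPLATE = """\
config system interface
    edit "BGP-Loopback"
        set ip {lo} 255.255.255.255
    next
end
config vpn ipsec phase1-interface
    edit "IPSEC"
        set exchange-interface-ip enable
        set exchange-ip-addr4 {lo}
    next
end
config vpn ipsec phase2-interface
    edit "BGP"
        set phase1name "IPSEC"
        set src-subnet {lo} 255.255.255.255
        set dst-subnet {peer_lo} 255.255.255.255
    next
end
config router bgp
    set as {asn}
    config neighbor
        edit "{peer_lo}"
            set remote-as {peer_as}
            set update-source "BGP-Loopback"
        next
    end
end
config firewall policy
    edit 0
        set srcintf "IPSEC"
        set dstintf "BGP-Loopback"
        set action accept
        set service "BGP"
    next
end
"""
ISP1 = TEMPLATE.format(lo="172.16.1.1", peer_lo="172.16.1.2", asn=100, peer_as=200)
ISP2 = TEMPLATE.format(lo="172.16.1.2", peer_lo="172.16.1.1", asn=200, peer_as=100)


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse FortiOS 'config/edit/set/next/end' blocks into nested dicts (set values stay token lists)."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        toks = shlex.split(raw)
        if not toks:
            continue
        kw = toks[0].lower()  # tolerates the capitalised "Next" that appears in the article
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(toks[1:]), {}))
        elif kw == "set":
            stack[-1][toks[1]] = toks[2:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        else:
            raise ValueError(f"unexpected FortiOS line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def check_pair(a: Dict[str, Any], b: Dict[str, Any], tunnel: str = "IPSEC",
               loopback: str = "BGP-Loopback", selector: str = "BGP") -> List[str]:
    """Return mismatches between the two sides; an empty list means they mirror correctly."""
    out: List[str] = []
    for who, me, peer in (("A", a, b), ("B", b, a)):
        my_lo = me["system interface"][loopback]["ip"][0]
        peer_lo = peer["system interface"][loopback]["ip"][0]
        # BGP: neighbor must be the peer's loopback, sourced from our loopback, with the peer's AS
        nbr = me["router bgp"].get("neighbor", {}).get(peer_lo)
        if nbr is None:
            out.append(f"{who}: no BGP neighbor entry for peer loopback {peer_lo}")
        else:
            if nbr.get("update-source") != [loopback]:
                out.append(f"{who}: neighbor {peer_lo} is not sourced from {loopback}")
            if nbr.get("remote-as") != peer["router bgp"].get("as"):
                out.append(f"{who}: remote-as for {peer_lo} does not match the peer's local AS")
        # Phase 1: our loopback must be advertised so the peer installs a route to it via the tunnel
        p1 = me["vpn ipsec phase1-interface"][tunnel]
        if p1.get("exchange-interface-ip") != ["enable"] or p1.get("exchange-ip-addr4") != [my_lo]:
            out.append(f"{who}: phase1 '{tunnel}' must enable exchange-interface-ip and advertise {my_lo}")
        # Phase 2: the loopback-to-loopback selector must be the mirror image of the peer's
        p2 = me["vpn ipsec phase2-interface"][selector]
        if p2.get("src-subnet", [None])[0] != my_lo or p2.get("dst-subnet", [None])[0] != peer_lo:
            out.append(f"{who}: phase2 '{selector}' selectors must be {my_lo} -> {peer_lo}")
        # Policy: inbound BGP from the tunnel to the loopback needs an accept policy
        if not any(p.get("srcintf") == [tunnel] and p.get("dstintf") == [loopback]
                   and p.get("action") == ["accept"] and set(p.get("service", [])) & {"BGP", "ALL"}
                   for p in me.get("firewall policy", {}).values()):
            out.append(f"{who}: no accept policy {tunnel} -> {loopback} for service BGP")
    return out


if __name__ == "__main__":
    print("\n".join(check_pair(parse_fortios(ISP1), parse_fortios(ISP2)) or ["OK: both sides mirror"]))
```

Feed it the output of 'show system interface', 'show vpn ipsec phase1-interface', 'show vpn ipsec phase2-interface', 'show router bgp' and 'show firewall policy' from each FortiGate (concatenated per side) to check a real pair; a single mistyped loopback or a missing ISP2 policy shows up as a finding rather than as a neighbor that silently stays in Active state.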