chambersb7
New Member
July 6, 2020
Solved

Redistribute Interface IP in OSPF


So here's my conundrum. I have 3 sites all with a private fiber connection to our network provider's datacenter, where they carved off a VDOM just for us to use. We run OSPF on a vlan between the 4 sites (network provider datacenter and 3 locations). I had a failover event this weekend where the circuit failed at the main site and it started running through the secondary site.

Everything was fine except for the traffic to the firewall itself, which means nobody was able to auth to the SSL VPN at the main site because the core switch at our main site saw the /24 as a connected VLAN and didn't have any way to hit the Fortigate IP directly anymore. My thought is why can't I redistribute a /32 to the Fortigate LAN IP through OSPF to make sure that fails over automatically. But I can't find anything on that anywhere. 

I did see about redistributing a loopback through OSPF, but I can't get the SSLVPN auth to originate from a loopback interface as far as I can tell. So if anyone can tell me a way to redistribute that /32 interface IP or if there's another way to get this working otherwise, I would greatly appreciate it.

Thank you very much.

Best answer by lobstercreed

1 reply

lobstercreed
New Member
July 13, 2020

You absolutely can use a loopback for the SSL-VPN. Not sure I follow how it solves all this, but I know that can be done because I do it to solve multi-homed internet connections. I use an IP from my BGP-advertised space and created a VIP to point to the loopback interface where the SSL-VPN is listening.

chambersb7
New Member
July 14, 2020

So let me just make sure I'm understanding your setup. 

You have a VIP for a public IP, let's just say it's 1.1.1.1 pointing to a loopback interface internal like 172.16.1.1 and then your LDAP/RADIUS or other auth server sees the SSLVPN traffic and SSLVPN auth traffic originating from 172.16.1.1?

lobstercreed
New Member
July 14, 2020

Ah, no, my auth originates from my management IP but I believe you can set it to originate from the IP of another interface by using the command set source-ip in your RADIUS config.

Here is an article about that:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36127

And here is one that may help if you're using LDAP (I'm not familiar with using that for VPN):

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38942
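The pieces discussed in this thread, pulled together as an added FortiOS CLI example (not config posted by either participant): a /32 loopback advertised into OSPF, the SSL-VPN bound to that loopback, a VIP mapping a public address onto it, and RADIUS auth sourced from the same address. The interface name "lo-sslvpn", the addresses 172.16.1.1, 203.0.113.10 and 192.0.2.10, the router ID, the area and the "wan1" interface are assumed values; replace them with your own.

```fortios
# Loopback that holds the /32 the SSL-VPN and auth traffic will use.
# A loopback never goes down with a physical link, so the route to it
# simply follows whichever OSPF path is still up after a circuit failure.
config system interface
    edit "lo-sslvpn"
        set vdom "root"
        set type loopback
        set ip 172.16.1.1 255.255.255.255
        set allowaccess ping https
    next
end

# Advertise the /32 as a stub network in area 0 rather than relying on
# the connected /24, which the core switch sees as its own VLAN.
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 172.16.1.1 255.255.255.255
            set area 0.0.0.0
        next
    end
end

# SSL-VPN listens on the loopback; the VIP hands the public address to it.
config vpn ssl settings
    set source-interface "lo-sslvpn"
    set port 443
end
config firewall vip
    edit "vip-sslvpn"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "172.16.1.1"
    next
end

# RADIUS requests originate from the loopback address instead of the
# management IP, so the auth server sees a source that survives failover.
config user radius
    edit "RADIUS-SRV"
        set server "192.0.2.10"
        set secret <shared-secret-placeholder>
        set source-ip 172.16.1.1
    next
end
```

A firewall policy from "wan1" to "lo-sslvpn" with "vip-sslvpn" as the destination is still needed for the VIP to pass traffic, and the same set source-ip option exists under config user ldap if LDAP is used instead.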