FortiGate
Sachin_Alex_Cherian_
Article Id 193955

Description

 

This article contains the settings required to enable dynamic routing (BGP in this example) over a static IPsec tunnel.
 
Scope
 
FortiGate.


Solution

 

The 'ip' and 'remote-ip' commands must be set on both tunnel interfaces (see the diagram below). These addresses terminate IP connectivity across the tunnel so that BGP (or OSPF) neighboring can be established. Without them the tunnel endpoint is not running IP at all, so BGP does not even attempt to open a TCP session.

The CLI guide states: to use dynamic routing with the tunnel, or to be able to ping the tunnel interface, specify an address for the remote end of the tunnel in 'remote-ip' and an address for this end of the tunnel in 'ip'. This is only available if the type is tunnel.

Bear in mind that these settings are for tunnels with static IP addresses.

This document will be updated at a later date for the dial-up tunnel.

[Diagram: the left and right FortiGate with the IPsec tunnel "Tunnel1" between them (image not reproduced)]

Extracts of the CLI configuration for the left FortiGate (firewall rules not shown here):
 
config system interface
    edit "port13"
        set vdom "External"
        set ip 10.115.2.97 255.255.240.0
        set type physical
    next
    edit "Tunnel1"
        set vdom "External"
        set ip 11.11.11.97 255.255.255.255      (use whatever IP is required)
        set type tunnel
        set remote-ip 11.11.11.130              (use whatever IP is required)
        set interface "port13"
    next
end
------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "Tunnel1"
        set interface "port13"
        set nattraversal disable
        set remote-gw 10.115.1.130
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set phase1name "Tunnel1"
        set keepalive enable
        set auto-negotiate enable
    next
end
------------------------------------------------------------------
config router bgp
    set as 65002
    set router-id 192.168.1.97
    config neighbor
        edit "11.11.11.130"
            set remote-as 65003
        next
    end
end

Extracts of the CLI configuration for the right FortiGate:
 
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.115.1.130 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 2
    next
    edit "Tunnel1"
        set vdom "root"
        set ip 11.11.11.130 255.255.255.255     (use whatever IP is required)
        set type tunnel
        set remote-ip 11.11.11.97               (use whatever IP is required)
        set interface "port2"
    next
end
------------------------------------------------------------------
config vpn ipsec phase1-interface
    edit "Tunnel1"
        set interface "port2"
        set remote-gw 10.115.2.97
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set phase1name "Tunnel1"
        set auto-negotiate enable
    next
end
------------------------------------------------------------------
config router bgp
    set as 65003
    set router-id 192.168.1.130
    config neighbor
        edit "11.11.11.97"
            set remote-as 65002
        next
    end
end
-------------------------------------------------------------------
config firewall policy
    edit 3
        set srcintf "Tunnel1"
        set dstintf "port3"
        set action accept
        set service "ALL"
    next
    edit 4
        set srcintf "port3"
        set dstintf "Tunnel1"
        set action accept
        set service "ALL"
    next
end

Verification of BGP sessions:
 
FG-Left # get router info bgp neighbor
BGP neighbor is 11.11.11.130, remote AS 65003, local AS 65002, external link
  BGP version 4, remote router ID 192.168.1.130
  BGP state = Established, up for 00:09:44
.
Connections established 1; dropped 0
Local host: 11.11.11.97, Local port: 179
Foreign host: 11.11.11.130, Foreign port: 1375
Nexthop: 11.11.11.97
--------------------------------------------------------------------------
FG-Right # get router info bgp neighbor
BGP neighbor is 11.11.11.97, remote AS 65002, local AS 65003, external link
BGP version 4, remote router ID 192.168.1.2
BGP state = Established, up for 00:08:16
.
Connections established 1; dropped 0
Local host: 11.11.11.130, Local port: 1375
Foreign host: 11.11.11.97, Foreign port: 179

Nexthop: 11.11.11.130

In the above configuration for both FortiGates, the IPsec phase 2 proxy (selector) settings are left at 0.0.0.0, so traffic from all subnets is allowed through the tunnel.
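As an added example (not part of the article and not Fortinet code), the following Python script parses the 'get router info bgp neighbor' output shown above and flags neighbors that are not Established, have dropped sessions, peer with an unexpected AS, or are missing entirely. This is the check an operator would run periodically after the configuration above is in place. The sample output is constructed from the FG-Left verification above, with the elided lines omitted; the expected-peer map is an assumption for the example.

```python
import re

# Constructed sample: the article's 'get router info bgp neighbor' output from
# FG-Left, with the lines the article elides left out.
SAMPLE_OUTPUT = """\
BGP neighbor is 11.11.11.130, remote AS 65003, local AS 65002, external link
  BGP version 4, remote router ID 192.168.1.130
  BGP state = Established, up for 00:09:44
Connections established 1; dropped 0
Local host: 11.11.11.97, Local port: 179
Foreign host: 11.11.11.130, Foreign port: 1375
Nexthop: 11.11.11.97
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([\d.]+), remote AS (\d+), local AS (\d+)")
STATE_RE = re.compile(r"BGP state = (\w+)(?:, up for (\S+))?")
CONN_RE = re.compile(r"Connections established (\d+); dropped (\d+)")


def parse_bgp_neighbors(text):
    """One record per neighbor block in 'get router info bgp neighbor' output."""
    records, cur = [], None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:  # a new neighbor block starts; later lines belong to it
            cur = {"neighbor": m.group(1), "remote_as": int(m.group(2)),
                   "local_as": int(m.group(3)), "state": None, "uptime": None,
                   "established": 0, "dropped": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = STATE_RE.search(line)
        if m:  # uptime is only printed while the session is Established
            cur["state"], cur["uptime"] = m.group(1), m.group(2)
        m = CONN_RE.search(line)
        if m:
            cur["established"], cur["dropped"] = int(m.group(1)), int(m.group(2))
    return records


def unhealthy(records, expected_peers):
    """Neighbors worth an alert: not Established, sessions dropped since the last
    clear, a remote AS other than the one expected (this also catches a peer that
    is not in the expected map at all), or an expected peer missing from the output.
    expected_peers maps neighbor address -> expected remote AS (assumed inventory)."""
    seen = {r["neighbor"] for r in records}
    bad = [peer for peer in expected_peers if peer not in seen]
    for r in records:
        wrong_as = expected_peers.get(r["neighbor"]) != r["remote_as"]
        if r["state"] != "Established" or r["dropped"] > 0 or wrong_as:
            bad.append(r["neighbor"])
    return sorted(set(bad))


if __name__ == "__main__":
    peers = {"11.11.11.130": 65003}  # assumed inventory for the left FortiGate
    print(unhealthy(parse_bgp_neighbors(SAMPLE_OUTPUT), peers) or "all BGP neighbors healthy")
```

In practice the output would be collected over SSH or the FortiOS REST API and fed to parse_bgp_neighbors unchanged; the 'dropped' counter is the useful early signal, since a session that flaps and re-establishes between polls still shows Established.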

Where the IPsec configuration has specific phase 2 selectors that only allow traffic for the specified subnets through the tunnel, a corresponding phase 2 selector covering the tunnel interface IPs must also be added, otherwise the BGP session between the tunnel addresses is not carried. This is shown below using the setup given above:

For the left FortiGate:
 
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set src-subnet 11.11.11.97 255.255.255.255
        set dst-subnet 11.11.11.130 255.255.255.255
    next
end

For the right FortiGate:
 
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set src-subnet 11.11.11.130 255.255.255.255
        set dst-subnet 11.11.11.97 255.255.255.255
    next
end
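As an added example (not code from the article or from Fortinet), the following Python script checks the two requirements this article makes: the 'ip' and 'remote-ip' rule from the Solution section, and the phase 2 selector rule just above. It parses the subset of FortiOS CLI syntax used in the extracts and reports when a tunnel interface lacks 'ip' or 'remote-ip', when the BGP neighbor address is not the 'remote-ip' of any tunnel, when one end's 'remote-ip' is not the peer's 'ip', and when a narrowed phase 2 selector does not cover the tunnel addresses (an absent selector is treated as 0.0.0.0/0, as in the article). The sample configuration is a constructed template using the article's interface name, addresses and AS numbers; the 'first' and 'selector' helpers and the template are assumptions of the example, not FortiOS features.

```python
import ipaddress
import shlex

# Constructed template condensed from the article's extracts: the interface name,
# tunnel addresses and AS numbers are the article's; firewall policies are omitted.
TEMPLATE = """
config system interface
    edit "Tunnel1"
        set ip {ip} 255.255.255.255
        set type tunnel
        set remote-ip {remote_ip}
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel1-P2"
        set phase1name "Tunnel1"
        set src-subnet {src_sel}
        set dst-subnet {dst_sel}
    next
end
config router bgp
    set as {asn}
    config neighbor
        edit "{neighbor}"
            set remote-as {remote_asn}
        next
    end
end
"""

def side_config(ip, remote_ip, asn, remote_asn, neighbor=None,
                src_sel="0.0.0.0 0.0.0.0", dst_sel="0.0.0.0 0.0.0.0"):
    """Render one FortiGate's config from the constructed template."""
    return TEMPLATE.format(ip=ip, remote_ip=remote_ip, asn=asn, remote_asn=remote_asn,
                           neighbor=neighbor or remote_ip, src_sel=src_sel, dst_sel=dst_sel)

def parse_fortios(text):
    """'config X'/'edit Y' open a nested dict, 'set k v...' stores k -> [v...],
    'next'/'end' close the level; trailing "(...)" remarks are dropped."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("(", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cur = stack[-1] if stack else root
        if tokens[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set" and len(tokens) >= 3:
            cur[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
    return root

def first(node, key):
    """First value of a 'set' line, or None if the key is absent."""
    return node.get(key, [None])[0]

def selector(value):
    """Phase 2 'addr mask' selector as a network; absent means 0.0.0.0/0 (any)."""
    if not value:
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{value[0]}/{value[1]}", strict=False)

def check_side(cfg):
    """Findings for one FortiGate: tunnel addresses, BGP neighbor, phase 2 selectors."""
    findings, tunnels = [], {}
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("type") != ["tunnel"]:
            continue
        ip, remote_ip = first(iface, "ip"), first(iface, "remote-ip")
        if ip is None or remote_ip is None:
            findings.append(f"{name}: 'ip' and 'remote-ip' must both be set, otherwise the tunnel runs no IP")
        tunnels[name] = (ip, remote_ip)
    remote_ips = {r for _, r in tunnels.values() if r}
    for nbr in cfg.get("router bgp", {}).get("neighbor", {}):
        if nbr not in remote_ips:
            findings.append(f"BGP neighbor {nbr} is not the remote-ip of any tunnel interface")
    for p2name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        ip, remote_ip = tunnels.get(first(p2, "phase1name"), (None, None))
        for side, addr, sel in (("src", ip, p2.get("src-subnet")), ("dst", remote_ip, p2.get("dst-subnet"))):
            if addr and ipaddress.ip_address(addr) not in selector(sel):
                findings.append(f"{p2name}: {side}-subnet {selector(sel)} does not cover tunnel address {addr}")
    return findings

def check_pair(left, right, tunnel="Tunnel1"):
    """Both ends together: each side's remote-ip must be the peer's ip."""
    findings = check_side(left) + check_side(right)
    l, r = left["system interface"][tunnel], right["system interface"][tunnel]
    for a, b, what in ((l, r, "left"), (r, l, "right")):
        if first(a, "remote-ip") != first(b, "ip"):
            findings.append(f"{tunnel}: {what} remote-ip {first(a, 'remote-ip')} != peer ip {first(b, 'ip')}")
    return findings

if __name__ == "__main__":
    left = parse_fortios(side_config("11.11.11.97", "11.11.11.130", 65002, 65003))
    right = parse_fortios(side_config("11.11.11.130", "11.11.11.97", 65003, 65002))
    print(check_pair(left, right) or "no findings")
```

Run against a real 'show' export from each FortiGate, the same parser works as long as the export uses the plain config/edit/set/next/end structure shown in this article; the selector check is the part most often missed, because a tunnel with narrowed selectors still comes up and still pings the far physical address while the BGP TCP session between the tunnel addresses is silently not encrypted into the tunnel.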