jmoya
Staff
Article Id 189812
Description
This article provides an example of how to set up a redundant point-to-point IPsec VPN over multi-homed BGP links.

Scope
Applies to all FortiOS versions. Publishing an IPsec VPN in a multi-homed BGP environment.

Solution
1) Configure multi-homed BGP.
2) Create a loopback interface with an address from the organization's own public segment.
3) Create firewall policies from the internet links to the loopback interface.
4) Publish the VPN as usual on the loopback interface.
5) Create the usual firewall policies for the tunnel traffic.

Example:

- Public IP segment is: 172.16.254.0/24
- Local networks are 10.0.0.0/8
- ISP providers are on 192.168.35.0/30 and 192.168.36.0/30
- Local AS is 65300

1) Configure multi-homed BGP.

config router bgp
    set as 65300
    set ebgp-multipath enable
    config neighbor
        edit "192.168.35.1"
            set remote-as 65301
        next
        edit "192.168.36.1"
            set remote-as 65302
        next
    end
    config network
        edit 1
            set prefix 172.16.254.0 255.255.255.0
        next
    end
    set router-id 192.168.98.4
end

A route map can be added to block forwarding of traffic between the internet interfaces. For more information, refer to the related KB article 'Technical Note: FortiGate BGP configuration to announce specific routes and accept only a default route (prefix list and route map)'.

2) Create the loopback interface.

config system interface
    edit "Loopbk"
        set vdom "root"
        set ip 172.16.254.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set snmp-index 14
    next
end

3) Create firewall policies from the internet links to the loopback interface (vl10 and vl30 are the internet links).

config system zone
    edit "Internet_Zone"
        set interface "vl10" "vl30"
        set intrazone allow
    next
end
config firewall policy
    edit 1
        set srcintf "Internet_Zone"
        set dstintf "Loopbk"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "AH" "IKE" "ESP" "PING"
    next
    edit 2
        set srcintf "Loopbk"
        set dstintf "Internet_Zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ESP" "AH" "IKE"
    next
end

4) Publish the VPN as usual on the loopback interface.

config vpn ipsec phase1-interface
    edit "ptp1"
        set interface "Loopbk"
        set nattraversal disable
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 198.36.15.20
        set psksecret ENC 54vEVHxpZHTGNecFPphIdQyxX82+DAJJpvSE2xDa1ggpkprsP5J+xxIO+5GvzXeWRkfzVqu2m2WJC0W+DiNsbOXPU+BR/BjiVmBw1Fzqy/5pFNKNXYl1H/fuGoZIg10/tSSIq2UUnxPWLfxiJVfFQkgzPwiB3D6MRRxqYhnZVtDzOTZa9TnFjiMrUXOuPVXTq7uq7A==
    next
end
config vpn ipsec phase2-interface
    edit "phase2"
        set phase1name "ptp1"
        set proposal 3des-sha1 aes128-sha1
        set dst-subnet 10.128.0.0 255.128.0.0
        set src-subnet 10.0.0.0 255.128.0.0
    next
end

5) Create the usual firewall policies for the tunnel traffic.

config firewall policy
    edit 3
        set srcintf "ptp1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "dmz"
        set dstintf "ptp1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
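As an added example (not part of this article and not Fortinet code), a small Python checker that parses FortiOS CLI text and verifies the three properties the design above relies on: the loopback address sits inside a prefix the BGP process advertises, a phase1-interface is bound to that loopback, and every policy terminating on the loopback allows only IKE/ESP/AH/PING. The parser and the SAMPLE fragment are constructed for this illustration; the interface and zone names are taken from the article.

```python
import ipaddress
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):   # descend into a table or entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":              # attribute -> list of values
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):    # climb back out
            cur = stack.pop()
    return root

# Constructed sample: only the fragments of the article's design that the checks need.
SAMPLE = "\n".join([
    'config router bgp', 'config network', 'edit 1',
    'set prefix 172.16.254.0 255.255.255.0', 'next', 'end', 'end',
    'config system interface', 'edit "Loopbk"',
    'set ip 172.16.254.1 255.255.255.0', 'set type loopback', 'next', 'end',
    'config vpn ipsec phase1-interface', 'edit "ptp1"', 'set interface "Loopbk"',
    'next', 'end',
    'config firewall policy', 'edit 1', 'set srcintf "Internet_Zone"',
    'set dstintf "Loopbk"', 'set service "AH" "IKE" "ESP" "PING"', 'next', 'end',
])

VPN_SERVICES = {"IKE", "ESP", "AH", "PING"}  # all a VPN endpoint should expose

def check_loopback_vpn(text, loopback="Loopbk"):
    """Return the design violations found (an empty list means the design holds)."""
    cfg, errors = parse_fortios(text), []
    lo_ip = ipaddress.ip_address(cfg["system interface"][loopback]["ip"][0])
    advertised = [ipaddress.ip_network("/".join(n["prefix"]))
                  for n in cfg["router bgp"].get("network", {}).values()]
    if not any(lo_ip in net for net in advertised):
        errors.append(f"{lo_ip} is not inside any BGP-advertised prefix")
    if not any(p.get("interface") == [loopback]
               for p in cfg["vpn ipsec phase1-interface"].values()):
        errors.append(f"no phase1-interface is bound to {loopback}")
    for pid, pol in cfg["firewall policy"].items():
        exposed = set(pol.get("service", [])) - VPN_SERVICES
        if pol.get("dstintf") == [loopback] and exposed:
            errors.append(f"policy {pid} exposes {sorted(exposed)} on {loopback}")
    return errors
```

Run it against a `show full-configuration` dump of the FortiGate to confirm the loopback is still only reachable for IPsec after later policy changes.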

Related Articles

Technical Tip: FortiGate BGP configuration to announce specific routes and accept only a default rou...
