Description
This article provides an example of how to set up a redundant point-to-point IPSec VPN over multi-homed BGP links.
Scope
Applies to all FortiOS versions. Publishing an IPSec VPN in a multi-homed BGP setup.
Solution
1) Configure multi-homed BGP.
2) Create a loopback interface with an address from the organization's own public segment.
3) Create firewall policies between the internet links and the loopback interface.
4) Publish the VPN as usual on the loopback interface.
Example:
- Public IP segment is: 172.16.254.0/24
- Local networks are 10.0.0.0/8
- The ISP links are on 192.168.35.0/30 and 192.168.36.0/30
- Local AS is 65300
1) Configure multi-homed BGP.
config router bgp
set as 65300
set ebgp-multipath enable
config neighbor
edit "192.168.35.1"
set remote-as 65301
next
edit "192.168.36.1"
set remote-as 65302
next
end
config network
edit 1
set prefix 172.16.254.0 255.255.255.0
next
end
set router-id 192.168.98.4
end
A route map can be added so that prefixes learned from one ISP are not re-advertised to the other; without it the FortiGate may end up forwarding transit traffic between the internet interfaces (for more information, refer to the related KB article 'Technical Note : FortiGate BGP configuration to announce specific routes and accept only a default route (prefix list and route map)').
2) Create the loopback interface.
config system interface
edit "Loopbk"
set vdom "root"
set ip 172.16.254.1 255.255.255.0
set allowaccess ping
set type loopback
set snmp-index 14
next
end
3) Create firewall policies between the internet links and the loopback interface (vl10 and vl30 are the internet links). Note that 'set intrazone allow' on the zone lets traffic pass directly between vl10 and vl30 without a policy, so leave it at deny unless that is intended. The example policies use srcaddr "all"; restricting policy 1 to the address of the remote VPN gateway (198.36.15.20 in this example) limits exposure of IKE/ESP on the loopback to that peer only.
config system zone
edit "Internet_Zone"
set interface "vl10" "vl30"
set intrazone allow
next
end
config firewall policy
edit 1
set srcintf "Internet_Zone"
set dstintf "Loopbk"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "AH" "IKE" "ESP" "PING"
next
edit 2
set srcintf "Loopbk"
set dstintf "Internet_Zone"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ESP" "AH" "IKE"
next
end
4) Publish the VPN as usual on the loopback interface. The 'psksecret ENC ...' value below is the encrypted form exported from the example device and cannot be reused; enter your own pre-shared key with 'set psksecret <key>'. The proposals are only an example: 3DES is a legacy cipher and should be dropped when the remote peer supports AES.
config vpn ipsec phase1-interface
edit "ptp1"
set interface "Loopbk"
set nattraversal disable
set proposal 3des-sha1 aes128-sha1
set remote-gw 198.36.15.20
set psksecret ENC 54vEVHxpZHTGNecFPphIdQyxX82+DAJJpvSE2xDa1ggpkprsP5J
+xxIO+5GvzXeWRkfzVqu2m2WJC0W+DiNsbOXPU+BR/BjiVmBw1Fzqy/5pFNKNXYl1H/fuGoZIg10/tSSIq2UUnxPWLfxiJVfFQkgzPwiB3D6MRRxqYhnZVtDzOTZa9TnFjiMrUXOuPVXTq7uq7A==
next
end
config vpn ipsec phase2-interface
edit "phase2"
set phase1name "ptp1"
set proposal 3des-sha1 aes128-sha1
set dst-subnet 10.128.0.0 255.128.0.0
set src-subnet 10.0.0.0 255.128.0.0
next
end
5) Create the usual firewall policies for the VPN traffic.
config firewall policy
edit 3
set srcintf "ptp1"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set srcintf "dmz"
set dstintf "ptp1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
Related Articles
Technical Tip: FortiGate BGP configuration to announce specific routes and accept only a default route (prefix list and route map)