Created on ‎04-10-2009 05:49 AM Edited on ‎06-09-2022 09:18 PM By Anonymous
Purpose
This article describes the steps to configure FortiGates in an OSPF scenario providing two redundant IPSec tunnels.
It includes the network diagram, requirements, configuration, and routing tables of all FortiGate units.
Scope
Diagram
The following network diagram illustrates this example and how to set up OSPF over IPsec.
Expectations, Requirements
Requirements:
Using loopback interfaces in this OSPF scenario is a simple rule that eases OSPF troubleshooting and administration: the OSPF router ID is set to the same value as the loopback interface address.
To control which OSPF routes are selected in the routing table, the OSPF interface cost is used (see marker M3 in the configuration).
Configuration
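# FGT1 interfaces (FGT1 = router-id 10.0.0.1 / loopback lback1 in the
# verification output further down).  The article's "M4" markers, which were
# pasted into the CLI lines as stray "ß" glyphs, are kept here as comments so
# the block can be pasted unchanged.
config system interface
edit "internal"
set vdom "root"
set ip 192.168.182.151 255.255.254.0
# NOTE(review): http and telnet are cleartext management protocols and this
# port is the tunnel_wan1 underlay facing the peer; keep only the access the
# deployment really needs.
set allowaccess ping https ssh http telnet
set type physical
next
edit "port1"
set vdom "root"
set ip 10.141.0.151 255.255.254.0
# NOTE(review): same cleartext-management remark as for "internal" (this is
# the tunnel_wan2 underlay).
set allowaccess ping https ssh http telnet
set type physical
# M4: alias is a display label only; "port1" is the second WAN uplink.
set alias "wan2"
next
edit "port8"
set vdom "root"
set ip 10.142.0.151 255.255.254.0
set allowaccess ping https ssh http telnet
set type physical
# M4: "port8" is the local LAN behind FGT1.
set alias "local_lan"
next
# Loopback used as the OSPF router-id (config router ospf: set router-id
# 10.0.0.1) and advertised as a /32 (config network edit 2).
edit "lback1"
set vdom "root"
set ip 10.0.0.1 255.255.255.255
set type loopback
next
# IPsec tunnel interfaces.  The local/remote /32 addresses are what OSPF
# peers on; both pairs fall inside the 10.1.1.0/24 OSPF network statement.
edit "tunnel_wan1"
set vdom "root"
set ip 10.1.1.1 255.255.255.255
set type tunnel
# Peer address = FGT2's tunnel_wan1 IP.
set remote-ip 10.1.1.2
set interface "internal"
next
edit "tunnel_wan2"
set vdom "root"
set ip 10.1.1.3 255.255.255.255
set type tunnel
# Peer address = FGT2's tunnel_wan2 IP.
set remote-ip 10.1.1.4
set interface "port1"
next
end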
# FGT1 IKE phase 1 (interface mode): each entry creates the matching
# "tunnel_wan1"/"tunnel_wan2" interface that OSPF runs over.
# NOTE(review): FGT2 enables dpd and nattraversal on its tunnel_wan1 (below)
# while FGT1 sets neither; whether the effective values match depends on the
# per-release defaults — confirm both peers use the same DPD setting so a
# dead tunnel is detected from both ends, not only by OSPF's dead timer.
config vpn ipsec phase1-interface
edit "tunnel_wan1"
# Underlay is "internal"; remote-gw is FGT2's "internal" address.
set interface "internal"
# NOTE(review): 3des-sha1 is a legacy 64-bit-block proposal; keep only
# aes128-sha1 (or stronger) unless the peer cannot negotiate AES.
set proposal 3des-sha1 aes128-sha1
set remote-gw 192.168.182.152
# Pre-shared key (value elided in the article).
set psksecret ENC …
next
edit "tunnel_wan2"
# Underlay is "port1"; remote-gw is FGT2's "port1" address.
set interface "port1"
set proposal 3des-sha1 aes128-sha1
set remote-gw 10.141.0.152
set psksecret ENC …
next
end
# FGT1 IKE phase 2, one SA per tunnel.  No src/dst selectors are set, so the
# tunnels rely on the default (any-to-any) selectors that interface-mode
# routing needs — NOTE(review): confirm that default for the release in use.
# FGT2's phase 2 (below) sets pfs and replay explicitly; FGT1 leaves both at
# their defaults — make sure the two ends negotiate the same values.
config vpn ipsec phase2-interface
edit "tunnel1_wan1"
set phase1name "tunnel_wan1"
# NOTE(review): same 3des-sha1 remark as in phase 1.
set proposal 3des-sha1 aes128-sha1
next
edit "tunnel2_wan2"
set phase1name "tunnel_wan2"
set proposal 3des-sha1 aes128-sha1
next
end
# FGT1 static routes.  Neither entry sets dst, so both are default routes
# (0.0.0.0/0); the distance makes "internal" primary and "port1" backup.
# FGT2 has no static routes at all: it learns its default from OSPF
# (O*E2 0.0.0.0/0 in its routing table).
config router static
# Primary default via internal (default distance): appears as
# "S* 0.0.0.0/0 [10/0] via 192.168.183.254, internal" in the steady-state table.
edit 1
set device "internal"
set gateway 192.168.183.254
next
# Backup default via port1: distance 20 keeps it out of the table until the
# internal link is lost ("S* 0.0.0.0/0 [20/0] via 10.141.0.254, port1").
edit 2
set device "port1"
set distance 20
set gateway 10.141.0.254
next
end
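# FGT1 OSPF.  FGT1 is the only unit that originates a default route and
# redistributes its static routes (M1); FGT2 learns 0.0.0.0/0 as O*E2.
# The article's "M1"/"M3" markers (stray "ß" glyphs on the CLI lines) are
# kept as comments so the block can be pasted unchanged.
config router ospf
# Single backbone area; both tunnels and the loopback are in area 0.
config area
edit 0.0.0.0
next
end
# Advertise FGT1's default route (config router static) into OSPF.
set default-information-originate enable
config network
# Covers both tunnel interfaces (10.1.1.1-10.1.1.4 are /32s inside this /24).
edit 4
set prefix 10.1.1.0 255.255.255.0
next
# Loopback / router-id.
edit 2
set prefix 10.0.0.1 255.255.255.255
next
end
config ospf-interface
edit "tunnel_wan2"
# M3: cost 200 makes tunnel_wan2 the backup path.
set cost 200
set interface "tunnel_wan2"
# point-to-point: no DR/BDR election on a two-node tunnel link.
set network-type point-to-point
next
edit "tunnel_wan1"
# M3: cost 10 makes tunnel_wan1 the preferred path (see the [110/110] and
# [110/20] metrics via tunnel_wan1 in the verification output).
set cost 10
set interface "tunnel_wan1"
set network-type point-to-point
next
end
# No "set status enable" here, so connected networks are NOT redistributed
# (consistent with 10.142.0.0/23 being absent from FGT2's routing table).
# NOTE(review): this relies on the status default being disable — confirm for
# the FortiOS release in use.
config redistribute "connected"
end
# M1: static routes (the default route) are redistributed.
config redistribute "static"
set status enable
end
# Router-id = loopback lback1 address.
set router-id 10.0.0.1
end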
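# FGT2 interfaces (FGT2 = router-id 10.0.0.2 / loopback lback2 in the
# verification output further down).  The article's "M4" markers, which were
# pasted into the CLI lines as stray "ß" glyphs, are kept here as comments so
# the block can be pasted unchanged.
config system interface
edit "internal"
set vdom "root"
set ip 192.168.182.152 255.255.254.0
# NOTE(review): http and telnet are cleartext management protocols and this
# port is the tunnel_wan1 underlay facing the peer; keep only the access the
# deployment really needs.
set allowaccess ping https ssh http telnet
set type physical
# M4: alias is a display label only; "internal" is the first WAN uplink.
set alias "wan1"
next
edit "port1"
set vdom "root"
set ip 10.141.0.152 255.255.254.0
# NOTE(review): same cleartext-management remark as for "internal" (this is
# the tunnel_wan2 underlay).
set allowaccess ping https ssh http telnet
set type physical
# M4: second WAN uplink.
set alias "wan2"
next
# Local LAN; 10.2.2.0/24 is also an OSPF network on FGT2 and is what FGT1
# learns as "O 10.2.2.0/24".  Management access is limited to ping here.
edit "port8"
set vdom "root"
set ip 10.2.2.1 255.255.255.0
set allowaccess ping
set type physical
# M4: "port8" is the local LAN behind FGT2.
set alias "local_lan"
next
# Loopback used as the OSPF router-id (config router ospf: set router-id
# 10.0.0.2) and advertised as a /32 (config network edit 3).
edit "lback2"
set vdom "root"
set ip 10.0.0.2 255.255.255.255
set type loopback
next
# IPsec tunnel interfaces, mirror of FGT1's addressing.
edit "tunnel_wan1"
set vdom "root"
set ip 10.1.1.2 255.255.255.255
set type tunnel
# Peer address = FGT1's tunnel_wan1 IP.
set remote-ip 10.1.1.1
set interface "internal"
next
edit "tunnel_wan2"
set vdom "root"
set ip 10.1.1.4 255.255.255.255
set type tunnel
# Peer address = FGT1's tunnel_wan2 IP.
set remote-ip 10.1.1.3
set interface "port1"
next
end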
# FGT2 IKE phase 1, mirror of FGT1's.  Only tunnel_wan1 has dpd and
# nattraversal enabled; tunnel_wan2 does not, and FGT1 sets neither —
# NOTE(review): align these on both tunnels and both peers so liveness
# detection behaves the same on the primary and the backup path.
config vpn ipsec phase1-interface
edit "tunnel_wan1"
set interface "internal"
# Dead peer detection: lets FGT2 tear down the SA when FGT1 stops answering.
set dpd enable
set nattraversal enable
# NOTE(review): 3des-sha1 is a legacy 64-bit-block proposal; prefer
# aes128-sha1 or stronger.
set proposal 3des-sha1 aes128-sha1
# FGT1's "internal" address.
set remote-gw 192.168.182.151
# Pre-shared key (value elided in the article).
set psksecret ENC …
next
edit "tunnel_wan2"
set interface "port1"
set proposal 3des-sha1 aes128-sha1
# FGT1's "port1" address.
set remote-gw 10.141.0.151
set psksecret ENC …
next
end
# FGT2 IKE phase 2.  Unlike FGT1's phase 2, pfs and anti-replay are set
# explicitly here; NOTE(review): FGT1 relies on the defaults for both —
# verify the two ends negotiate the same values.
config vpn ipsec phase2-interface
edit "tunnel1_wan1"
# Perfect forward secrecy: a fresh DH exchange on each phase-2 rekey.
set pfs enable
set phase1name "tunnel_wan1"
# NOTE(review): same 3des-sha1 remark as in phase 1.
set proposal 3des-sha1 aes128-sha1
# Anti-replay protection on the ESP SA.
set replay enable
next
edit "tunnel2_wan2"
set pfs enable
set phase1name "tunnel_wan2"
set proposal 3des-sha1 aes128-sha1
set replay enable
next
end
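# FGT2 OSPF (router-id 10.0.0.2 / loopback lback2).  FGT2 neither originates
# a default route nor redistributes anything; it only advertises the networks
# below, so FGT1 learns 10.2.2.0/24 and 10.0.0.2/32 from it.
# The article's "M3" markers (stray "ß" glyphs on the CLI lines) are kept as
# comments, and the "end" that was fused onto the "config ospf-interface"
# line is split back onto its own line, so the block can be pasted unchanged.
config router ospf
config area
edit 0.0.0.0
next
end
config network
# Both tunnel interfaces.
edit 1
set prefix 10.1.1.0 255.255.255.0
next
# Local LAN on port8 (10.2.2.1/24).  This also enables OSPF on the LAN port
# itself; NOTE(review): unless an OSPF neighbor is expected on that LAN,
# make it passive (set passive-interface "port8") so a host there cannot
# form an adjacency and inject routes.
edit 2
set prefix 10.2.2.0 255.255.255.0
next
# Loopback / router-id.
edit 3
set prefix 10.0.0.2 255.255.255.255
next
end
config ospf-interface
edit "tunnel_wan2"
# M3: backup path; the cost matches FGT1's so both directions agree.
set cost 200
set interface "tunnel_wan2"
# point-to-point: no DR/BDR election on a two-node tunnel link.
set network-type point-to-point
next
edit "tunnel_wan1"
# M3: preferred path.
set cost 10
set interface "tunnel_wan1"
set network-type point-to-point
next
end
# Router-id = loopback lback2 address.
set router-id 10.0.0.2
end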
Verification
NOTE: Both tunnels up (two Full neighbors): all OSPF routes are seen via tunnel_wan1, the lower-cost interface.
FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.2 1 Full/ - 00:00:39 10.1.1.2 tunnel_wan1
10.0.0.2 1 Full/ - 00:00:34 10.1.1.4 tunnel_wan2
FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.183.254, internal
C 10.0.0.1/32 is directly connected, lback1
O 10.0.0.2/32 [110/110] via 10.1.1.2, tunnel_wan1, 00:06:21
C 10.1.1.1/32 is directly connected, tunnel_wan1
C 10.1.1.2/32 is directly connected, tunnel_wan1
C 10.1.1.3/32 is directly connected, tunnel_wan2
C 10.1.1.4/32 is directly connected, tunnel_wan2
O 10.2.2.0/24 [110/20] via 10.1.1.2, tunnel_wan1, 00:20:10
C 10.141.0.0/23 is directly connected, port1
C 10.142.0.0/23 is directly connected, port8
C 192.168.182.0/23 is directly connected, internal
FGT2 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.1 1 Full/ - 00:00:39 10.1.1.1 tunnel_wan1
10.0.0.1 1 Full/ - 00:00:29 10.1.1.3 tunnel_wan2
FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.1.1.1, tunnel_wan1, 00:20:52
O 10.0.0.1/32 [110/110] via 10.1.1.1, tunnel_wan1, 00:07:27
C 10.0.0.2/32 is directly connected, lback2
C 10.1.1.1/32 is directly connected, tunnel_wan1
C 10.1.1.2/32 is directly connected, tunnel_wan1
C 10.1.1.3/32 is directly connected, tunnel_wan2
C 10.1.1.4/32 is directly connected, tunnel_wan2
C 10.2.2.0/24 is directly connected, port8
C 10.141.0.0/23 is directly connected, port1
C 192.168.182.0/23 is directly connected, internal
NOTE: tunnel_wan1 down (only the tunnel_wan2 neighbor remains): all OSPF routes are seen via tunnel_wan2.
FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.2 1 Full/ - 00:00:38 10.1.1.4 tunnel_wan2
FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [20/0] via 10.141.0.254, port1
C 10.0.0.1/32 is directly connected, lback1
O 10.0.0.2/32 [110/300] via 10.1.1.4, tunnel_wan2, 00:01:31
C 10.1.1.3/32 is directly connected, tunnel_wan2
C 10.1.1.4/32 is directly connected, tunnel_wan2
O 10.2.2.0/24 [110/210] via 10.1.1.4, tunnel_wan2, 00:01:31
C 10.141.0.0/23 is directly connected, port1
C 10.142.0.0/23 is directly connected, port8
FGT2 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.1 1 Full/ - 00:00:30 10.1.1.3 tunnel_wan2
FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11
O 10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11
C 10.0.0.2/32 is directly connected, lback2
C 10.1.1.3/32 is directly connected, tunnel_wan2
C 10.1.1.4/32 is directly connected, tunnel_wan2
C 10.2.2.0/24 is directly connected, port8
C 10.141.0.0/23 is directly connected, port1
C 192.168.182.0/23 is directly connected, internal
Troubleshooting
Use the OSPF router command:
get router info ospf <subcommand>
FGT# get router info ospf ?
database show ospf database information
interface show ospf interfaces
route show ospf routing table
neighbor show ospf neighbors
border-routers show ospf border routers
status show ospf status
virtual-links show ospf virtual links
For advanced troubleshooting, use the command:
FGT# diag ip router ospf all enable (or disable to stop the trace)
Related Articles
Technical Note : OSPF configuration guide for ABR and ASBR settings
Technical Note : simple OSPF configuration with 2 FortiGates in the same area
Technical Tip: How to redistribute a default route in OSPF
Technical Note : OSPF route summarization for LSAs Type3 (on ABR) and Type5 (on ASBR)