Description
This article explains how to advertise an SSL VPN subnet on OSPF through an IPsec tunnel.
Scope
FortiGate.
Solution
The SSL VPN subnet configured on one firewall can be advertised as a route to another firewall through OSPF. Follow the instructions below to do this.
Note: Make sure the router ID used in the OSPF configuration is routable from the firewall or router at the other end.
1) Add the SSL VPN subnet to the networks under OSPF on the firewall that advertises its own network.
In the GUI:
In the CLI:
# config router ospf
    config network
        edit 1
            set prefix 10.212.134.0 255.255.255.0
        next
    end
end
2) Add a static route for the SSL VPN subnet in the same firewall where the SSL VPN is configured:
In the GUI:
In the CLI:
# config router static
    edit 1
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end
3) To control which static routes are redistributed into OSPF, create a prefix list and a route map in the CLI:
# config router prefix-list
    edit "SSLVPN_PREFIX_LIST"
        config rule
            edit 1
                set prefix 10.212.134.0 255.255.255.0
            next
        end
    next
end
# config router route-map
    edit "OSPF_Route_Map"
        config rule
            edit 1
                set match-ip-address "SSLVPN_PREFIX_LIST"
            next
        end
    next
end
4) Enable Static under Redistribute in the OSPF settings. This is needed because OSPF is not running over the SSL VPN.
In the GUI:
In the CLI:
# config router ospf
    config redistribute static
        set status enable
        set routemap "OSPF_Route_Map"
    end
end
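An added example (not part of the original article) that checks offline which static routes the prefix list from step 3 lets into OSPF, so that only the SSL VPN subnet is redistributed. The second static route (192.168.50.0/24 on port3) is constructed for illustration, and the parser assumes a single prefix list with exact-match rules (no ge/le) that the route map references as in step 3.

```python
import ipaddress

# Constructed sample: the article's static route and prefix list, plus one
# hypothetical extra static route that must NOT reach OSPF.
CONFIG = """
config router static
    edit 1
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
    edit 2
        set dst 192.168.50.0 255.255.255.0
        set device "port3"
    next
end
config router prefix-list
    edit "SSLVPN_PREFIX_LIST"
        config rule
            edit 1
                set prefix 10.212.134.0 255.255.255.0
            next
        end
    next
end
"""

def prefixes(config, header, keyword):
    """Collect 'set <keyword> <addr> <mask>' networks inside one top-level block."""
    found, depth = [], 0
    for line in config.splitlines():
        words = line.split()
        if depth == 0:                      # outside: wait for the wanted block
            depth = int(line.strip() == header)
        elif words[:1] == ["config"]:       # nested table opens
            depth += 1
        elif words[:1] == ["end"]:          # table closes
            depth -= 1
        elif words[:2] == ["set", keyword]:
            found.append(ipaddress.ip_network(f"{words[2]}/{words[3]}"))
    return found

def redistributed(config):
    """Split static routes into (allowed into OSPF, filtered out).
    Assumption: a route passes only on an exact prefix match."""
    allowed = set(prefixes(config, "config router prefix-list", "prefix"))
    statics = prefixes(config, "config router static", "dst")
    return ([r for r in statics if r in allowed],
            [r for r in statics if r not in allowed])

if __name__ == "__main__":
    print(redistributed(CONFIG))
```

Run against an exported configuration, a non-empty second list shows the static routes that the route map keeps out of OSPF.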
Copyright 2025 Fortinet, Inc. All Rights Reserved.