FortiGate
pmeet (Staff)
Article Id 239418

Description

This article explains how to advertise an SSL VPN subnet into OSPF across an IPsec tunnel.

Scope

FortiGate.

Solution

An SSL VPN subnet configured on one firewall can be advertised to the firewall at the other end of the IPsec tunnel through OSPF. Follow the steps below to do this.

Note: Make sure the router ID used in the OSPF configuration is routable from the firewall or router at the other end.

1) Add the SSL VPN subnet as an OSPF network entry, in the same way the firewall advertises its own networks.

In the GUI: see screenshot pmeet_0-1670865151122.png.

In the CLI:

# config router ospf
    config network
        edit 1
            set prefix 10.212.134.0 255.255.255.0
        next
    end
end

 

2) Add a static route for the SSL VPN subnet on the same firewall where the SSL VPN is configured:

In the GUI: see screenshot pmeet_1-1670865151125.png.

In the CLI:

# config router static
    edit 1
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

 

3) To control which static routes are redistributed into OSPF, create a prefix list and a route map in the CLI:

# config router prefix-list
    edit "SSLVPN_PREFIX_LIST"
        config rule
            edit 1
                set prefix 10.212.134.0 255.255.255.0
            next
        end
    next
end

# config router route-map
    edit "OSPF_Route_Map"
        config rule
            edit 1
                set match-ip-address "SSLVPN_PREFIX_LIST"
            next
        end
    next
end

 

4) Enable Static under Redistribute in the OSPF settings and attach the route map. This is needed because OSPF itself is not running over the SSL VPN, so the SSL VPN subnet only enters OSPF as a redistributed static route.

In the GUI: see screenshot pmeet_2-1670865151128.png.

In the CLI:

# config router ospf
    config redistribute static
        set status enable
        set routemap "OSPF_Route_Map"
    end
end
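Putting steps 1 to 4 together, the following is the complete configuration for the firewall that terminates the SSL VPN, followed by the commands used to confirm the result on both ends. This is an added example, not configuration taken from the original article. The subnet 10.212.134.0/24, the ssl.root interface and the SSLVPN_PREFIX_LIST / OSPF_Route_Map names come from the article; the OSPF area 0.0.0.0, the explicit set action permit lines, the router ID placeholder and the expected verification output are assumptions. Lines beginning with # are comments and are ignored by the FortiOS CLI when pasted as a script.

```text
# --- Firewall terminating the SSL VPN (added example, not from the article) ---

# Step 2: the static route that makes the SSL VPN subnet reachable via ssl.root.
# Use a free entry index on your unit; 1 is only the article's example.
config router static
    edit 1
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

# Step 3a: the prefix list matches ONLY the SSL VPN subnet.
# "set action permit" is assumed explicit here; permit is the default.
config router prefix-list
    edit "SSLVPN_PREFIX_LIST"
        config rule
            edit 1
                set prefix 10.212.134.0 255.255.255.0
                set action permit
            next
        end
    next
end

# Step 3b: the route map permits only what the prefix list matches.
# Any other static route (default route, management routes) is not matched
# by a rule and therefore is not redistributed, which is the least-privilege
# outcome you want when enabling static redistribution.
config router route-map
    edit "OSPF_Route_Map"
        config rule
            edit 1
                set action permit
                set match-ip-address "SSLVPN_PREFIX_LIST"
            next
        end
    next
end

# Steps 1 and 4: OSPF network entry plus filtered static redistribution.
# The router-id value is a placeholder; it must be routable from the peer.
# The area block is assumed to exist already if OSPF is up with the peer.
config router ospf
    set router-id <ROUTER_ID_ROUTABLE_FROM_PEER>
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.212.134.0 255.255.255.0
            set area 0.0.0.0
        next
    end
    config redistribute static
        set status enable
        set routemap "OSPF_Route_Map"
    end
end

# --- Verification on the SSL VPN firewall ---
# Expect 10.212.134.0/24 with device ssl.root:
get router info routing-table static
# The adjacency over the IPsec tunnel must be in state Full:
get router info ospf neighbor
# The subnet should appear as an AS-external LSA originated by this router ID:
get router info ospf database

# --- Verification on the peer firewall or router ---
# Expect an OSPF external (E2 by default) route for 10.212.134.0/24 and
# nothing else that was previously only a static route on the SSL VPN firewall:
get router info routing-table ospf
```

If the peer's OSPF table shows additional routes after this change, the route map is not attached to the static redistribution or the prefix list matches more than the SSL VPN subnet; re-check set routemap "OSPF_Route_Map" and the prefix-list rule before leaving static redistribution enabled.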

 
