FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Staff
Article Id 197156

Description
This article describes how to configure OSPF over dynamic IPSEC VPN.

The setup includes single spokes with hub location which would be assigning IP addresses to the spokes via dial-up VPN.
A dynamic IPsec tunnel will be established which will allow OSPF through it.



Solution
Hub Configuration.

 

  1. Configure VPN phase-1.

 

 

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        set ipv4-start-ip 10.1.1.4  
        set ipv4-end-ip 10.1.1.255
        set psksecret <secret>
    next
end

 

Note:

  • When configuring the ‘IPv4-start-ip’ and ‘IPv4-end-ip’, assign the IP address that is multiple of /30 subnet.
  • As an example in the above configuration first spoke is assigned subnet 10.1.1.4/30 and second spoke is assigned subnet 10.1.1.8/30.
  • The first usable IP in the subnet is assigned to the spoke and second one hub assigns it to itself.
  • When it is not falling in the range, the FortiGate displays an error message as follow: 'IPv4-start-ip must be be a multiple of a /30 subnet'.

 

 

  1. Config VPN phase-2.

 

 

config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end

 

 

  1. Configuring tunnel interface.

 

 

config system interface
    edit "dial-up"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end

 

Note: There is no need to assign any IP address on the tunnel interface to make OSPF neighborship work. 

  1. Configuring OSPF.

 

 

config router ospf

    set router-id 2.2.2.2

        config area

            edit 0.0.0.0

        next

    end
    config ospf-interface
        edit "1"
            set interface "dial-up"
            set cost 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end

    config redistribute "isis"

    end
end

 

  1. Configuring firewall policies.

 

config firewall policy
    edit 2
        set name "12"
        set uuid acb445b4-0d38-51ea-b14f-4aa6f8d95e2f
        set srcintf "dial-up"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
    edit 3
        set name "21"
        set uuid be577278-0d38-51ea-32eb-259a94e511b2
        set srcintf "internal"
        set dstintf "dial-up"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
end

 

Spoke Configuration.

  1. Configure VPN phase-1.

 

config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal des-md5
        set add-route disable
        set remote-gw <IP>
        set psksecret <secret>
    next
end

 

  1. Configure VPN phase-2.

 

config vpn ipsec phase2-interface
    edit "dial-up-client-PHASE2"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end

 

  1. Configuring tunnel interface.

 

config system interface
    edit "dial-up-client"
        set vdom "root"
        set type tunnel
        set snmp-index 7
        set interface "wan2"
    next

 

Note: There is no need to assign any IP address on a tunnel interface to make OSPF neighborship work. 

  1. Configuring OSPF.

 

config router ospf

    set router-id 1.1.1.1
        config area
            edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "1"
            set interface "dial-up-client"
            set cost 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
       next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end

    config redistribute "isis"

    end
end

 

  1. Configuring firewall policies.

 

config firewall policy
    edit 2
        set name "21"
        set uuid e8837c7c-0d42-51ea-ef68-ee882be1dd18
        set srcintf "internal"
        set dstintf "dial-up-client"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
    edit 3
        set name "12"
        set uuid f35734f4-0d42-51ea-9470-6c0f614f2997
        set srcintf "dial-up-client"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "OSPF"
        set fsso disable
    next
end

 

Troubleshooting:

 

get router info ospf interface

get router info ospf interface
dial-up_0 is up, line protocol is up
Internet Address 10.1.1.6/30, Area 0.0.0.0, MTU 1446     10.1.1.4/30 assigned for First spoke
 10.1.1.6/30 assigned by Hub to itself
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 6075
Hello received 35 sent 35, DD received 5 sent 6
LS-Req received 1 sent 1, LS-Upd received 3 sent 3
LS-Ack received 2 sent 2, Discarded 0
Loopback_2 is up, line protocol is up
Internet Address 2.2.2.2/32, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 100
No bandwidth information from kernel
Transmit Delay is 1 sec, State Loopback
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5


Spoke-FGT # get router info ospf interface
dial-up-client is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0.0.0.0, MTU 1446      10.1.1.4/30 assigned for First Spoke
 10.1.1.5/30 assigned by Hub to Spoke
Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 6022
Hello received 37 sent 39, DD received 6 sent 5
LS-Req received 1 sent 1, LS-Upd received 3 sent 3
LS-Ack received 2 sent 2, Discarded 0
loopback_1 is up, line protocol is up
Internet Address 1.1.1.1/32, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 100
Transmit Delay is 1 sec, State Loopback
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5

# get router info ospf interface

Hub-FGT # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
1.1.1.1         1   Full/ -    00:00:34    10.1.1.5     dial-up_0



Spoke-FGT # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
2.2.2.2         1   Full/ -    00:00:41    10.1.1.6     dial-up-client


# get router info routing-table connected


Hub-FGT # get router info routing-table connected
C 10.1.1.4/30 is directly connected, dial-up_0                                                    <----- Dial-up subnet of /30.
C 10.1.1.6/32 is directly connected, dial-up_0                                                    <----- Dial-up local interface.
C 10.1.1.8/30 is directly connected, dial-up_1                                                    <----- Next /30 subnet assigned to second Spoke.
C 10.1.1.10/32 is directly connected, dial-up_1                                                   <----- Dial-up local interface.

 

Related articles: