Technical Tip : How to allow the EIGRP neighbourship to form when FortiGate is kept as a intermediatory devices running on Virtual Wire Pair between 2 EIGRP neighbours

Virtual Wire Pair: 

The Virtual Wire Pair allows to configure 2 interfaces with no IP address configuration in them. 

All the traffic received by one interface in the pair can only be forwarded out to the other interface which is controlled by the firewall policy. 

The CLI configuration for the Virtual Wire Pair config is as below : 

erbium-kvm140 (test) # show
config system virtual-wire-pair
    edit "test"
        set member "port5" "port6"
    next
end

EIGRP uses the Multicast IP address 224.0.0.10 to send the hello packets which establishes the neighbourship. 

The Multicast traffic has to be allowed on the Virtual Wire Pair interfaces for a successful neighbourship.

The CLI configuration for the Multicast policy is as below : 

erbium-kvm140 (1) # show
config firewall multicast-policy
    edit 1
       set uuid eef91ae0-7da8-51ef-9e19-2014ca4da883
       set name "Test"
       set logtraffic enable
       set srcintf "port5"
       set dstintf "port6"
       set srcaddr "all"
       set dstaddr "EIGRP"
   next
end

Once the Multicast policy is configured the EIGP packets can traverse via the configured interfaces:

diagnose sniffer packet port5 "proto 88" 4 0

interfaces=[port5]
filters=[proto 88]
pcap_lookupnet: port5: no IPv4 address assigned
15.417898 port5 -- 192.168.102.253 -> 192.168.102.254: ip-proto-88 20
15.864769 port5 -- 192.168.101.253 -> 224.0.0.10: ip-proto-88 40
18.047781 port5 -- 192.168.102.254 -> 224.0.0.10: ip-proto-88 58
18.085863 port5 -- 192.168.102.253 -> 224.0.0.10: ip-proto-88 50
18.433612 port5 -- 192.168.102.253 -> 192.168.102.254: ip-proto-88 20
19.573145 port5 -- 192.168.101.254 -> 224.0.0.10: ip-proto-88 46