Description
This article describes an example of how to set up a redundant point-to-point IPsec VPN using multi-homed BGP links.
Scope
Applies to all FortiOS versions. Publishing an IPsec VPN in a multi-homed BGP environment.
Solution
- Configure multi-homed BGP.
- Create a loopback interface with the network address of the segment.
- Create firewall policies from internet links to the loopback interface.
- Publish the VPN as usual on the loopback interface.
Example:
- The public IP segment is 172.16.254.0/24.
- The local networks are 10.0.0.0/8.
- ISP providers are on 192.168.35.0/30 and 192.168.36.0/30.
- The local AS is 65300.
Configure multi-homed BGP.
config router bgp
set as 65300
set router-id 192.168.98.4
set ebgp-multipath enable
config neighbor
edit "192.168.35.1"
set remote-as 65301
next
edit "192.168.36.1"
set remote-as 65302
next
end
config network
edit 1
set prefix 172.16.254.0 255.255.255.0
next
end
end
config system interface
edit "Loopbk"
set vdom "root"
set ip 172.16.254.1 255.255.255.0
set allowaccess ping
set type loopback
set snmp-index 14
next
end
Create firewall policies from the internet links to the loopback interface (vl10 and vl30 are the internet links). The example policies below use srcaddr and dstaddr "all" for brevity; in production, restrict dstaddr to the loopback address and, when the peer address is static, restrict srcaddr to the remote gateway, so that only IKE/ESP/AH traffic for the VPN endpoint is accepted from the internet.
config system zone
edit "Internet_Zone"
set interface "vl10" "vl30"
set intrazone allow
next
end
config firewall policy
edit 1
set srcintf "Internet_Zone"
set dstintf "Loopbk"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "AH" "IKE" "ESP" "PING"
next
edit 2
set srcintf "Loopbk"
set dstintf "Internet_Zone"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ESP" "AH" "IKE"
next
end
Publish the VPN as usual on the loopback interface. The proposal lists in the example (3des-sha1 aes128-sha1) are for illustration only; 3DES and SHA1 are legacy algorithms, so use a current proposal such as aes256-sha256 in production. The psksecret shown is an example value and must be replaced with a pre-shared key of your own; the line beginning with "+" is a wrapped continuation of that same value, not a separate command.
config vpn ipsec phase1-interface
edit "ptp1"
set interface "Loopbk"
set nattraversal disable
set proposal 3des-sha1 aes128-sha1
set remote-gw 198.36.15.20
set psksecret ENC 54vEVHxpZHTGNecFPphIdQyxX82+DAJJpvSE2xDa1ggpkprsP5J
+xxIO+5GvzXeWRkfzVqu2m2WJC0W+DiNsbOXPU+BR/BjiVmBw1Fzqy/5pFNKNXYl1H/fuGoZIg10/tSSIq2UUnxPWLfxiJVfFQkgzPwiB3D6MRRxqYhnZVtDzOTZa9TnFjiMrUXOuPVXTq7uq7A==
next
end
config vpn ipsec phase2-interface
edit "phase2"
set phase1name "ptp1"
set proposal 3des-sha1 aes128-sha1
set dst-subnet 10.128.0.0 255.128.0.0
set src-subnet 10.0.0.0 255.128.0.0
next
end
Create the usual firewall policies between the tunnel interface and the internal network. The example uses srcaddr/dstaddr "all" and service "ALL"; narrow these to the tunnel subnets and required services in production.
config firewall policy
edit 3
set srcintf "ptp1"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set srcintf "dmz"
set dstintf "ptp1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
Note:
For FortiGates with NP6 or NP6lite, configuring an IPsec VPN with a loopback interface as the source interface may lead to performance issues, because the loopback interface does not support hardware acceleration.
For devices with NP7 running FortiOS 7.0.6 and above or 7.2.1 and above, hardware acceleration is supported on loopback interfaces.
Refer to Technical Tip: Information about IPsec on loopback interface and hardware acceleration.
Related article:
Technical Tip: FortiGate BGP configuration to announce specific routes and accept only a default rou...