Created on 01-31-2022 03:56 AM Edited on 01-31-2022 04:29 AM By Anonymous
Description
This article describes how to configure OSPF over a dial-up IPsec VPN tunnel.
Scope
FortiGate.
Solution
The setup in this example is a hub and spoke topology. The spoke (FortiGate 60F) connects to the hub (FortiGate 100F) via a dial-up IPsec VPN, and OSPF runs over the tunnel. On each device a loopback interface is configured and advertised via OSPF: 172.16.60.1/32 on the spoke and 172.16.100.1/32 on the hub.

For OSPF, IP addresses need to be configured on the tunnel interface. There are two ways to deal with IP addressing on the dynamic (dial-up) interface. This example relies on the first method: a static IP address is configured on the tunnel interface of each device and exchange-interface-ip is enabled in phase1, so the two peers exchange their tunnel addresses during IKE negotiation. This is why the remote-ip on the hub's tunnel interface does not have to match the spoke's address (the hub configuration below uses 192.168.255.254); the learned pair is visible as virtual-interface-addr in the diagnose vpn ike gateway list output in the verification section. The hub also has add-route disabled, so the 0.0.0.0/0 phase2 selectors do not install routes toward the spoke and reachability is learned from OSPF only. For the second method, the following KB can be used: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dynamic-dial-up-VPN-with-OSPF/ta-p/197156
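The loopback interfaces advertised in this example (172.16.60.1/32 on the spoke, 172.16.100.1/32 on the hub) appear in the verification output as LOOPBACK, but their interface configuration is not printed in the article. The following block is an added example of how such an interface is defined on the spoke; it is not taken from the article, the interface name LOOPBACK is taken from the verification output, and allowaccess ping is an assumption so that the loopback can be used as a reachability test target. The hub's loopback is identical apart from the address.

```fortios
config system interface
    edit "LOOPBACK"
        set vdom "root"
        set type loopback
        set ip 172.16.60.1 255.255.255.255
        set allowaccess ping
    next
end
```

The 172.16.60.1/32 entry under config network in the spoke's OSPF configuration is what places this interface into area 0.0.0.0. OSPF itself needs no firewall policy, since its packets are local-in traffic handled by the routing daemon, but user traffic between the two loopbacks across the tunnel still requires the usual firewall policies between the tunnel interface and LOOPBACK.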
Hub configuration:
IPsec configuration
# config vpn ipsec phase1-interface
# edit "TO_60F"
# set type dynamic
# set interface "lan"
# set peertype any
# set net-device disable
# set exchange-interface-ip enable
# set proposal aes256-sha256
# set add-route disable
# set psksecret <secret>
# next
# end

# config vpn ipsec phase2-interface
# edit "TO_60F"
# set phase1name "TO_60F"
# set proposal aes256-sha256
# set src-subnet 0.0.0.0 0.0.0.0
# set dst-subnet 0.0.0.0 0.0.0.0
# next
# end
Tunnel interface configuration
# config system interface
# edit "TO_60F"
# set vdom "root"
# set ip 192.168.100.1 255.255.255.255
# set type tunnel
# set remote-ip 192.168.255.254 255.255.255.0
# set snmp-index 14
# set interface "lan"
# next
# end
OSPF configuration
# config router ospf
# set router-id 192.168.100.1
# config area
# edit 0.0.0.0
# next
# end
# config ospf-interface
# edit "TO_SPOKE"
# set interface "TO_60F"
# next
# end
# config network
# edit 1
# set prefix 172.16.100.0 255.255.255.0   <– Local advertised prefix (covers the hub loopback 172.16.100.1/32)
# next
# edit 2
# set prefix 192.168.100.0 255.255.255.0   <– VPN overlay
# next
# end
# end
Spoke configuration:
IPsec configuration
# config vpn ipsec phase1-interface
# edit "TO_100E"
# set interface "internal"
# set exchange-interface-ip enable
# set proposal aes256-sha256
# set remote-gw 10.152.1.56
# set psksecret <secret>
# next
# end

# config vpn ipsec phase2-interface
# edit "TO_100E"
# set phase1name "TO_100E"
# set proposal aes256-sha256
# set src-subnet 0.0.0.0 0.0.0.0
# set dst-subnet 0.0.0.0 0.0.0.0
# next
# end
Tunnel interface configuration
# config system interface
# edit "TO_100E"
# set vdom "root"
# set ip 192.168.100.2 255.255.255.255
# set type tunnel
# set remote-ip 192.168.100.1 255.255.255.0
# set snmp-index 18
# set interface "internal"
# next
# end
OSPF configuration
# config router ospf
# set router-id 172.16.60.1
# config area
# edit 0.0.0.0
# next
# end
# config ospf-interface
# edit "TO_HUB"
# set interface "TO_100E"
# set mtu-ignore enable
# set network-type point-to-point
# next
# end
# config network
# edit 1
# set prefix 172.16.60.1 255.255.255.255   <– Spoke loopback
# next
# edit 2
# set prefix 192.168.100.0 255.255.255.0   <– VPN overlay
# next
# end
# end

Note on mtu-ignore: the verification output below shows an MTU of 1420 on the spoke's TO_100E and 1422 on the hub's TO_60F. OSPF rejects a Database Description packet whose Interface MTU field is larger than the MTU of the receiving interface, so it is the side with the smaller MTU, here the spoke, that would otherwise refuse the hub's DD packets and leave the adjacency stuck in ExStart. Enabling mtu-ignore on the spoke (or aligning the MTU on both sides) avoids this.
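The hub in this article admits any peer that presents the pre-shared key (set peertype any), and a peer that can bring up the tunnel can also become an OSPF neighbour and advertise prefixes into area 0.0.0.0. As an added hardening example, not part of the article's configuration, OSPF authentication can be enabled on the tunnel interfaces of both devices so that possession of the IPsec PSK alone is not enough to inject routes; a stronger step still is to replace peertype any with certificate or peer-ID based authentication in phase1. The block below shows the ospf-interface entries of both devices with message-digest authentication. The exact keywords are version dependent and are an assumption here (set authentication message-digest with config md5-keys / set key-string is the 7.x form; earlier releases use set authentication md5 with set md5-key <id> <key>), so confirm them with set authentication ? on the device. The key value is a placeholder and must be identical on both sides.

```fortios
Hub:
config router ospf
    config ospf-interface
        edit "TO_SPOKE"
            set interface "TO_60F"
            set authentication message-digest
            config md5-keys
                edit 1
                    set key-string <shared-ospf-key>
                next
            end
        next
    end
end

Spoke:
config router ospf
    config ospf-interface
        edit "TO_HUB"
            set interface "TO_100E"
            set mtu-ignore enable
            set network-type point-to-point
            set authentication message-digest
            config md5-keys
                edit 1
                    set key-string <shared-ospf-key>
                next
            end
        next
    end
end
```

Apply the change on the hub first, then on the spoke; the adjacency drops in between, and get router info ospf neighbor on the spoke should return to Full once both ends carry the same key id and key string.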
Verification:
Spoke
FortiGate-60F # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
192.168.100.1     1   Full/ -    00:00:32    192.168.100.1   TO_100E(tun-id:10.152.1.56)

FortiGate-60F # get router info ospf interface
LOOPBACK is up, line protocol is up
  Internet Address 172.16.60.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF 0, Router ID 172.16.60.1, Network Type LOOPBACK, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Loopback
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
TO_100E is up, line protocol is up
  Internet Address 192.168.100.2/32, Area 0.0.0.0, MTU 1420
  Process ID 0, VRF 0, Router ID 172.16.60.1, Network Type POINTOPOINT, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 164564
  Hello received 69605 sent 70225, DD received 22 sent 22
  LS-Req received 5 sent 5, LS-Upd received 401 sent 401
  LS-Ack received 396 sent 396, Discarded 0

FortiGate-60F # get router info routing-table details 172.16.100.1
Routing table for VRF=0
Routing entry for 172.16.100.1/32
  Known via "ospf", distance 110, metric 200, best
  Last update 01w0d21h ago
  * 10.152.1.56, via TO_100E
Hub
FG101F-7 # get router info ospf interface
LOOPBACK is up, line protocol is up
  Internet Address 172.16.100.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF 0, Router ID 192.168.100.1, Network Type LOOPBACK, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Loopback
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
TO_60F is up, line protocol is up
  Internet Address 192.168.100.1/24, Area 0.0.0.0, MTU 1422
  Process ID 0, VRF 0, Router ID 192.168.100.1, Network Type POINTOPOINT, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 172648
  Hello received 68411 sent 68416, DD received 13 sent 15
  LS-Req received 3 sent 3, LS-Upd received 389 sent 389
  LS-Ack received 386 sent 386, Discarded 0

FG101F-7 # diagnose vpn ike gateway list
vd: root/0
name: TO_60F_0
version: 1
interface: lan 40
addr: 10.152.1.56:4500 -> 10.152.1.57:64916
virtual-interface-addr: 192.168.100.1 -> 192.168.100.2

FG101F-7 # get router info routing-table details 172.16.60.1   <– Loopback interface IP advertised by the spoke
Routing table for VRF=0
Routing entry for 172.16.60.1/32
  Known via "ospf", distance 110, metric 200, best
  Last update 01w0d21h ago
  * 192.168.100.2, via TO_60F
Copyright 2024 Fortinet, Inc. All Rights Reserved.