Created on 01-31-2022 03:56 AM Edited on 01-31-2022 04:29 AM By Anonymous
Description: This article describes how to configure OSPF over a dial-up IPsec VPN tunnel.
Scope: FortiGate.
Solution:
The setup in this example consists of a hub and spoke topology. The spoke (FortiGate 60F) connects to the hub (FortiGate 100F) via a dial-up VPN, and OSPF runs over the tunnel. Each device has a loopback interface that is advertised via OSPF: 172.16.60.1/32 on the spoke and 172.16.100.1/32 on the hub. For OSPF, IP addresses need to be configured on the tunnel interface, and there are two ways to deal with IP addressing on the dynamic interface.
This example relies on the first method (a static address on the tunnel interface, exchanged with the peer through exchange-interface-ip, as shown in the configuration below). For the second, the following KB can be used: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dynamic-dial-up-VPN-with-OSPF/ta-p/197156
Hub configuration:
IPsec configuration
config vpn ipsec phase1-interface
    edit "TO_60F"
        set type dynamic
        set interface "lan"
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set add-route disable
        set psksecret <secret>
    next
end

config vpn ipsec phase2-interface
    edit "TO_60F"
        set phase1name "TO_60F"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
Tunnel interface configuration
config system interface
    edit "TO_60F"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.255
        set type tunnel
        set remote-ip 192.168.255.254 255.255.255.0
        set snmp-index 14
        set interface "lan"
    next
end
OSPF configuration
config router ospf
    set router-id 192.168.100.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "TO_SPOKE"
            set interface "TO_60F"
        next
    end
    config network
        edit 1
            set prefix 172.16.100.0 255.255.255.0    <- Local advertised prefix
        next
        edit 2
            set prefix 192.168.100.0 255.255.255.0    <- VPN overlay
        next
    end
end
Spoke configuration:
IPsec configuration
config vpn ipsec phase1-interface
    edit "TO_100E"
        set interface "internal"
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set remote-gw 10.152.1.56
        set psksecret <secret>
    next
end

config vpn ipsec phase2-interface
    edit "TO_100E"
        set phase1name "TO_100E"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

Tunnel interface configuration

config system interface
    edit "TO_100E"
        set vdom "root"
        set ip 192.168.100.2 255.255.255.255
        set type tunnel
        set remote-ip 192.168.100.1 255.255.255.0
        set snmp-index 18
        set interface "internal"
    next
end
OSPF configuration
config router ospf
    set router-id 172.16.60.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "TO_HUB"
            set interface "TO_100E"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 172.16.60.1 255.255.255.255
        next
        edit 2
            set prefix 192.168.100.0 255.255.255.0
        next
    end
end
Verification:
Spoke
FortiGate-60F # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
192.168.100.1     1   Full/ -    00:00:32    192.168.100.1   TO_100E(tun-id:10.152.1.56)

FortiGate-60F # get router info ospf interface
LOOPBACK is up, line protocol is up
  Internet Address 172.16.60.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF 0, Router ID 172.16.60.1, Network Type LOOPBACK, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Loopback
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
TO_100E is up, line protocol is up
  Internet Address 192.168.100.2/32, Area 0.0.0.0, MTU 1420
  Process ID 0, VRF 0, Router ID 172.16.60.1, Network Type POINTOPOINT, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 164564
  Hello received 69605 sent 70225, DD received 22 sent 22
  LS-Req received 5 sent 5, LS-Upd received 401 sent 401
  LS-Ack received 396 sent 396, Discarded 0
FortiGate-60F # get router info routing-table details 172.16.100.1
Routing table for VRF=0
Routing entry for 172.16.100.1/32
  Known via "ospf", distance 110, metric 200, best
  Last update 01w0d21h ago
  * 10.152.1.56, via TO_100E
Hub
FG101F-7 # get router info ospf interface
LOOPBACK is up, line protocol is up
  Internet Address 172.16.100.1/32, Area 0.0.0.0, MTU 1500
  Process ID 0, VRF 0, Router ID 192.168.100.1, Network Type LOOPBACK, Cost: 100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Loopback
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
TO_60F is up, line protocol is up
  Internet Address 192.168.100.1/24, Area 0.0.0.0, MTU 1422
  Process ID 0, VRF 0, Router ID 192.168.100.1, Network Type POINTOPOINT, Cost:100
  No bandwidth information from kernel
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 172648
  Hello received 68411 sent 68416, DD received 13 sent 15
  LS-Req received 3 sent 3, LS-Upd received 389 sent 389
  LS-Ack received 386 sent 386, Discarded 0

FG101F-7 # diagnose vpn ike gateway list
vd: root/0
name: TO_60F_0
version: 1
interface: lan 40
addr: 10.152.1.56:4500 -> 10.152.1.57:64916
virtual-interface-addr: 192.168.100.1 -> 192.168.100.2
FG101F-7 # get router info routing-table details 172.16.60.1    <- Loopback interface IP advertised by the spoke
Routing table for VRF=0
Routing entry for 172.16.60.1/32
  Known via "ospf", distance 110, metric 200, best
  Last update 01w0d21h ago
  * 192.168.100.2, via TO_60F
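The verification outputs above can be checked mechanically. The following is an added example (not part of this article and not a FortiGate feature): it parses the "get router info ospf interface" and "get router info ospf neighbor" output from both sides and reports the conditions that most often keep this design from reaching Full, in particular the tunnel MTU difference between hub and spoke that the spoke's mtu-ignore setting exists to cover. The sample outputs are constructed, abbreviated from the article's verification section; the mtu_ignore flag is assumed to be read from the spoke configuration by the caller.

```python
import re

# Constructed sample output, abbreviated from the verification section of this article.
HUB_IF = """TO_60F is up, line protocol is up
  Internet Address 192.168.100.1/24, Area 0.0.0.0, MTU 1422
  Process ID 0, VRF 0, Router ID 192.168.100.1, Network Type POINTOPOINT, Cost:100
"""
SPOKE_IF = """TO_100E is up, line protocol is up
  Internet Address 192.168.100.2/32, Area 0.0.0.0, MTU 1420
  Process ID 0, VRF 0, Router ID 172.16.60.1, Network Type POINTOPOINT, Cost: 100
"""
SPOKE_NEI = """OSPF process 0, VRF 0:
Neighbor ID     Pri   State      Dead Time   Address         Interface
192.168.100.1     1   Full/ -    00:00:32    192.168.100.1   TO_100E(tun-id:10.152.1.56)
"""

def parse_ospf_interfaces(text):
    """Map interface name -> {'mtu': int, 'network_type': str} from 'get router info ospf interface'."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is up, line protocol is up", line)
        if m:
            current = result.setdefault(m.group(1), {})
        elif current is not None:
            if (m := re.search(r"MTU (\d+)", line)):
                current["mtu"] = int(m.group(1))
            if (m := re.search(r"Network Type (\S+),", line)):
                current["network_type"] = m.group(1)
    return result

def parse_ospf_neighbors(text):
    """Map neighbor router ID -> state (e.g. 'Full') from 'get router info ospf neighbor'."""
    return dict(re.findall(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+(\w+)/", text, re.M))

def check_tunnel_adjacency(hub_if, spoke_if, spoke_nei, hub_name, spoke_name, hub_rid, mtu_ignore):
    """Return a list of findings; an empty list means the overlay looks healthy."""
    findings = []
    hub = parse_ospf_interfaces(hub_if)[hub_name]
    spoke = parse_ospf_interfaces(spoke_if)[spoke_name]
    # The article's outputs show 1422 on the hub and 1420 on the spoke. OSPF carries the interface
    # MTU in DBD packets, so without mtu-ignore the adjacency stalls in ExStart and never reaches Full.
    if hub["mtu"] != spoke["mtu"] and not mtu_ignore:
        findings.append(f"MTU mismatch {hub['mtu']}/{spoke['mtu']}: enable mtu-ignore or align the MTUs")
    if {hub["network_type"], spoke["network_type"]} != {"POINTOPOINT"}:
        findings.append("both tunnel interfaces should be OSPF network type point-to-point")
    state = parse_ospf_neighbors(spoke_nei).get(hub_rid)
    if state != "Full":
        findings.append(f"neighbor {hub_rid} state is {state}, expected Full")
    return findings
```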