# config vpn ipsec phase1-interface
Firewall policy.
edit "tunnel netdev"
set type dynamic
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set auto-discovery-receiver enable
set auto-discovery-forwarder enable
set psksecret ENC 0S4yt76mhwUoRqNHybMB129Cur3TcH4XGXZfgXUW9WGkRkZoChYn+rToYo+4saEFRBpbn9YjpqFq2ngL4HvdcPUma8S+n/Fv47clMcWdhPDQjd2R5uP5nuyyA8bQd9XxMa4/HjaRQvDMlVm+04qVnyX056QZ/hR4rC2tmnkcx+Pe5iWDFQUc1J5HWQrdrAK9NR6i/g==
set dpd-retryinterval 60
next
end
# config vpn ipsec phase2-interface
edit "tunnel netdev"
set phase1name "tunnel netdev"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config system interface
edit "tunnel netdev"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
set allowaccess ping https http
set type tunnel
set remote-ip 1.1.2.1 255.255.255.0
set snmp-index 12
set interface "port1"
next
end
# config firewall policy
OSPF configuration on FortiGate dial-up server.
edit 2
set name "firewall 2"
set uuid adb63976-e916-51ea-0712-bf025b038caa
set srcintf "port2"
set dstintf "tunnel netdev"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments " (Copy of firewall1)"
next
edit 1
set name "firewall1"
set uuid a875bb08-e916-51ea-7641-255f83075c3d
set srcintf "tunnel netdev"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
# config router ospf
FortiGate dial-up client-1.
set router-id 1.1.1.1
# config area
edit 0.0.0.0
next
end
# config ospf-interface
edit "tunnel1"
set interface "tunnel netdev"
set network-type point-to-point
next
end
# config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 1.1.2.1 255.255.255.255
next
edit 3
set prefix 30.30.30.0 255.255.255.0
next
edit 4
set prefix 1.1.2.2 255.255.255.255
next
end
# config redistribute "connected"
end
# config redistribute "static"
end
# config redistribute "rip"
end
# config redistribute "bgp"
end
# config redistribute "isis"
end
end
# config vpn ipsec phase1-interface
Firewall policy.
edit "tunnel netdev"
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set auto-discovery-sender enable
set auto-discovery-receiver enable
set auto-discovery-forwarder enable
set remote-gw 192.168.175.156
set psksecret ENC aSZ+/ERBdQ6urLam6kH69xnKjPufcaP/f7c0Hcrdx2kb9j02Ox6gftQsHirvsN0OnQsw+rl1aR/zxriPCjH315zgW4JPJSR4RjMTrMeIIOlyYZBUHpXjuJF8wdov+9iY5FbWfubwsPB8DpOF3kKYOkKXJRelCICfKXNaQjoclYk9HMCNlglFlYO9KtgANqwdvpyvVQ==
next
end
# config vpn ipsec phase2-interface
edit "tunnel netdev"
set phase1name "tunnel netdev"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config system interface
edit "tunnel netdev"
set vdom "root"
set ip 1.1.2.1 255.255.255.255
set allowaccess ping https ssh http
set type tunnel
set remote-ip 1.1.1.1 255.255.255.255
set snmp-index 12
set interface "port1"
next
end
# config firewall policy
OSPF configuration on FortiGate dial-up client-1.
edit 1
set name "firewall1"
set uuid c65e873a-e916-51ea-8779-74634acc8726
set srcintf "port2"
set dstintf "tunnel netdev"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "firewall 2"
set uuid d49ab134-e916-51ea-73a0-6c544c6a7779
set srcintf "tunnel netdev"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
# config router ospf
FortiGate dial-up client-2.
set router-id 1.1.2.1
# config area
edit 0.0.0.0
next
end
# config ospf-interface
edit "tunnel1"
set interface "tunnel netdev"
set network-type point-to-point
next
end
# config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 1.1.2.1 255.255.255.255
next
edit 3
set prefix 40.40.40.0 255.255.255.0
next
end
# config redistribute "connected"
end
# config redistribute "static"
end
# config redistribute "rip"
end
# config redistribute "bgp"
end
# config redistribute "isis"
end
end
# config vpn ipsec phase1-interface
Firewall policy.
edit "tunnel netdev"
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set auto-discovery-sender enable
set auto-discovery-receiver enable
set auto-discovery-forwarder enable
set remote-gw 192.168.175.156
set psksecret ENC Wkb5Fvzp301Wr4ZUrR/V5QkeX/IGoEDBqbiQFPtxZgJ/qecI3PfCRXeUlaj1CREZIbBMqhyA9AKZN7o/peNpp+JdJ+7siUiJ/2kjZyarhlSjl+YSAhNoDV4LeRzfa6gfr20uMNr4MDWRQxjAbfE0M0WJZc0/w4/b70uiCDzEskl7amf6vVSLDhNLkoAzdg4gDt8tUg==
next
end
# config vpn ipsec phase2-interface
edit "tunnel netdev"
set phase1name "tunnel netdev"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config system interface
edit "tunnel netdev"
set vdom "root"
set ip 1.1.2.2 255.255.255.255
set allowaccess ping https ssh http
set type tunnel
set remote-ip 1.1.1.1 255.255.255.255
set snmp-index 12
set interface "port1"
next
end
# config firewall policy
OSPF configuration on FortiGate dial-up client-2.
edit 1
set name "firewall 1"
set uuid b7e234ec-e919-51ea-189d-109576fc3610
set srcintf "port1"
set dstintf "tunnel netdev"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "firewall 2"
set uuid c579f360-e919-51ea-3a1c-7e93acd5c09e
set srcintf "tunnel netdev"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
# config router ospf
Troubleshooting.
set router-id 1.1.2.2
# config area
edit 0.0.0.0
next
end
# config ospf-interface
edit "tunnel1"
set interface "tunnel netdev"
set network-type point-to-point
next
end
# config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 1.1.2.2 255.255.255.255
next
edit 3
set prefix 1.1.2.1 255.255.255.255
next
edit 4
set prefix 50.50.50.0 255.255.255.0
next
end
# config redistribute "connected"
end
# config redistribute "static"
end
# config redistribute "rip"
end
# config redistribute "bgp"
end
# config redistribute "isis"
end
end
DIALUP_SERVER # get router info ospf stat
Other commands that you can use to troubleshoot OSPF are the following:
Routing Process "ospf 0" with ID 1.1.1.1
Process is not up
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 1
Number of LSA received 23
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 4(4)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:10:26.870 ago
SPF algorithm executed 6 times
Number of LSA 3. Checksum 0x01cbd0
DIALUP_SERVER # get router info ospf neig
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
1.1.2.1 1 Full/ - 00:00:30 1.1.2.1 tunnel netdev_0
1.1.2.2 1 Full/ - 00:00:32 1.1.2.2 tunnel netdev_1
DIALUP_SERVER # get router info routing-table ospf
Routing table for VRF=0
O 1.1.1.0/24 [110/100] via tunnel netdev, 04:29:40
O 40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:12:29
O 50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 04:29:00
DIALUP_SERVER # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.175.2, port1
O 1.1.1.0/24 [110/100] via tunnel netdev, 00:02:28
C 1.1.1.1/32 is directly connected, tunnel netdev
is directly connected, tunnel netdev_0
is directly connected, tunnel netdev_1
C 1.1.2.0/24 is directly connected, tunnel netdev
C 1.1.2.1/32 is directly connected, tunnel netdev_0
C 1.1.2.2/32 is directly connected, tunnel netdev_1
C 30.30.30.0/24 is directly connected, port2
O 40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:02:03
O 50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 00:02:03
C 192.168.175.0/24 is directly connected, port1
# diag ip router ospf all enable
To stop the OSPF debugging:
# diag ip router ospf level info
# diag debug enable
# diag debug disable
To clear the OSPF process:
# diag ip router ospf all disable
# diag ip router ospf level none
# execute router clear ospf process