FortiGate
smayank, Staff
Article Id 412805
Description: This article describes how to configure a BGP neighborship between loopback interfaces over a site-to-site IPsec tunnel.
Scope: FortiGate.
Solution:

Topology:

[Diagram BGP Top.png: ISP1 (AS 100, loopback 172.16.1.1, port1 10.109.19.195) and ISP2 (AS 200, loopback 172.16.1.2, port1 10.109.19.199) are connected by the IPsec tunnel 'IPSEC'; the BGP session runs between the two loopbacks through the tunnel.]

Configuration on ISP1:

Loopback interface configuration:

config system interface
    edit "BGP-Loopback"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set ip-managed-by-fortiipam disable
    next
end

The 'snmp-index' line that appears in a running configuration is assigned by the unit and should not be copied between devices; it has been left out here.

 

VPN configuration:

Phase 1 configuration:

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set exchange-ip-addr4 172.16.1.1
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 20 21
        set transport udp
        set remote-gw 10.109.19.199
    next
end

 

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "IPSEC"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set comments "VPN: IPSEC -- Created by VPN wizard"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPSEC_local"
        set dst-name "IPSEC_remote"
    next
    edit "BGP"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set src-subnet 172.16.1.1 255.255.255.255
        set dst-subnet 172.16.1.2 255.255.255.255
    next
end

In this example there are two Phase 2 selectors: 'IPSEC' carries the sites' interesting traffic (the IPSEC_local and IPSEC_remote address objects), and 'BGP' carries the BGP session between the two loopbacks (172.16.1.1/32 to 172.16.1.2/32). The selectors must be mirrored on the peer, as in the ISP2 configuration further down. Alternatively, a single Phase 2 selector with both 'src-subnet' and 'dst-subnet' set to 0.0.0.0 0.0.0.0 matches all traffic; in that case the firewall policy, not the selector, decides what is actually allowed through the tunnel, so keep the policy as narrow as the one shown in the policy section.

 

BGP configuration:

 

config router bgp
    set as 100
    config neighbor
        edit "172.16.1.2"
            set capability-graceful-restart enable
            set remote-as 200
            set update-source "BGP-Loopback"
        next
    end
end

 

Policy configuration:

On both FortiGates, a firewall policy must allow BGP (the predefined 'BGP' service, TCP/179) arriving on the IPsec tunnel interface to reach the loopback interface. BGP packets that the FortiGate itself sends out through the tunnel are locally originated and do not need a policy. 'edit 0' lets the FortiGate assign the next free policy ID.

config firewall policy
    edit 0
        set name "Loopback"
        set srcintf "IPSEC"
        set dstintf "BGP-Loopback"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "BGP"
    next
end

 

Configuration on ISP2:

 

Loopback configuration:

 

config system interface
    edit "BGP-Loopback"
        set vdom "root"
        set ip 172.16.1.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
    next
end

 

VPN Configuration:

Phase 1 configuration:

 

config vpn ipsec phase1-interface
    edit "IPSEC"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set exchange-ip-addr4 172.16.1.2
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 20 21
        set transport udp
        set remote-gw 10.109.19.195
    next
end

 

Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "IPSEC"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set comments "VPN: IPSEC -- Created by VPN wizard"
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPSEC_local"
        set dst-name "IPSEC_remote"
    next
    edit "BGP"
        set phase1name "IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20 21
        set src-subnet 172.16.1.2 255.255.255.255
        set dst-subnet 172.16.1.1 255.255.255.255
    next
end

 

BGP configuration:

 

config router bgp
    set as 200
    config neighbor
        edit "172.16.1.1"
            set capability-graceful-restart enable
            set remote-as 100
            set update-source "BGP-Loopback"
        next
    end
end

 

'exchange-interface-ip' lets each FortiGate learn the IP address its IPsec peer uses on the tunnel overlay: the address is exchanged during IKE negotiation and a /32 route to it through the tunnel interface is installed automatically, so no static route to the remote loopback is required. This exchange is Fortinet-specific and only works between FortiGates. Refer to Technical Tip: How to use exchange-interface-IP in IPsec Tunnel.

 

'exchange-ip-addr4' explicitly sets the IPv4 address that is announced to the peer in place of the tunnel interface's own address. It can be any address, which is why it is usually set to the loopback IP in ADVPN and BGP-on-loopback designs: the peer then receives a route to that loopback through the tunnel, and BGP can be sourced from and peered with the loopbacks. The option only becomes available once 'exchange-interface-ip' is enabled, so enable that first.
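The cross-device invariants this article depends on (mirrored Phase 2 selectors or the 0.0.0.0 wildcard, 'exchange-ip-addr4' equal to the local loopback, a BGP neighbor keyed by the peer's loopback with the peer's AS, 'update-source' on the loopback) are easy to get wrong when the two sides are configured separately. The following Python script is an added example and is not part of this article or of FortiOS: it renders the article's configuration for each side from a small parameter table constructed from the values above, parses the FortiOS CLI text back, and reports any mismatch; it also lists the FortiOS commands to run on a unit afterwards to confirm the tunnel, the route to the peer loopback and the BGP session. The names parse_fortios, render_site, site_facts, check_pair and verify_commands are my own.

```python
"""Lint a FortiGate BGP-over-loopback-over-IPsec pair for symmetry (added
example, not Fortinet's code; parameters are constructed from the article)."""
import shlex

def parse_fortios(text):
    """Turn FortiOS 'config/edit/set/next/end' text into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0].lower(), words[1:]
        if kw in ("config", "edit"):                 # open a child block
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":                            # keep the value list
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):                  # close current block
            stack.pop()
    return root

def render_site(p):
    """Emit the article's CLI for one side (crypto and policy lines omitted)."""
    return f'''config system interface
    edit "{p["loopback"]}"
        set ip {p["lo_ip"]} 255.255.255.255
        set type loopback
    next
end
config vpn ipsec phase1-interface
    edit "{p["tunnel"]}"
        set exchange-interface-ip enable
        set exchange-ip-addr4 {p["exchange_ip"]}
    next
end
config vpn ipsec phase2-interface
    edit "BGP"
        set phase1name "{p["tunnel"]}"
        set src-subnet {p["lo_ip"]} 255.255.255.255
        set dst-subnet {p["peer_lo_ip"]} 255.255.255.255
    next
end
config router bgp
    set as {p["asn"]}
    config neighbor
        edit "{p["peer_lo_ip"]}"
            set remote-as {p["peer_asn"]}
            set update-source "{p["loopback"]}"
        next
    end
end
'''

def site_facts(text):
    """Pull out the fields the pairing check compares."""
    cfg = parse_fortios(text)
    lo_name, lo = next((n, i) for n, i in cfg["system interface"].items()
                       if i.get("type") == ["loopback"])
    ph1 = next(iter(cfg["vpn ipsec phase1-interface"].values()))
    ph2, bgp = cfg["vpn ipsec phase2-interface"]["BGP"], cfg["router bgp"]
    return dict(lo_name=lo_name, lo_ip=lo["ip"][0], asn=bgp["as"][0],
                exchange_on=ph1.get("exchange-interface-ip") == ["enable"],
                exchange_ip=ph1.get("exchange-ip-addr4", [None])[0],
                src=ph2["src-subnet"][0], dst=ph2["dst-subnet"][0],
                neighbors=bgp.get("neighbor", {}))

def check_pair(text_a, text_b):
    """Return findings for a pair of configs; an empty list means they agree."""
    a, b = site_facts(text_a), site_facts(text_b)
    out = []
    for tag, me, peer in (("A", a, b), ("B", b, a)):
        # The peer installs a route to the announced address, so it must be the loopback
        if not me["exchange_on"] or me["exchange_ip"] != me["lo_ip"]:
            out.append(f"{tag}: exchange-interface-ip must be enabled and exchange-ip-addr4 must be loopback {me['lo_ip']} (got {me['exchange_ip']})")
        # Phase 2 'BGP' selectors: the loopback pair, or the 0.0.0.0 wildcard
        if me["src"] not in ("0.0.0.0", me["lo_ip"]) or me["dst"] not in ("0.0.0.0", peer["lo_ip"]):
            out.append(f"{tag}: selectors {me['src']}->{me['dst']} miss {me['lo_ip']}->{peer['lo_ip']}")
        nbr = me["neighbors"].get(peer["lo_ip"], {})   # keyed by peer loopback
        if nbr.get("remote-as") != [peer["asn"]]:
            out.append(f"{tag}: neighbor {peer['lo_ip']} remote-as {nbr.get('remote-as')} != {peer['asn']}")
        if nbr.get("update-source") != [me["lo_name"]]:
            out.append(f"{tag}: neighbor {peer['lo_ip']} update-source must be {me['lo_name']}")
    return out

# Constructed from the article: ISP1 is AS 100 with 172.16.1.1, ISP2 is AS 200 with 172.16.1.2.
ISP1 = dict(loopback="BGP-Loopback", tunnel="IPSEC", lo_ip="172.16.1.1",
            peer_lo_ip="172.16.1.2", exchange_ip="172.16.1.1", asn="100", peer_asn="200")
ISP2 = dict(ISP1, lo_ip="172.16.1.2", peer_lo_ip="172.16.1.1",
            exchange_ip="172.16.1.2", asn="200", peer_asn="100")

def verify_commands(peer_lo_ip, tunnel="IPSEC"):
    """FortiOS CLI checks to run on a unit once its pair lints clean."""
    return [f"diagnose vpn tunnel list name {tunnel}",
            f"get router info routing-table details {peer_lo_ip}",
            f"get router info bgp neighbors {peer_lo_ip}",
            f"diagnose sniffer packet any 'host {peer_lo_ip} and port 179' 4"]

if __name__ == "__main__":
    print("\n".join(check_pair(render_site(ISP1), render_site(ISP2))) or "pair is consistent")
    print("\n".join(verify_commands(ISP1["peer_lo_ip"])))
```

Run as-is it reports the article's pair as consistent and prints the checks for ISP1; replace exchange_ip on one side with that unit's port1 address (a common mistake, since the tunnel interface itself has no address here) and a finding appears for that side. The routing-table check should show the peer loopback /32 reachable through the tunnel interface before the BGP session is expected to leave Active/Connect.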