Description
This article describes how to establish multiple OSPF neighbors on a single IPsec dial-up tunnel (net-device disable).
The setup includes a single hub with several spoke locations, each using a static IP address on its tunnel interface.
When upgrading from a FortiOS version which does not have the 'net-device' setting, 'set net-device enable' is added to all dial-up phase1 entries.
This is done to retain the former dialup behavior of creating a dynamic interface for each dialer.
However, for stability reasons, it is strongly recommended to switch to using the new dialup behavior with 'set net-device disable'.
Solution
Settings.
              | Hub                   | Spoke 1                 | Spoke 2                 |
Port2 (WAN)   | 172.19.19.1/24        | 172.19.19.2/24          | 172.19.19.3/24          |
Port3 (LAN)   | 10.40.40.1/24         | 10.41.41.1/24           | 10.42.42.1/24           |
Tunnel        | HQ: 172.30.65.1/32    | BR-1: 172.30.65.2/32    | BR-1: 172.30.65.3/32    |
Hub Configuration.
Hub – IPSec VPN configuration:
# config vpn ipsec phase1-interface
    edit "HQ"
        set type dynamic
        set interface "port2"
        set mode aggressive
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set tunnel-search nexthop
        set psksecret ENC cV4mkWIvFFBKsmO6dt4WGZu6gykqo19Q9pcrox0S3qv79M9h19hMStFKYP94cjV/QUmUEU2oNhxc5wnp0rhZNvjYNWBskF2L8naw0/a9Z747gvsiPYndgYZcMA8D2i+3FQbnFjgsrutKg1bBfUpHPa996AvVqDTn1BCCMD+J9N3ceNwEGLPGizELlvUYpJva+owZxw==
        set dpd-retryinterval 60
    next
end
# config vpn ipsec phase2-interface
    edit "HQ"
        set phase1name "HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"
    next
end
# config system interface
    edit "HQ"
        set vdom "root"
        set ip 172.30.65.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.30.65.254 255.255.255.0
        set interface "port2"
    next
end
Hub – Firewall Policy configuration:
# config firewall policy
    edit 0
        set name "VPN_To_LAN"
        set srcintf "HQ"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "LAN_To_VPN"
        set srcintf "port3"
        set dstintf "HQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Hub – OSPF configuration:
# config router ospf
    set router-id 172.30.65.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "HQ"
            set interface "HQ"
            set mtu-ignore enable
            set network-type point-to-multipoint
        next
    end
    config network
        edit 0
            set prefix 172.30.65.0 255.255.255.0
        next
        edit 0
            set prefix 10.40.40.0 255.255.255.0
        next
    end
end
Spoke Configuration.
Spoke – IPSec VPN configuration:
# config vpn ipsec phase1-interface
    edit "BR-1"
        set interface "port2"
        set mode aggressive
        set peertype any
        set exchange-interface-ip enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.19.19.1
        set psksecret ENC ePO47+mKAtKZSljiMs/2GTRCIc6GSa5xXjworVcP9oAKVVEJWLyjEBmN5p+oDM+SiJYePQ7OmC1yI+qSPJeV8u579aOjzTrYOLhX3wbgE58eqpEaKbWtCl0j036KncqxIXJracMDw+ZrhPQkQwA/kDkVFqqGAnpwEEOOPy4NGhftAg5OpxodBbEDFy20YrIjztd06Q==
    next
end
# config vpn ipsec phase2-interface
    edit "BR-1"
        set phase1name "BR-1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set auto-negotiate enable
    next
end
# config system interface
    edit "BR-1"
        set vdom "root"
        set ip 172.30.65.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.30.65.1 255.255.255.0
        set interface "port2"
    next
end
Spoke – Firewall Policy configuration:
# config firewall policy
    edit 0
        set name "VPN_To_LAN"
        set srcintf "BR-1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "LAN_To_VPN"
        set srcintf "port3"
        set dstintf "BR-1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Spoke – OSPF configuration:
# config router ospf
    set router-id 172.30.65.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "BR-1"
            set interface "BR-1"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 172.30.65.0 255.255.255.0
        next
        edit 2
            set prefix 10.41.41.0 255.255.255.0
        next
    end
end
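As an added example (not part of the Fortinet article), the following Python script checks the address plan this design depends on and renders the spoke-side 'config router ospf' block for any number of spokes; HUB and SPOKES are constructed from the table above, and the helper names are assumptions of this example.

```python
import ipaddress

# Constructed address plan copied from the article's table (assumed values for this
# example). Each spoke names its own tunnel "BR-1" locally, as in the article.
HUB = {"tunnel": "172.30.65.1", "remote_ip": "172.30.65.254/24", "lan": "10.40.40.0/24"}
SPOKES = [{"name": "BR-1", "tunnel": "172.30.65.2", "lan": "10.41.41.0/24"},
          {"name": "BR-1", "tunnel": "172.30.65.3", "lan": "10.42.42.0/24"}]

def validate_plan(hub, spokes):
    """Return the addressing mistakes that break this design (empty list means OK).

    With net-device disable every spoke lands on the hub's single tunnel interface,
    so each tunnel address must be a unique /32 inside the hub's remote-ip subnet
    (it doubles as the OSPF router-id) and the LANs in area 0 must not overlap."""
    problems = []
    tunnel_net = ipaddress.ip_interface(hub["remote_ip"]).network
    tunnel_ips = [hub["tunnel"]] + [s["tunnel"] for s in spokes]
    for ip in tunnel_ips:
        if tunnel_ips.count(ip) > 1:
            problems.append(f"tunnel IP / router-id {ip} is used more than once")
        if ipaddress.ip_address(ip) not in tunnel_net:
            problems.append(f"tunnel IP {ip} is outside {tunnel_net}")
    lans = [ipaddress.ip_network(n) for n in [hub["lan"]] + [s["lan"] for s in spokes]]
    for i, a in enumerate(lans):
        for b in lans[i + 1:]:
            if a.overlaps(b):
                problems.append(f"LAN {a} overlaps LAN {b}")
    return sorted(set(problems))

def spoke_ospf_config(spoke, hub):
    """Render one spoke's 'config router ospf' block in the article's layout."""
    tunnel_net = ipaddress.ip_interface(hub["remote_ip"]).network
    lan = ipaddress.ip_network(spoke["lan"])
    name = spoke["name"]
    return "\n".join([
        "config router ospf",
        f"    set router-id {spoke['tunnel']}",  # router-id is the spoke's tunnel /32
        "    config area", "        edit 0.0.0.0", "        next", "    end",
        "    config ospf-interface",
        f'        edit "{name}"', f'            set interface "{name}"',
        "            set mtu-ignore enable",
        "            set network-type point-to-point",  # hub side uses point-to-multipoint
        "        next", "    end",
        "    config network",
        "        edit 1", f"            set prefix {tunnel_net.network_address} {tunnel_net.netmask}", "        next",
        "        edit 2", f"            set prefix {lan.network_address} {lan.netmask}", "        next",
        "    end", "end"])
```

For the article's plan, validate_plan(HUB, SPOKES) returns an empty list; a spoke reusing 172.30.65.2 or placed outside 172.30.65.0/24 is reported before any configuration is pushed.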
Results.
HUB:
Note.
Setting 'tunnel-search nexthop' on the dial-up VPN configuration is necessary when using dynamic routing with net-device disable, otherwise routing issues will occur.
Results when 'tunnel-search nexthop' is not implemented:
Related Articles.
Technical Tip: 'set net-device' new route-based IPsec logic
Technical Tip: Setting up 2 OSPF neighbors on Single dial-up IPsec tunnel
Technical Tip: Dynamic dial-up VPN with OSPF
Copyright 2024 Fortinet, Inc. All Rights Reserved.