Fortinet Forum
chambersb7
New Contributor

Redistribute Interface IP in OSPF

So here's my conundrum. I have 3 sites, all with a private fiber connection to our network provider's datacenter, where they carved off a VDOM just for us to use. We run OSPF on a VLAN between the 4 sites (network provider datacenter and 3 locations). I had a failover event this weekend where the circuit failed at the main site and it started running through the secondary site.

Everything was fine except for the traffic to the firewall itself, which means nobody was able to auth to the SSL VPN at the main site because the core switch at our main site saw the /24 as a connected VLAN and didn't have any way to hit the FortiGate IP directly anymore. My thought is: why can't I redistribute a /32 for the FortiGate LAN IP through OSPF to make sure that fails over automatically? But I can't find anything on that anywhere.

I did see about redistributing a loopback through OSPF, but I can't get the SSLVPN auth to originate from a loopback interface as far as I can tell. So if anyone can tell me a way to redistribute that /32 interface IP, or if there's another way to get this working otherwise, I would greatly appreciate it.

Thank you very much.

lobstercreed
Valued Contributor

You absolutely can use a loopback for the SSL-VPN. Not sure I follow how it solves all this, but I know that can be done because I do it to solve multi-homed internet connections. I use an IP from my BGP-advertised space and created a VIP to point to the loopback interface where the SSL-VPN is listening.

chambersb7

So let me just make sure I'm understanding your setup.

You have a VIP for a public IP, let's just say it's 1.1.1.1, pointing to an internal loopback interface like 172.16.1.1, and then your LDAP/RADIUS or other auth server sees the SSLVPN traffic and SSLVPN auth traffic originating from 172.16.1.1?

lobstercreed

Ah, no, my auth originates from my management IP, but I believe you can set it to originate from the IP of another interface by using the command set source-ip in your RADIUS config.

Here is an article about that:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36127

And here is one that may help if you're using LDAP (I'm not familiar with using that for VPN):

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38942

chambersb7

The second link was the one that I needed. It took me a couple of days to get a maintenance window, but I was able to go in last night and create a loopback interface, redistribute that interface's IP through OSPF, and then use the second link you gave me to set it as the source IP for LDAP. I was able to test it with failover and it worked like a charm.

Thank you for all the help.
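The setup chambersb7 ends up with (a loopback advertised into OSPF and used as the LDAP source address), written out as an added FortiOS CLI example; it is not configuration from the thread or from the linked Fortinet articles, and the interface name, addresses, router-id, LDAP server and DN are assumed placeholders:

```fortios
# Constructed example values: loopback 172.16.1.1/32, OSPF transit VLAN
# 10.10.10.0/24, router-id 10.10.10.1, LDAP server 10.20.30.40.

# 1. Loopback interface: it has no physical link, so a circuit failure
#    at the main site never takes the address itself down.
config system interface
    edit "lo-auth"
        set vdom "root"
        set type loopback
        set ip 172.16.1.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Advertise the loopback /32 into OSPF next to the transit VLAN, so the
#    core switches learn a route to it over whichever site link is still up.
#    (Alternative: "config redistribute connected" with "set status enable".)
config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 172.16.1.1 255.255.255.255
            set area 0.0.0.0
        next
    end
end

# 3. Source LDAP lookups from the loopback, so the auth server's replies
#    follow the OSPF-learned /32 instead of the LAN IP that the core switch
#    treats as a directly connected /24 during failover.
config user ldap
    edit "corp-ldap"
        set server "10.20.30.40"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set source-ip 172.16.1.1
    next
end
```

`config user radius` accepts the same `set source-ip` setting if the VPN authenticates against RADIUS instead. Keep `allowaccess` on the loopback to the minimum needed, since the /32 becomes reachable from every OSPF-connected site.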