Zeihold_von_SSL
New Contributor

OSPF route announcing via DialUp VPN

Hello everybody, I have a problem and I can't get a proper solution. As you can see in the picture we have at least one FGT200B cluster in our headquarters (static ipv4 and ipv6 address) and two satellite boxes (FWF60C) which are behind a nat router/device. Due to the fact that the satellite boxes are behind a nat device, I can't use "Static IP Address" nor "Dynamic DNS" for IPSec VPN configuration. So I ended up using "Dial up" vpn for setting up the site to site tunnel.

But using "dial up vpn" has a big downside: There is one static interface (the ipsec interface created during vpn setup) and many dynamic interfaces named <vpn_interface_name>_n (where _n is the number of connected clients). This is okay if you have multiple ipsec clients and one ipsec server. But I want to connect two fortigate units.

The real problem is that I can't get ospf running in this configuration. I don't know if there is a way to get ospf running in this scenario. I didn't find one until now. But maybe one of you has an idea how I can get this setup up and running (route announcing with ospf over a dial up ipsec tunnel).

Regards Rene ---

FCNSA.v5, FCNSP.v5, FCESP

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

Zeihold_von_SSL
New Contributor

Yesterday I found a link to a document from Fortinet China which describes exactly what I need: [strike]http://support.fortinet.c.../document/120607_1.pdf[/strike]

 

http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=19&id=45

I will try to set up this scenario as described and report back. :)

Regards Rene ---

FCNSA.v5, FCNSP.v5, FCESP

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

Zeihold_von_SSL
New Contributor

This setup works perfectly! Solved my problem and I am very happy now. Thank you Fortinet. :) The only thing that doesn't work is "text" authentication. This ends up in a communication error between both sides. I'll open up a support ticket and inform my Fortinet partner.

Regards Rene ---

FCNSA.v5, FCNSP.v5, FCESP

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

jgauthier
New Contributor

Hi René, I'm facing the same issue here... would it be possible for you to send me that document? The site that had it seems unreachable. Thanks JF
journeyman

JF, we do ospf over ipsec via nat. Our nat outside address is static, not obvious in the original example.

FGT1 -- wan -- nat -- FGT2

We use ipsec interface mode, not dialup. Happy to provide more details if this is the problem you're solving?
Zeihold_von_SSL
New Contributor

Hi JF, you can download the file from my blog. The URL is: https://itausleidenschaft.files.wordpress.com/2014/01/120607_1.pdf Luckily I cached it...

But there is a new issue I ran into today. If you upgrade (on one box out of two) to FortiOS 5.2 the ospf adjacencies fail to form. The reason for this is a mismatched MTU between FortiGate units running different FortiOS versions. This is noted in the release notes of 5.2.0 (p19; OSPF MTU Mismatch). But despite that setting I am unable to get OSPF through IPsec up and running (again). I tried different MTU sizes (576, 1450, 1500, ...) without any luck. Maybe someone else has an idea what is wrong...

Best regards René

EDIT: The solution to the mtu problem is that you have to look up the MTU size with "get router info ospf interface" on the device which is still running OS5.0. But I have noticed one odd thing, it seems that the mtu size does not only vary between OS versions of FortiOS but also between FGT/FWF models. I looked into the output of "get router info ospf interface" and saw two different mtu sizes (one for a FWF60C (1428) and one for a FWF60D (1436)). But maybe I am wrong for some reason. I don't know. After I set the mtu size on the upgraded box (which is now running OS5.2.0) it started working again.

Regards Rene ---

FCNSA.v5, FCNSP.v5, FCESP

Home: FWF60D FortiAP 220B Office: FWF60C, FWF60D, FGT110C, FGT200B, FortiManager, FortiAnalyzer, FortiAP 220B

inmylab


Hi, would you still happen to have that document? I'm trying to set that up as well. Your link is not working. Thanks

one4spl

Also keen to get this file. Sounds perfect for me.
