ferryblu3
New Contributor

Route Branch FGT to BGP via Site to Site VPN

Topology.png

 

Hi all, I have some questions regarding routing in FortiGate here. I have attached the topology for better understanding. I only have control of the ID FortiGate and cannot see the configuration on Azure WAN or the other Head Offices. The current condition is in the green box: all Head Office FortiGates have an IPsec tunnel to Azure WAN, and I think Azure WAN is responsible for the BGP routing to all the other Head Offices. From ID Head Office, I can connect to TH Head Office and JP Head Office. Everything is working well.

 

So, I have a new Branch office in ID. I can create the site-to-site VPN between ID Head Office and ID Branch, but the problem is connecting the ID Branch to TH Head Office or JP Head Office via ID Head Office. Has anyone ever had this kind of configuration and can give me suggestions on how to configure it?

 

Thank you.


4 Replies
Toshi_Esumi
SuperUser

You need to understand the BGP topology with the AS number on each FGT. It's under "config router bgp" in the CLI, especially inside "config neighbor". It would look like below:

config router bgp
  set as 65070
  set router-id 192.168.199.253
  config neighbor
    edit "10.x.x.253"
      set shutdown enable
      set soft-reconfiguration enable
      set remote-as 65528
      set route-map-out "Announce-Primary"
      set send-community standard
    next
    edit "10.x.x.121"
      set soft-reconfiguration enable
      set remote-as 65528
      set route-map-out "Announce-Office"
      set send-community standard
    next
  end
  config redistribute "connected"
    set status enable
  end
  <snip>

Share this part of the config with us after masking some sensitive info.
Above is my home 40F's BGP config. It has two neighbors configured, but one of them is "shutdown", so only the second neighbor is active. The neighbor is connected over an IPsec tunnel, and 10.x.x.121 is configured on the neighbor FGT's IPsec interface. It's getting routes from AS=65528 over eBGP (because its own AS is 65070).

 

Toshi

Toshi_Esumi
SuperUser

And if you know TH Head Office subnet, say x.x.x.0/24, you can try "get router info bgp network x.x.x.0/24", just like below:

fg40f-utm (root) # get router info bgp network 10.0.94.0/24
VRF 0 BGP routing table entry for 10.0.94.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  65528 yyyyy
    10.x.x.121 from 10.x.x.121 (z.z.z.z)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Fri Sep 20 22:37:13 2024

The important info in the above output is the AS list. It's showing that 10.0.94.0/24 was originally advertised from AS=yyyy. Then AS=yyyy re-advertised it to AS=65528. Then my 40F got it from the neighbor 65528.

Toshi
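To make the AS-path reading above repeatable, here is an added example (not Toshi's code and not a FortiOS feature) that parses the "get router info bgp network" output quoted in the reply and pulls out the prefix, AS path, originating AS, next hop and path flags. The sample text is the masked output from the reply itself; the "% Network not in table" string for a prefix that is absent from the BGP table is an assumption about FortiOS wording, handled here by returning None.

```python
import re
from dataclasses import dataclass

# Assumed FortiOS response when the prefix is absent from the BGP table.
NOT_IN_TABLE = "% Network not in table"

# Output captured in the reply above (peer IP and router ID masked by its author).
SAMPLE = """\
VRF 0 BGP routing table entry for 10.0.94.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  65528 yyyyy
    10.x.x.121 from 10.x.x.121 (z.z.z.z)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Fri Sep 20 22:37:13 2024
"""


@dataclass
class BgpPath:
    as_path: list      # left = neighbor we heard it from, right = originating AS
    next_hop: str
    peer: str
    router_id: str
    origin: str
    metric: int
    localpref: int
    flags: list        # e.g. ["valid", "external", "best"]


@dataclass
class BgpEntry:
    vrf: int
    prefix: str
    paths: list


_ENTRY = re.compile(r"VRF (\d+) BGP routing table entry for (\S+)")
_FROM = re.compile(r"^\s*(\S+) from (\S+) \((\S+)\)")
_ATTR = re.compile(r"Origin (\w+) metric (\d+), localpref (\d+), (.*)")


def parse_bgp_network(text):
    """Parse one 'get router info bgp network <prefix>' output; None if the prefix is not in the table."""
    if NOT_IN_TABLE in text:
        return None
    entry = None
    prev = ""           # the AS path is printed on the line just above "X from Y (rid)"
    pending = None
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            entry = BgpEntry(int(m.group(1)), m.group(2), [])
            prev = ""
            continue
        m = _FROM.match(line)
        if m and entry is not None:
            pending = {"as_path": prev.split(), "next_hop": m.group(1),
                       "peer": m.group(2), "router_id": m.group(3)}
        m = _ATTR.search(line)
        if m and pending is not None:
            entry.paths.append(BgpPath(
                as_path=pending["as_path"], next_hop=pending["next_hop"],
                peer=pending["peer"], router_id=pending["router_id"],
                origin=m.group(1), metric=int(m.group(2)), localpref=int(m.group(3)),
                flags=[f.strip() for f in m.group(4).split(",")]))
            pending = None
        prev = line.strip()
    return entry


def best_path(entry):
    """The path the FGT actually installs (flagged 'best'), or None."""
    return next((p for p in entry.paths if "best" in p.flags), None)


def origin_as(path):
    """Right-most AS in the path: who originally advertised the prefix."""
    return path.as_path[-1] if path.as_path else None


def learned_via_ebgp(path):
    return "external" in path.flags


if __name__ == "__main__":
    e = parse_bgp_network(SAMPLE)
    p = best_path(e)
    print(e.prefix, "via", p.next_hop, "path", " ".join(p.as_path), "origin AS", origin_as(p))
```

Running the script against the quoted output gives the same reading as the reply: the prefix originates at the masked AS, is re-advertised by 65528, and is learned over eBGP from 10.x.x.121. Point it at the output for the TH or JP Head Office subnet on the branch FGT to confirm the route is really learned over the tunnel rather than falling back to a static or default route.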

ferryblu3
New Contributor

Hi Toshi,

 

Thanks for your reply here. The thing is, from what I know and was told, the BGP is already set up to connect automatically if there is a new branch in any country.

 

I already solved this case. I just needed to add some networks, like the loopback interface, the BGP peer address, and the destination that I want to access, to the site-to-site VPN between head office and branch. The thing is, I don't know why, when I try to trace route, there is an IP of 10.10.10.1 which I don't know what it is. This IP appears after the FortiGate local IP. This IP looks like the default IP of the DMZ in FortiGate. When I change the DMZ IP to something else, like 10.10.20.1, the tunnel suddenly works fine. I don't see this IP anywhere in the branch network or head office network other than the DMZ interface, that's why I'm still a bit confused about this. But, since the connection is established and the users can connect to the other country's server, for now, it's fine.

 

Thank you.

Toshi_Esumi
SuperUser

What AS did you configure at the ID branch FGT? Same as the ID Head Office FGT?
You'd better figure out the AS scheme first, before you need to add another office to the mix. If you add another ID branch cascading from the current branch with the same AS, it wouldn't work, because an iBGP-learned (same AS) route wouldn't be advertised to another iBGP neighbor.

You seem to have some routing issues from the ID branch through the AWS. Check what's in the routing table with "get router info routing-table all" at the branch FGT, then run a "tracert" from your machine at the branch while the DMZ interface has the original IP.
If the FGT has learned the destination IP over BGP over IPsec, you should have the route for the destination in the routing table, with the next hop/gateway being the ID Head Office FGT.

Toshi
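The "config router bgp" snippet in Toshi's first reply and the iBGP caveat in this one can be checked mechanically. The following added example (my own code, not part of the thread and not a FortiOS tool) parses a FortiOS BGP config block, labels each neighbor eBGP or iBGP by comparing its remote-as with the local AS, and warns when a device has two or more active iBGP neighbors and none of them is marked route-reflector-client, which is exactly the cascaded same-AS branch case that would not propagate routes. The first sample is the masked 40F config from the thread; the second is a constructed, hypothetical cascaded-branch config (AS 65001 and the 10.255.x.x addresses are made up) that triggers the warning.

```python
# BGP config posted in the thread above (peer addresses masked by its author).
HOME_40F = """\
config router bgp
  set as 65070
  set router-id 192.168.199.253
  config neighbor
    edit "10.x.x.253"
      set shutdown enable
      set soft-reconfiguration enable
      set remote-as 65528
      set route-map-out "Announce-Primary"
      set send-community standard
    next
    edit "10.x.x.121"
      set soft-reconfiguration enable
      set remote-as 65528
      set route-map-out "Announce-Office"
      set send-community standard
    next
  end
  config redistribute "connected"
    set status enable
  end
  <snip>
"""

# Constructed, hypothetical config: a branch that reuses its head office's AS
# and peers with both the head office and a second cascaded branch (all iBGP).
CASCADED_BRANCH = """\
config router bgp
  set as 65001
  set router-id 10.255.0.2
  config neighbor
    edit "10.255.1.1"
      set remote-as 65001
    next
    edit "10.255.2.1"
      set remote-as 65001
    next
  end
end
"""


def parse_bgp(text):
    """Return (local_as, neighbors); neighbors maps peer IP -> settings we care about."""
    local_as = None
    neighbors = {}
    scopes = []                      # stack of "config ..." scopes
    current = None                   # neighbor currently being edited
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):   # skip blanks and the poster's <snip>
            continue
        words = line.split()
        kw, rest = words[0], " ".join(words[1:]).strip('"')
        scope = scopes[-1] if scopes else ""
        if kw == "config":
            scopes.append(rest)
        elif kw == "edit":
            current = rest
            if scope == "neighbor":
                neighbors[current] = {"shutdown": False, "remote_as": None, "rr_client": False}
        elif kw == "next":
            current = None
        elif kw == "end":
            if scopes:
                scopes.pop()
        elif kw == "set":
            key, value = words[1], " ".join(words[2:]).strip('"')
            if scope == "neighbor" and current is not None:
                if key == "shutdown":
                    neighbors[current]["shutdown"] = value == "enable"
                elif key == "remote-as":
                    neighbors[current]["remote_as"] = int(value)
                elif key == "route-reflector-client":
                    neighbors[current]["rr_client"] = value == "enable"
            elif scope == "router bgp" and key == "as":
                local_as = int(value)
    return local_as, neighbors


def classify(local_as, neighbors):
    """peer IP -> ("eBGP" | "iBGP", active)"""
    return {peer: ("iBGP" if n["remote_as"] == local_as else "eBGP", not n["shutdown"])
            for peer, n in neighbors.items()}


def ibgp_propagation_warnings(local_as, neighbors):
    """Flag the case Toshi describes: routes from one iBGP peer are not re-sent to another."""
    active_ibgp = [p for p, n in neighbors.items()
                   if not n["shutdown"] and n["remote_as"] == local_as]
    reflecting = any(neighbors[p]["rr_client"] for p in active_ibgp)
    if len(active_ibgp) >= 2 and not reflecting:
        return [f"AS {local_as}: {len(active_ibgp)} active iBGP neighbors ({', '.join(active_ibgp)}) "
                "and no route-reflector-client; routes learned from one will not reach the other"]
    return []


if __name__ == "__main__":
    for name, cfg in (("home 40F", HOME_40F), ("cascaded branch", CASCADED_BRANCH)):
        local_as, nbrs = parse_bgp(cfg)
        print(name, local_as, classify(local_as, nbrs), ibgp_propagation_warnings(local_as, nbrs))
```

The 40F config yields two eBGP neighbors in AS 65528, one shut down, and no warning; the constructed branch config yields two active iBGP neighbors and the warning. Paste the "show router bgp" output from the ID Head Office and ID Branch FGTs into the same parser to see which AS scheme you actually have before adding another site.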
