Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ferryblu3
Route Branch FGT to BGP via Site to Site VPN

[Attachment: Topology.png]

Hi all, I have some questions regarding the routing in FortiGate here. I have attached the topology here for better understanding. I only have control of the ID FortiGate and cannot see the configuration on Azure WAN and the other Head Offices. The current condition is in the green box: all Head Office FortiGates have IPsec tunnels to Azure WAN, and I think the Azure WAN is responsible for the BGP routing to all other Head Offices. From ID Head Office, I can connect to TH Head Office and JP Head Office. Everything is working well.

So, I have a new Branch office in ID. I can create the site-to-site VPN between ID Head Office and ID Branch, but the problem here is connecting the ID Branch to TH Head Office or JP Head Office via ID Head Office. Does anyone have this kind of configuration and can give me suggestions about how to configure it?

Thank you.

Toshi_Esumi
SuperUser

You need to understand the BGP topology with AS number on each FGT. It's under "config router bgp" in CLI. Especially inside of "config neighbor". It would look like below:

config router bgp
  set as 65070
  set router-id 192.168.199.253
  config neighbor
    edit "10.x.x.253"
      set shutdown enable
      set soft-reconfiguration enable
      set remote-as 65528
      set route-map-out "Announce-Primary"
      set send-community standard
    next
    edit "10.x.x.121"
      set soft-reconfiguration enable
      set remote-as 65528
      set route-map-out "Announce-Office"
      set send-community standard
    next
  end
  config redistribute "connected"
    set status enable
  end
  <snip>

Share this part of the config with us after masking some sensitive info.
Above is my home 40F's BGP config. It has two neighbors configured but one of them is "shutdown", so only the second neighbor is active. The neighbor is connected over IPsec, and 10.x.x.121 is configured on the neighbor FGT's IPsec interface. It's getting routes from AS=65528 over eBGP (because its own AS is 65070).

Toshi

Toshi_Esumi
SuperUser

And if you know TH Head Office subnet, say x.x.x.0/24, you can try "get router info bgp network x.x.x.0/24", just like below:

fg40f-utm (root) # get router info bgp network 10.0.94.0/24
VRF 0 BGP routing table entry for 10.0.94.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  65528 yyyyy
    10.x.x.121 from 10.x.x.121 (z.z.z.z)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Fri Sep 20 22:37:13 2024

The important info in the above output is the AS list. It shows that 10.0.94.0/24 was originally advertised from AS=yyyy. Then AS=yyyy re-advertised it to AS=65528. Then my 40F got it from the neighbor 65528.

Toshi
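As an added example (not from the poster or from Fortinet), a small parser for the "get router info bgp network" output shown above, which pulls out each path's AS list, next hop and attribute flags and reads the origin AS as the rightmost AS in the list. The sample text is constructed to match the output format; the AS numbers 65010/65020 and the 10.1.1.x addresses are made-up values standing in for the masked ones.

```python
import re

# Constructed sample, shaped like the quoted FortiGate output; masked values
# replaced with made-up AS numbers and addresses. Two paths, one marked best.
SAMPLE = """\
fg40f-utm (root) # get router info bgp network 10.0.94.0/24
VRF 0 BGP routing table entry for 10.0.94.0/24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  65528 65010
    10.1.1.121 from 10.1.1.121 (192.168.199.1)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Fri Sep 20 22:37:13 2024
  65528 65020 65010
    10.1.1.253 from 10.1.1.253 (192.168.199.2)
      Origin incomplete metric 0, localpref 100, valid, external
      Last update: Fri Sep 20 22:37:15 2024
"""

_PATH_RE = re.compile(r"^\s*(\d+(?:\s+\d+)*)\s*$")   # a line of AS numbers only
_HOP_RE = re.compile(r"^\s*(\S+) from (\S+) \((\S+)\)")  # next-hop from peer (router-id)


def parse_bgp_network(text):
    """Return (prefix, paths); each path is a dict with as_path, next_hop,
    peer, router_id and the 'best' / 'external' flags from the attribute line."""
    prefix, paths, cur = None, [], None
    for line in text.splitlines():
        m = re.search(r"routing table entry for (\S+)", line)
        if m:
            prefix = m.group(1)
            continue
        m = _PATH_RE.match(line)
        if m:  # a new path starts with its AS list
            cur = {"as_path": [int(a) for a in m.group(1).split()]}
            paths.append(cur)
            continue
        if cur is None:
            continue
        m = _HOP_RE.match(line)
        if m:
            cur["next_hop"], cur["peer"], cur["router_id"] = m.groups()
        elif line.lstrip().startswith("Origin"):
            flags = [f.strip() for f in line.split(",")]
            cur["best"] = "best" in flags
            cur["external"] = "external" in flags
    return prefix, paths


def origin_as(path):
    """Rightmost AS in the path is the one that originated the prefix."""
    return path["as_path"][-1]


def best_path(paths):
    """The path FortiGate selected ('best' in its attribute line)."""
    return next(p for p in paths if p.get("best"))
```

Feed the function the text captured from the CLI; the prompt line and the "Paths:" header are skipped because they are not pure AS lists.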
