Hi all, I have some questions regarding routing in FortiGate. I have attached the topology for better understanding. I only have control of the ID FortiGate and cannot see the configuration on Azure WAN and the other Head Offices. The current condition is in the green box: all Head Office FortiGates have an IPsec tunnel to Azure WAN, and I think Azure WAN is responsible for the BGP routing to all other Head Offices. From ID Head Office, I can connect to TH Head Office and JP Head Office. Everything is working well.
So, I have a new branch office in ID. I can create the site-to-site VPN between ID Head Office and ID Branch, but the problem is connecting the ID Branch to TH Head Office or JP Head Office via ID Head Office. Has anyone ever had this kind of configuration and can give me suggestions about how to configure it?
Thank you.
Hi Toshi,
Thanks for your reply. The thing is, from what I know and was told, BGP is already set up to automatically connect if there is a new branch in any country.
I already solved this case; I just needed to add some networks, like the loopback interface, the BGP peer address, and the destination I want to access, in the site-to-site VPN between head office and branch. The thing is, I don't know why, when I run a traceroute, there is an IP of 10.10.10.1 which I don't recognize. This IP appears after the FortiGate local IP. This IP looks like the default IP of the DMZ interface in FortiGate. When I changed the DMZ IP to something else, like 10.10.20.1, the tunnel suddenly worked fine. I don't see this IP anywhere in the branch network or head office network other than on the DMZ interface, which is why I'm still a bit confused about this. But since the connection is established and users can connect to the other countries' servers, for now it's fine.
Thank you.
You need to understand the BGP topology with the AS number on each FGT. It's under "config router bgp" in the CLI, especially inside "config neighbor". It would look like below:
config router bgp
    set as 65070
    set router-id 192.168.199.253
    config neighbor
        edit "10.x.x.253"
            set shutdown enable
            set soft-reconfiguration enable
            set remote-as 65528
            set route-map-out "Announce-Primary"
            set send-community standard
        next
        edit "10.x.x.121"
            set soft-reconfiguration enable
            set remote-as 65528
            set route-map-out "Announce-Office"
            set send-community standard
        next
    end
    config redistribute "connected"
        set status enable
    end
<snip>
Share this part of the config with us after masking any sensitive info.
Above is my home 40F's BGP config. It has two neighbors configured, but one of them is "shutdown", so only the second neighbor is active. The neighbor is connected over an IPsec tunnel and 10.x.x.121 is configured on the neighbor FGT's IPsec interface. And it's getting routes from AS=65528 over eBGP (because its own AS is 65070).
Toshi
And if you know the TH Head Office subnet, say x.x.x.0/24, you can try "get router info bgp network x.x.x.0/24", just like below:
fg40f-utm (root) # get router info bgp network 10.0.94.0/24
VRF 0 BGP routing table entry for 10.0.94.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
65528 yyyyy
10.x.x.121 from 10.x.x.121 (z.z.z.z)
Origin incomplete metric 0, localpref 100, valid, external, best
Last update: Fri Sep 20 22:37:13 2024
The important info in the above output is the AS list. It shows that 10.0.94.0/24 was originally advertised from AS=yyyy. Then AS=yyyy re-advertised it to AS=65528. Then my 40F got it from the neighbor 65528.
Toshi
What AS did you configure at the ID branch FGT? The same as the ID Head Office FGT?
You'd better figure out the AS scheme first before you need to add another office to the mix. If you add another ID branch cascading from the current branch, and the AS is the same, it wouldn't work because an iBGP (same AS) learned route wouldn't be advertised to another iBGP neighbor.
You seem to have some routing issues from the ID branch through the AWS. Check what's in the routing table with "get router info routing-table all" at the branch FGT, then run a "tracert" from your machine at the branch while the DMZ interface has the original IP.
If the FGT has learned the destination IP over BGP over IPsec, you should have a route for the destination in the routing table, with the next hop/gateway being the ID Head Office FGT.
Toshi
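As an added example (not code from the thread or from Fortinet), the script below applies the two checks Toshi describes: it parses a "config router bgp" dump like the 40F config posted earlier, classifies each active neighbor as eBGP or iBGP from its remote-as versus the local AS, and flags the cascaded same-AS case where an iBGP-learned route would not be re-advertised to another iBGP peer. The embedded config is an abridged copy of the masked sample from the thread.

```python
# Added example, not code from the thread: parse a FortiOS "config router bgp" dump
# and classify each active neighbor as eBGP or iBGP (the AS-scheme check above).
SAMPLE_CONFIG = """\
config router bgp
    set as 65070
    config neighbor
        edit "10.x.x.253"
            set shutdown enable
            set remote-as 65528
        next
        edit "10.x.x.121"
            set remote-as 65528
        next
    end
end
"""  # abridged copy of the masked config posted in the thread

def parse_bgp(text):
    """Return (local_as, {peer_ip: {'remote_as': int|None, 'shutdown': bool}})."""
    local_as, peers, cur, in_nb = None, {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("set as "):
            local_as = int(line.split()[2])
        elif line == "config neighbor":      # only 'edit' entries in here are peers
            in_nb = True
        elif in_nb and line.startswith("edit "):
            cur = line.split(None, 1)[1].strip('"')
            peers[cur] = {"remote_as": None, "shutdown": False}
        elif cur and line.startswith("set remote-as "):
            peers[cur]["remote_as"] = int(line.split()[2])
        elif cur and line == "set shutdown enable":
            peers[cur]["shutdown"] = True
        elif line == "next":
            cur = None
        elif line == "end":
            in_nb = False
    return local_as, peers

def classify_peers(local_as, peers):
    """Active peers only: 'iBGP' when remote-as equals the local AS, else 'eBGP'."""
    return {ip: "iBGP" if p["remote_as"] == local_as else "eBGP"
            for ip, p in peers.items() if not p["shutdown"] and p["remote_as"]}

def ibgp_transit_risk(local_as, peers):
    """True with two or more active iBGP peers: a route learned from one iBGP peer
    is not re-advertised to another, so a cascaded same-AS branch gets no route."""
    return sum(k == "iBGP" for k in classify_peers(local_as, peers).values()) >= 2
```

Run it against the output of "show router bgp" from the branch FGT to see whether the branch peers the head office as eBGP (different AS) or iBGP (same AS).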
Copyright 2024 Fortinet, Inc. All Rights Reserved.