Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dz
New Contributor

iBGP routing over IPSec (SD-WAN)

Hi Team,

 

I am currently testing a configuration for SD-WAN using an IPsec tunnel and configuring iBGP routing.

I am not experienced with Forti SD-WAN, so the image below is my topology:

Screenshot 2023-10-19 163852.png

WAN uses a static public IP.

If I am using a static route:

ISP 1 /28 same subnet and ISP 2 /29 same subnet.

destination 192.168.x.0/24 via interface SD-WAN; from port.7 on Site A I can ping port.7 on Site B.

The IPsec tunnel and SD-WAN status are up.

Then I want to change the routing from static routes to iBGP, but I don't get the routing table for BGP.

 

3 REPLIES
hbac
Staff

Hi @Dz,

 

Can you check and make sure BGP peering is up? Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-tips-for-FortiOS-routing-RIP-OSPF-BGP-st...

 

Regards, 

Dz
New Contributor

Hi @hbac ,

 

Below is the BGP summary; currently my configuration is stuck in the Active state.

 

Site-Branch-A (root) # get router info bgp summary
VRF 0 BGP router identifier 10.10.20.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.20.2 4 65000 0 0 0 0 0 never Active
10.10.30.2 4 65000 0 0 0 0 0 never Active

Total number of neighbors 2

fricci_FTNT
Staff

Hi @Dz ,

Please make sure you configure the local and remote IPs on the Tunnel interface, i.e.:

config system interface
edit "Tunnel-ISP-X"
set vdom <VDOM-name>
set ip <local-IP> 255.255.255.255     #<----make sure to set this
set type tunnel
set remote-ip <remote-IP>       #<----make sure to set this
set interface <physical-interface>
next
end

Please also make sure you can ping the remote BGP peer using the correct source IP ("exec ping-options source <local-IP>" and "exec ping <remote-IP>").
You can also run a packet sniffer in CLI (in VDOM context) to see if you send/receive ICMP or BGP packets ("diag sniffer packet any 'host x.x.x.x and (proto 1 or port 179)' 4 0 l" ).

For further info, please refer to the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...

Regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
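The following is an added worked example (not configuration from either poster or from Fortinet) that puts the two replies above together for Site A: the tunnel interfaces with local and remote IPs, phase 2 selectors wide enough to carry the BGP session, and the iBGP neighbors sourced from the tunnel IPs. The AS number 65000, router ID 10.10.20.1 and peer addresses 10.10.20.2 / 10.10.30.2 are taken from the BGP summary posted above; the interface names "Tunnel-ISP-1"/"Tunnel-ISP-2", the second local tunnel IP 10.10.30.1, the WAN ports port1/port2, the VDOM "root" and the LAN prefix 192.168.10.0/24 are assumptions. Site B mirrors this with the IPs swapped.

```fortios
# Site A, FortiOS CLI. Values marked "assumed" are not from the thread.

# 1. Tunnel interfaces: a /32 local IP plus the peer's IP on each tunnel.
#    Without these the FortiGate has no source address for the session and
#    no connected route to 10.10.20.2, so the neighbor never leaves Active.
config system interface
    edit "Tunnel-ISP-1"                             # name assumed
        set vdom "root"                             # VDOM assumed
        set ip 10.10.20.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.20.2 255.255.255.255
        set interface "port1"                       # WAN port assumed
    next
    edit "Tunnel-ISP-2"                             # name assumed
        set vdom "root"
        set ip 10.10.30.1 255.255.255.255           # local IP assumed
        set type tunnel
        set remote-ip 10.10.30.2 255.255.255.255
        set interface "port2"                       # WAN port assumed
    next
end

# 2. Phase 2 selectors must cover the tunnel IPs themselves, otherwise the
#    TCP/179 packets between 10.10.20.1 and 10.10.20.2 match no SA and are
#    dropped. 0.0.0.0/0 on both ends is the usual choice for a routed tunnel.
config vpn ipsec phase2-interface
    edit "Tunnel-ISP-1"
        set phase1name "Tunnel-ISP-1"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "Tunnel-ISP-2"
        set phase1name "Tunnel-ISP-2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# 3. iBGP: same AS on both sides, each session sourced from its tunnel
#    interface so the TCP source matches what the peer has configured.
#    ibgp-multipath lets both tunnels carry the same prefix.
config router bgp
    set as 65000
    set router-id 10.10.20.1
    set ibgp-multipath enable
    config neighbor
        edit "10.10.20.2"
            set remote-as 65000
            set update-source "Tunnel-ISP-1"
        next
        edit "10.10.30.2"
            set remote-as 65000
            set update-source "Tunnel-ISP-2"
        next
    end
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0   # Site A LAN, assumed
        next
    end
end

# 4. Verify. State/PfxRcd should now show a prefix count, not "Active".
get router info bgp summary
get router info routing-table bgp
get router info routing-table database
diagnose sniffer packet any 'host 10.10.20.2 and port 179' 4 0 l
```

Two points to check once the peers are Established. First, a leftover static route to 192.168.x.0/24 via the SD-WAN zone (administrative distance 10) wins over the iBGP route (distance 200), so the BGP prefix shows up only in `get router info routing-table database` until the static route is removed. Second, the tunnels stay SD-WAN members; nothing in this example changes the SD-WAN zone or rules, it only replaces how the remote prefix is learned.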