Description
This article contains the settings required to enable dynamic routing (BGP in this example) over a route-based IPsec tunnel between two FortiGates with static IP addresses.
Scope
FortiGate.
Solution
The 'ip' and 'remote-ip' commands must be set on the tunnel interface of both FortiGates (see the configuration below). These addresses give the tunnel interface its own IP endpoints, and it is between these endpoints that the BGP (or OSPF) neighbor relationship is established. Without them the tunnel interface does not run IP at all, so BGP never even attempts to open a TCP session to the peer.
The CLI guide states: to use dynamic routing with the tunnel, or to be able to ping the tunnel interface, specify an address for the remote end of the tunnel in 'remote-ip' and an address for this end of the tunnel in 'ip'. These settings are only available when the interface type is 'tunnel'.
Bear in mind that these settings are for tunnels between peers with static IP addresses.
This document will be updated at a later date for the dial-up tunnel case.
Extracts of the CLI configuration for the left FortiGate (firewall policies not shown here). The tunnel addresses 11.11.11.97 and 11.11.11.130 are only examples: use whatever addressing is required, as long as each side's 'remote-ip' is the other side's 'ip'.
config system interface
edit "port13"
set vdom "External"
set ip 10.115.2.97 255.255.240.0
set type physical
next
edit "Tunnel1"
set vdom "External"
set ip 11.11.11.97 255.255.255.255
set type tunnel
set remote-ip 11.11.11.130
set interface "port13"
next
end
------------------------------------------------------------------
config vpn ipsec phase1-interface
edit "Tunnel1"
set interface "port13"
set nattraversal disable
set remote-gw 10.115.1.130
set psksecret ENC LCVkCiK2E2PhVUzZe
next
end
config vpn ipsec phase2-interface
edit "Tunnel1-P2"
set phase1name "Tunnel1"
set keepalive enable
set auto-negotiate enable
next
end
------------------------------------------------------------------
config router bgp
set as 65002
set router-id 192.168.1.97
config neighbor
edit "11.11.11.130"
set remote-as 65003
next
end
end
Extracts of the CLI configuration for the right FortiGate. Note that port2 is the interface the tunnel terminates on, and its 'allowaccess' list includes http and telnet: both are cleartext management protocols and neither is needed for the tunnel or for BGP, so restrict 'allowaccess' to the management protocols actually required.
config system interface
edit "port2"
set vdom "root"
set ip 10.115.1.130 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 2
next
edit "Tunnel1"
set vdom "root"
set ip 11.11.11.130 255.255.255.255
set type tunnel
set remote-ip 11.11.11.97
set interface "port2"
next
end
------------------------------------------------------------------
config vpn ipsec phase1-interface
edit "Tunnel1"
set interface "port2"
set remote-gw 10.115.2.97
set psksecret ENC LCVkCiK2E2PhVUzZe
next
end
config vpn ipsec phase2-interface
edit "Tunnel1-P2"
set phase1name "Tunnel1"
set auto-negotiate enable
next
end
------------------------------------------------------------------
config router bgp
set as 65003
set router-id 192.168.1.130
config neighbor
edit "11.11.11.97"
set remote-as 65002
next
end
end
-------------------------------------------------------------------
config firewall policy
edit 3
set srcintf "Tunnel1"
set dstintf "port3"
set action accept
set service "ALL"
next
edit 4
set srcintf "port3"
set dstintf "Tunnel1"
set action accept
set service "ALL"
next
end
Verification of BGP sessions:
FG-Left # get router info bgp neighbor
BGP neighbor is 11.11.11.130, remote AS 65003, local AS 65002, external link
BGP version 4, remote router ID 192.168.1.130
BGP state = Established, up for 00:09:44
.
Connections established 1; dropped 0
Local host: 11.11.11.97, Local port: 179
Foreign host: 11.11.11.130, Foreign port: 1375
Nexthop: 11.11.11.97
--------------------------------------------------------------------------
FG-Right # get router info bgp neighbor
BGP neighbor is 11.11.11.97, remote AS 65002, local AS 65003, external link
BGP version 4, remote router ID 192.168.1.2
BGP state = Established, up for 00:08:16
.
Connections established 1; dropped 0
Local host: 11.11.11.130, Local port: 1375
Foreign host: 11.11.11.97, Foreign port: 179
Nexthop: 11.11.11.130
In the configuration above, neither FortiGate sets phase 2 selectors (proxy IDs), so they stay at the default of 0.0.0.0/0 for both source and destination, and traffic between any subnets, including the tunnel interface addresses, is allowed through the tunnel.
Where the phase 2 selectors are narrowed so that only specific subnets are allowed through the tunnel, the BGP session between the tunnel interface addresses no longer matches any selector and the neighbor will not come up. A phase 2 selector covering the tunnel interface IPs must then be added. The example below, based on the setup given above, sets that selector on 'Tunnel1-P2'; if that phase 2 also has to carry the user subnets, add the tunnel-IP pair as an additional phase 2 entry under the same phase 1 instead of replacing the existing selectors.
For the left FortiGate:
config vpn ipsec phase2-interface
edit "Tunnel1-P2"
set src-subnet 11.11.11.97 255.255.255.255
set dst-subnet 11.11.11.130 255.255.255.255
next
end
For the right FortiGate:
config vpn ipsec phase2-interface
edit "Tunnel1-P2"
set src-subnet 11.11.11.130 255.255.255.255
set dst-subnet 11.11.11.97 255.255.255.255
next
end
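As an added example (not Fortinet code and not part of the original article), the following Python script parses FortiOS-style CLI fragments for both FortiGates and checks the three things this article depends on: that each tunnel interface's 'remote-ip' is the peer's 'ip', that the BGP neighbor is the peer's tunnel IP with the peer's AS number, and that at least one phase 2 selector on the tunnel covers the tunnel IP pair. The fragments it checks are constructed from the article's addresses and AS numbers; the LAN subnets 192.168.1.0/24 and 192.168.2.0/24 and the phase 2 names Tunnel1-P2-1 and Tunnel1-P2-2 are assumptions, as is the one-entry-per-line CLI layout it parses.

```python
# Added example, not Fortinet code: the configs below are constructed from the article's values.
import ipaddress
import shlex

def parse_fortios(text):
    """Nest 'config'/'edit' scopes into dicts; 'set k v...' becomes k -> [v...]."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):      # open a scope
            stack.append(stack[-1].setdefault(" ".join(tokens), {}))
        elif tokens[0] in ("next", "end"):       # close the current scope
            stack.pop()
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = tokens[2:]
    return root

def selector(p2, key):
    """An unset src/dst-subnet means 0.0.0.0 0.0.0.0, i.e. any address."""
    ip, mask = p2.get(key, ["0.0.0.0", "0.0.0.0"])
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_side(mine, peer, side, tunnel="Tunnel1"):
    """Problems on one FortiGate, given the parsed configs of both sides."""
    intf = mine["config system interface"][f"edit {tunnel}"]
    peer_ip = peer["config system interface"][f"edit {tunnel}"].get("ip", [None])[0]
    ip, remote = intf.get("ip", [None])[0], intf.get("remote-ip", [None])[0]
    if not (ip and remote):   # without both, the tunnel interface does not run IP at all
        return [f"{side}: {tunnel} needs both ip and remote-ip"]
    problems = []
    if remote != peer_ip:
        problems.append(f"{side}: remote-ip {remote} is not the peer's tunnel ip")
    # BGP peers on the tunnel IPs: neighbor = peer's ip, remote-as = peer's 'set as'
    nbr = mine["config router bgp"].get("config neighbor", {}).get(f"edit {remote}")
    if nbr is None:
        problems.append(f"{side}: no BGP neighbor {remote}")
    elif nbr.get("remote-as") != peer["config router bgp"].get("as"):
        problems.append(f"{side}: remote-as of neighbor {remote} is not the peer's AS")
    # Phase 2: unless a selector covers ip -> remote-ip, the BGP TCP session is
    # never admitted into the SA and the neighbor never reaches Established
    covered = any(
        ipaddress.ip_address(ip) in selector(p2, "src-subnet")
        and ipaddress.ip_address(remote) in selector(p2, "dst-subnet")
        for p2 in mine["config vpn ipsec phase2-interface"].values()
        if p2.get("phase1name") == [tunnel])
    if not covered:
        problems.append(f"{side}: no phase2 selector covers {ip} -> {remote}")
    return problems

def check_pair(left_text, right_text):
    left, right = parse_fortios(left_text), parse_fortios(right_text)
    return check_side(left, right, "left") + check_side(right, left, "right")

# Constructed per-side fragment with the article's addressing; {p2} receives the phase 2 entries
SIDE = """config system interface
    edit "Tunnel1"
        set ip {ip} 255.255.255.255
        set type tunnel
        set remote-ip {remote}
    next
end
config vpn ipsec phase2-interface
{p2}
end
config router bgp
    set as {my_as}
    config neighbor
        edit "{remote}"
            set remote-as {peer_as}
        next
    end
end
"""

def side_config(ip, remote, my_as, peer_as, selectors=()):
    """selectors: (src-subnet, dst-subnet) 'ip mask' pairs; empty keeps FortiOS defaults."""
    p2 = []
    for i, (src, dst) in enumerate(selectors or [(None, None)], 1):
        p2 += [f'    edit "Tunnel1-P2-{i}"', '        set phase1name "Tunnel1"']
        if src:
            p2 += [f"        set src-subnet {src}", f"        set dst-subnet {dst}"]
        p2.append("    next")
    return SIDE.format(ip=ip, remote=remote, my_as=my_as, peer_as=peer_as, p2="\n".join(p2))

LEFT = dict(ip="11.11.11.97", remote="11.11.11.130", my_as=65002, peer_as=65003)
RIGHT = dict(ip="11.11.11.130", remote="11.11.11.97", my_as=65003, peer_as=65002)
LAN_L, LAN_R = "192.168.1.0 255.255.255.0", "192.168.2.0 255.255.255.0"   # assumed LANs
TUN_L, TUN_R = "11.11.11.97 255.255.255.255", "11.11.11.130 255.255.255.255"

def run_cases():
    """Problem lists for the article's default, narrowed and corrected phase 2 setups."""
    return {
        "default": check_pair(side_config(**LEFT), side_config(**RIGHT)),
        "lan-only": check_pair(side_config(**LEFT, selectors=[(LAN_L, LAN_R)]),
                               side_config(**RIGHT, selectors=[(LAN_R, LAN_L)])),
        "lan+tunnel": check_pair(side_config(**LEFT, selectors=[(LAN_L, LAN_R), (TUN_L, TUN_R)]),
                                 side_config(**RIGHT, selectors=[(LAN_R, LAN_L), (TUN_R, TUN_L)])),
    }
```

run_cases() returns an empty problem list for the default (0.0.0.0/0) selectors and for the LAN-plus-tunnel-IP selectors, and one "no phase2 selector covers" problem per side when only the LAN subnets are selected, which is the failure mode the paragraph above describes. Feeding it a real 'show' export would need the parser to cope with that device's exact line layout; it is written against the fragment style used in this article.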