Created on 05-31-2022 05:36 AM Edited on 05-31-2022 03:37 PM By Anonymous
Description: This article describes how to configure OSPF over a dynamic IPsec tunnel with 'net-device disable' and 'mode-cfg' (IKE mode config).
Scope: FortiGate
Solution:
The topology consists of two FortiGate firewalls in a hub and spoke arrangement.
The overlay IPs of the spokes (10.10.10.x) can be provisioned either manually or automatically through IKE mode-config.
This example uses IKE mode-config.
Hub configuration.
Tunnel Interface configuration:
# config system interface
    edit "TO_SPOKES"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0
        set snmp-index 24
        set interface "port7"
    next
end
IPsec configuration:
# config vpn ipsec phase1-interface
    edit "TO_SPOKES"
        set type dynamic
        set interface "port7"
        set keylife 3600
        set mode aggressive
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set tunnel-search nexthop
        set ipv4-start-ip 10.10.10.2
        set ipv4-end-ip 10.10.10.253
        set ipv4-netmask 255.255.255.0
        set psksecret ENC my_encrypted_password
        set dpd-retryinterval 60
    next
end
# config vpn ipsec phase2-interface
    edit "TO_SPOKES"
        set phase1name "TO_SPOKES"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 1800
    next
end
OSPF configuration:
# config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "TO_SPOKES"
            set interface "TO_SPOKES"
            set dead-interval 40
            set hello-interval 10
            set mtu-ignore enable
            set network-type point-to-multipoint
        next
    end
    config network
        edit 1
            set prefix 172.16.103.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end
Spoke configuration.
Tunnel interface configuration:
# config system interface
    edit "TO_HUB"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 27
        set interface "port16"
    next
end
IPsec configuration:
# config vpn ipsec phase1-interface
    edit "TO_HUB"
        set interface "port16"
        set keylife 3600
        set mode aggressive
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 14
        set remote-gw 192.168.103.1
        set psksecret ENC my_encrypted_password
    next
end
# config vpn ipsec phase2-interface
    edit "TO_HUB"
        set phase1name "TO_HUB"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 1800
    next
end
OSPF configuration:
# config router ospf
    set router-id 10.10.10.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "TO_HUB"
            set interface "TO_HUB"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 172.16.104.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end
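Before bringing the tunnel up it is worth checking that the hub and spoke snippets actually agree with each other, because a mismatched Phase 1 proposal, a spoke left at the default net-device setting, or a wrong OSPF network-type each keep the adjacency from forming without an obvious error. The script below is an added example and not Fortinet code: it parses FortiGate CLI text (config/edit/set/next/end) into nested dicts and compares the settings this article depends on. The HUB_CONFIG and SPOKE_CONFIG strings are constructed samples reflowing the snippets above with the PSK and unrelated settings left out; the role assignments (hub is point-to-multipoint, spoke is point-to-point) follow the article.

```python
import shlex

# Constructed sample input, not the article text verbatim: the hub and spoke
# snippets reflowed to one command per line, PSK and unrelated settings omitted.
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "TO_SPOKES"
        set type dynamic
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config router ospf
    set router-id 10.10.10.1
    config ospf-interface
        edit "TO_SPOKES"
            set interface "TO_SPOKES"
            set mtu-ignore enable
            set network-type point-to-multipoint
        next
    end
end
"""
SPOKE_CONFIG = """
config vpn ipsec phase1-interface
    edit "TO_HUB"
        set remote-gw 192.168.103.1
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config router ospf
    set router-id 10.10.10.2
    config ospf-interface
        edit "TO_HUB"
            set interface "TO_HUB"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts keyed by section or entry name."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kw, *args = shlex.split(raw)  # shlex drops the quotes around names
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
    return root

def check_hub_spoke(hub_text, spoke_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    hub, spoke = parse_fortios(hub_text), parse_fortios(spoke_text)
    h_name, h_p1 = next(iter(hub["vpn ipsec phase1-interface"].items()))
    s_name, s_p1 = next(iter(spoke["vpn ipsec phase1-interface"].items()))
    findings = []
    # Phase 1 must agree on crypto, and both ends must use the tunnel model the
    # article relies on: net-device disable + exchange-interface-ip + mode-cfg.
    for key in ("proposal", "dhgrp"):
        if h_p1.get(key) != s_p1.get(key):
            findings.append(f"phase1 {key} differs: hub={h_p1.get(key)} spoke={s_p1.get(key)}")
    wanted = (("net-device", "disable"), ("exchange-interface-ip", "enable"), ("mode-cfg", "enable"))
    for side, p1 in (("hub", h_p1), ("spoke", s_p1)):
        for key, want in wanted:
            if p1.get(key) != want:
                findings.append(f"{side}: expected 'set {key} {want}', got {p1.get(key)!r}")
    # OSPF: each side's ospf-interface entry must be bound to its tunnel, ignore MTU,
    # and use point-to-multipoint on the hub against point-to-point on the spoke.
    roles = (("hub", hub, h_name, "point-to-multipoint"), ("spoke", spoke, s_name, "point-to-point"))
    for side, cfg, tunnel, want_type in roles:
        entry = cfg["router ospf"].get("ospf-interface", {}).get(tunnel)
        if entry is None or entry.get("interface") != tunnel:
            findings.append(f"{side}: no ospf-interface entry bound to tunnel {tunnel}")
            continue
        if entry.get("mtu-ignore") != "enable":
            findings.append(f"{side}: mtu-ignore not enabled on {tunnel}")
        if entry.get("network-type") != want_type:
            findings.append(f"{side}: network-type {entry.get('network-type')} instead of {want_type}")
    if hub["router ospf"].get("router-id") == spoke["router ospf"].get("router-id"):
        findings.append("hub and spoke share the same OSPF router-id")
    return findings

if __name__ == "__main__":
    for line in check_hub_spoke(HUB_CONFIG, SPOKE_CONFIG) or ["OK: hub and spoke agree"]:
        print(line)
```

Run it against the output of `show vpn ipsec phase1-interface` and `show router ospf` from each unit (pasted into the two strings, or read from files) and fix every finding before looking at `get router info ospf neighbor`; the parser only understands the four keywords the FortiOS CLI uses for nesting, so it is deliberately small rather than a full config model.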
Result.
# get router info ospf neighbor