iBGP routing over IPSec (SD-WAN)
Hi Team,
I am currently testing a configuration for SD-WAN using an IPsec tunnel and configuring iBGP routing.
I am not experienced with Forti SDWAN, so the image below is my topology:
WAN using a static public IP.
If I am using a static route:
ISP 1 /28 same subnet and ISP 2 /29 same subnet.
Destination 192.168.x.0/24 via interface SDWAN; from port.7 Site A can ping to port.7 Site B.
IPsec tunnel and SD-WAN status is up.
Then I want to change the routing from static route to iBGP routing, but I don't get the routing table for BGP.
Hi @Dz,
Can you check and make sure BGP peering is up? Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-tips-for-FortiOS-routing-RIP-OSPF-BGP-st...
Regards,
Hi @hbac,
Below is the BGP routing summary; currently my configuration is stuck in the Active state.
Site-Branch-A (root) # get router info bgp summary
VRF 0 BGP router identifier 10.10.20.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.20.2 4 65000 0 0 0 0 0 never Active
10.10.30.2 4 65000 0 0 0 0 0 never Active
Total number of neighbors 2
Hi @Dz,
Please make sure you configure the local and remote IPs on the tunnel interface, i.e.:
config system interface
edit "Tunnel-ISP-X"
set vdom <VDOM-name>
set ip <local-IP> 255.255.255.255 #<----make sure to set this
set type tunnel
set remote-ip <remote-IP> #<----make sure to set this
set interface <physical-interface>
next
end
Please also make sure you can ping the remote BGP peer using the correct source IP ("exec ping-options source <local-IP>" and "exec ping <remote-IP>").
You can also run a packet sniffer in CLI (in VDOM context) to see if you send/receive ICMP or BGP packets ("diag sniffer packet any 'host x.x.x.x and (proto 1 or port 179)' 4 0 l" ).
For further info, please refer to the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...
Regards,
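As an added example (not code from the thread or from Fortinet), the following Python script checks the two things the replies ask about: it parses `get router info bgp summary` output and flags any neighbor that has not reached Established, and it scans a `config system interface` stanza for tunnel interfaces that lack `set ip` or `set remote-ip`. The BGP output and interface config embedded below are constructed samples modelled on the thread.

```python
import re

# Constructed sample, modelled on the `get router info bgp summary` in the thread.
BGP_SUMMARY = """\
VRF 0 BGP router identifier 10.10.20.1, local AS number 65000
Neighbor        V   AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.20.2      4 65000      0       0      0   0    0 never   Active
10.10.30.2      4 65000     12      14      3   0    0 00:05:10        5
Total number of neighbors 2
"""

# Constructed sample interface config; Tunnel-ISP-2 is missing `set remote-ip`.
IFACE_CONFIG = """\
config system interface
    edit "Tunnel-ISP-1"
        set ip 10.10.20.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.20.2 255.255.255.255
        set interface "wan1"
    next
    edit "Tunnel-ISP-2"
        set ip 10.10.30.1 255.255.255.255
        set type tunnel
        set interface "wan2"
    next
end
"""

def down_bgp_peers(summary: str) -> list[tuple[str, str]]:
    """Return (neighbor, state) for every peer that is not Established: FortiOS
    prints the received-prefix count in the last column once the session is up,
    and the FSM state name (Idle/Connect/Active/...) otherwise."""
    down = []
    for line in summary.splitlines():
        cols = line.split()
        if len(cols) >= 10 and re.fullmatch(r"\d+(\.\d+){3}", cols[0]):
            if not cols[-1].isdigit():
                down.append((cols[0], cols[-1]))
    return down

def tunnels_missing_ips(config: str) -> dict[str, list[str]]:
    """Map each `set type tunnel` interface to the settings it lacks (ip, remote-ip)."""
    problems = {}
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', config, re.S):
        if re.search(r"^\s*set type tunnel\s*$", body, re.M):
            missing = [k for k in ("ip", "remote-ip")
                       if not re.search(rf"^\s*set {k} ", body, re.M)]
            if missing:
                problems[name] = missing
    return problems
```

Run against live output, a peer listed by `down_bgp_peers` together with a tunnel named by `tunnels_missing_ips` points at the interface addressing problem described in the reply above.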