BGP over dynamic IPsec
This example shows how to build a dynamic (dialup) IPsec VPN tunnel between two FortiGates and run BGP across it. FortiGate 1 is the dialup server that FortiGate 2 connects to; the BGP session is formed between a loopback interface on each unit rather than between the tunnel endpoints, so the tunnel only has to carry traffic between the two loopback addresses.
Configuring IPsec on FortiGate 1
- Go to Policy & Objects > Objects > Addresses and create a new Address for FortiGate 2's loopback address:
Name | Remote_loop_int |
Type | Subnet |
Subnet/IP Range | 10.10.10.10 |
Interface | any |
- Create an Address Group; it is used as the phase 2 destination selector so that the tunnel carries traffic to FortiGate 2's loopback:
Group Name | VPN_DST |
Show in Address List | enable |
Members | Remote_loop_int, all |
- Go to System > Status and open the CLI Console widget.
- Create phase 1. FortiGate 1 accepts a dialup peer only if it presents the IKE identity "dial" (peertype one / peerid dial), which matches the localid configured on FortiGate 2 below:
config vpn ipsec phase1-interface
    edit Dialup
        set type dynamic
        set interface wan1
        set mode aggressive
        set peertype one
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set peerid dial
        set assign-ip disable
        set psksecret <pre-shared key>
    next
end
Note that IKEv1 aggressive mode with a pre-shared key sends the PSK-derived authentication hash before the exchange is encrypted, so anyone who can capture the negotiation can attempt an offline dictionary attack against the key. Use a long, random pre-shared key, and drop 3DES from the proposal list if the peer supports AES.
- Create phase 2. The destination selector is the VPN_DST group, which contains FortiGate 2's loopback address; FortiGate 1 has no static route for it because the dialup tunnel installs a route to its remote selector once the tunnel is up:
config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set src-addr-type name
        set dst-addr-type name
        set src-name all
        set dst-name VPN_DST
    next
end
Configuring BGP on FortiGate 1
- Go to System > Network > Interfaces and create a Loopback interface named loop (the BGP configuration below refers to it by this name).
- Set IP/Network Mask to 20.20.20.20/255.255.255.255.
- Go to System > Status and open the CLI Console widget.
- Configure BGP. The neighbor is FortiGate 2's loopback address, the session is sourced from the local loopback, and ebgp-enforce-multihop is required because the two loopbacks are not directly connected:
config router bgp
    set as 100
    set router-id 1.1.1.1
    config neighbor
        edit 10.10.10.10
            set ebgp-enforce-multihop enable
            set remote-as 200
            set update-source loop
        next
    end
    config redistribute connected
        set status enable
    end
end
Adding policies on FortiGate 1
- Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic (the predefined BGP service, TCP port 179) from the Dialup interface to the loop interface.
- Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic from the loop interface to the Dialup interface.
Configuring IPsec on FortiGate 2
- Go to System > Status and open the CLI Console widget.
- Create phase 1. The localid "dial" is the identity FortiGate 1 checks for, and remote-gw is FortiGate 1's wan1 address (172.20.120.22 in this example):
config vpn ipsec phase1-interface
    edit Dialup
        set interface wan1
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set localid dial
        set remote-gw 172.20.120.22
        set assign-ip disable
        set psksecret <pre-shared key>
    next
end
- Create phase 2:
config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set keepalive enable
    next
end
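The phase 1 settings above (IKEv1 aggressive mode, 3DES in the proposal list) are the weakest part of this design. The following is an added example, not part of the original recipe, that keeps the recipe's names, interfaces and addresses but moves both peers to IKEv2 with AES-256/SHA-256, DH group 14 and PFS; in IKEv2 the peer identity is sent encrypted, so the peer ID check on FortiGate 1 no longer needs aggressive mode. It assumes a FortiOS release that offers ike-version 2 and these proposals, and the pre-shared key value is a placeholder. Everything else in the recipe (loopbacks, BGP, policies, static route) is unchanged.

```fortios
# FortiGate 1 (dialup server) - hardened phase 1 and phase 2
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "dial"
        set mode-cfg enable
        set assign-ip disable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <long random pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "dial_p2"
        set phase1name "Dialup"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "VPN_DST"
    next
end

# FortiGate 2 (dialup client) - same IKE version and proposals
config vpn ipsec phase1-interface
    edit "Dialup"
        set interface "wan1"
        set ike-version 2
        set localid "dial"
        set remote-gw 172.20.120.22
        set mode-cfg enable
        set assign-ip disable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <same pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "dial_p2"
        set phase1name "Dialup"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keepalive enable
    next
end
```

Both ends must agree on ike-version, proposal and dhgrp; changing only one side leaves the tunnel down, which the IPsec Monitor and the diagnose commands in the Results section will show.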
Configuring BGP on FortiGate 2
- Go to System > Network > Interfaces and create a Loopback interface named loop.
- Set IP/Network Mask to 10.10.10.10/255.255.255.255.
- Go to System > Status and open the CLI Console widget.
- Configure BGP, mirroring FortiGate 1: the neighbor is FortiGate 1's loopback address and the session is sourced from the local loopback:
config router bgp
    set as 200
    set router-id 1.1.1.2
    config neighbor
        edit 20.20.20.20
            set ebgp-enforce-multihop enable
            set remote-as 100
            set update-source loop
        next
    end
    config redistribute connected
        set status enable
    end
end
Adding policies on FortiGate 2
- Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic (the predefined BGP service, TCP port 179) from the Dialup interface to the loop interface.
- Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic from the loop interface to the Dialup interface.
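The GUI steps for both FortiGates say only "allowing BGP traffic"; the point a practitioner should not miss is that the service must be restricted to BGP (TCP 179) rather than ALL, otherwise the tunnel becomes a general path to the loopback interface. The following is an added example, not part of the original recipe, giving the two policies as CLI. It assumes the tunnel interface is named Dialup and the loopback is named loop, as in the recipe; the same two policies apply unchanged on FortiGate 2, and policy IDs are assigned automatically by edit 0.

```fortios
config firewall policy
    # Inbound: BGP from the remote loopback, arriving over the tunnel
    edit 0
        set srcintf "Dialup"
        set dstintf "loop"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "BGP"
    next
    # Outbound: BGP sourced from the local loopback, leaving over the tunnel
    edit 0
        set srcintf "loop"
        set dstintf "Dialup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "BGP"
    next
end
```

On FortiGate 1 the srcaddr of the inbound policy can be tightened further to the Remote_loop_int object created earlier; on FortiGate 2 an equivalent address object for 20.20.20.20 would have to be created first.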
Adding a static route on FortiGate 2
Go to Router > Static > Static Routes and add a route to FortiGate 1's loopback address through the Dialup tunnel interface. FortiGate 2 needs this route because, unlike FortiGate 1, it has no phase 2 destination selector naming the remote loopback, so nothing else tells it where 20.20.20.20 is.
Destination IP/Mask | 20.20.20.20/255.255.255.255 |
Device | Dialup |
Administrative Distance | 10 |
Verifying the tunnel is up
Go to VPN > Monitor > IPsec Monitor on either FortiGate and verify that the Dialup tunnel status is Up. BGP cannot establish until the tunnel is up, so check this first if the neighbor stays in Idle or Active.
Results
- From FortiGate 1, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 2 (at least its loopback 10.10.10.10/32, redistributed as connected) appear with BGP as the source.
- From FortiGate 1, go to System > Status, open the CLI Console widget and verify the BGP neighbor with:
get router info bgp summary
The neighbor 10.10.10.10 should show a prefix count in the State/PfxRcd column; a state name such as Idle, Active or Connect there means the session is not established.
- From FortiGate 2, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 1 (at least 20.20.20.20/32) appear with BGP as the source.
- From FortiGate 2, go to System > Status, open the CLI Console widget and run the same command; here the neighbor listed is 20.20.20.20:
get router info bgp summary
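When the summary does not show an established session, the following added set of checks (not part of the original recipe) walks the dependency chain from the IKE SA through the IPsec SA to BGP. It assumes the names and addresses used in the recipe; on FortiGate 2 substitute 20.20.20.20 for the neighbor address.

```fortios
# 1. Is the IKE SA up for the dialup tunnel? No entry here means phase 1 failed
#    (wrong PSK, peer ID mismatch, or no proposal in common).
diagnose vpn ike gateway list name Dialup

# 2. Is there an IPsec SA with the expected selectors? Zero SAs with the IKE SA up
#    points at a phase 2 proposal or selector mismatch.
diagnose vpn tunnel list name Dialup

# 3. BGP neighbor detail: state, last error, and which address the session is sourced from.
get router info bgp neighbors 10.10.10.10

# 4. Routes actually learned over the session.
get router info routing-table bgp
```

If steps 1 and 2 are healthy but step 3 shows the neighbor cycling through Active, the usual causes are a missing firewall policy for the BGP service in one direction, or a missing route to the remote loopback (the static route on FortiGate 2, the tunnel's selector route on FortiGate 1).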