BGP over dynamic IPsec

This example shows how to create a dynamic IPsec VPN tunnel that allows BGP.

Configuring IPsec on FortiGate 1

  1. Go to Policy & Objects > Objects > Addresses and select Create New Address.
     Name: Remote_loop_int
     Type: Subnet
     Subnet/IP Range: 10.10.10.10
     Interface: any
  2. Create an Address Group.
     Group Name: VPN_DST
     Show in Address List: enable
     Members: Remote_loop_int, all
  3. Go to System > Status and enter the CLI Console widget.
  4. Create phase 1:

config vpn ipsec phase1-interface
    edit Dialup
        set type dynamic
        set interface wan1
        set mode aggressive
        set peertype one
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set peerid dial
        set assign-ip disable
        set psksecret
    next
end

  5. Create phase 2:

config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set src-addr-type name
        set dst-addr-type name
        set src-name all
        set dst-name VPN_DST
    next
end

Configuring BGP on FortiGate 1

  1. Go to System > Network > Interfaces and create a Loopback interface.
  2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.
  3. Go to System > Status and enter the CLI Console widget.
  4. Create a BGP route.

config router bgp
    set as 100
    set router-id 1.1.1.1
    config neighbor
        edit 10.10.10.10
            set ebgp-enforce-multihop enable
            set remote-as 200
            set update-source loop
        next
    end
    config redistribute connected
        set status enable
    end
end

Adding policies on FortiGate 1

  1. Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic from Dialup to loop interfaces.
  2. Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic from loop to Dialup interfaces.

Configuring IPsec on FortiGate 2

  1. Go to System > Status and enter the CLI Console widget.
  2. Create phase 1:

config vpn ipsec phase1-interface
    edit Dialup
        set interface wan1
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set localid dial
        set remote-gw 172.20.120.22
        set assign-ip disable
        set psksecret
    next
end

  3. Create phase 2:

config vpn ipsec phase2-interface
    edit dial_p2
        set phase1name Dialup
        set proposal 3des-sha1 aes128-sha1
        set keepalive enable
    next
end

Configuring BGP on FortiGate 2

  1. Go to System > Network > Interfaces and create a Loopback interface.
  2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.
  3. Go to System > Status and enter the CLI Console widget.
  4. Create a BGP route.

config router bgp
    set as 200
    set router-id 1.1.1.2
    config neighbor
        edit 20.20.20.20
            set ebgp-enforce-multihop enable
            set remote-as 100
            set update-source loop
        next
    end
    config redistribute connected
        set status enable
    end
end

Adding policies on FortiGate 2

  1. Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic from Dialup to loop interfaces.
  2. Go to Policy & Objects > Policy > IPv4 and create a policy allowing BGP traffic from loop to Dialup interfaces.

Adding a static route on FortiGate 2

Go to Router > Static > Static Routes and add a route to the remote Loopback interface via the Dialup interface.

Destination IP/Mask: 20.20.20.20/255.255.255.255
Device: Dialup
Administrative Distance: 10
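Before bringing the tunnel up, it is worth cross-checking the two configurations against each other. The following Python script is an added example, not part of the FortiOS cookbook: it parses trimmed copies of the two peers' CLI snippets above and reports the mismatches that most commonly keep a dial-up tunnel or a loopback-to-loopback eBGP session down (peerid versus localid, a shared phase 1 proposal, neighbor address versus the peer's loopback, remote-as versus the peer's AS, and multihop). The LOOPBACK addresses come from the GUI steps, and the LEGACY algorithm set is this example's own assumption.

```python
# Added example (not FortiOS cookbook code): cross-check the two peers' CLI snippets
# for the mismatches that most often keep the tunnel or the BGP session down.
LOOPBACK = {"FG1": "20.20.20.20", "FG2": "10.10.10.10"}  # loopbacks from the GUI steps
LEGACY = {"des", "3des", "md5"}                           # algorithms worth flagging
# Constructed input: the page's two configs, trimmed to the lines that matter here.
FG1 = "\n".join(("config vpn ipsec phase1-interface", "edit Dialup", "set type dynamic",
    "set peerid dial", "set proposal 3des-sha1 aes128-sha1", "next", "end",
    "config router bgp", "set as 100", "config neighbor", "edit 10.10.10.10",
    "set ebgp-enforce-multihop enable", "set remote-as 200", "next", "end", "end"))
FG2 = "\n".join(("config vpn ipsec phase1-interface", "edit Dialup", "set localid dial",
    "set remote-gw 172.20.120.22", "set proposal 3des-sha1 aes128-sha1", "next", "end",
    "config router bgp", "set as 200", "config neighbor", "edit 20.20.20.20",
    "set ebgp-enforce-multihop enable", "set remote-as 100", "next", "end", "end"))

def parse_fortios(text):
    """Map each 'config .../edit ...' path to its 'set' key -> value-list pairs."""
    tree, path = {}, []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end"):
            path.pop()
        elif tok[0] == "set":
            tree.setdefault("/".join(path), {})[tok[1]] = tok[2:]
    return tree

def check_peers(cfg_a, cfg_b, name_a="FG1", name_b="FG2"):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b, out = parse_fortios(cfg_a), parse_fortios(cfg_b), []
    p1a, p1b = a["vpn ipsec phase1-interface/Dialup"], b["vpn ipsec phase1-interface/Dialup"]
    # The dial-up responder (peertype one) accepts the dialer by ID: peerid == localid.
    if p1a.get("peerid") != p1b.get("localid"):
        out.append("phase1 peerid/localid mismatch")
    if not set(p1a["proposal"]) & set(p1b["proposal"]):
        out.append("no common phase1 proposal")
    for name, p in ((name_a, p1a), (name_b, p1b)):
        weak = [x for x in p["proposal"] if LEGACY & set(x.split("-"))]
        if weak:
            out.append(f"{name} offers legacy proposal(s): {' '.join(weak)}")
    # eBGP between loopbacks: neighbor IP = peer's loopback, remote-as = peer's AS, multihop required.
    for me, peer, cfg, pcfg in ((name_a, name_b, a, b), (name_b, name_a, b, a)):
        for key in (k for k in cfg if k.startswith("router bgp/neighbor/")):
            ip, nbr = key.rsplit("/", 1)[1], cfg[key]
            if ip != LOOPBACK[peer]:
                out.append(f"{me} neighbor {ip} is not {peer}'s loopback")
            if nbr.get("remote-as") != pcfg["router bgp"]["as"]:
                out.append(f"{me} remote-as does not match {peer}'s AS")
            if nbr.get("ebgp-enforce-multihop") != ["enable"]:
                out.append(f"{me} neighbor {ip} lacks ebgp-enforce-multihop")
    return out
```

With the page's values as given, the only findings are the two 3des-sha1 entries; changing a peerid, remote-as or multihop setting on either side produces a matching finding.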

Verifying the tunnel is up

Go to VPN > Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

  1. From FortiGate 1, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
  2. From FortiGate 1, go to System > Status.
  3. Enter the CLI Console widget and type this command to verify BGP neighbors:

get router info bgp summary

  4. From FortiGate 2, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
  5. From FortiGate 2, go to System > Status.
  6. Enter the CLI Console widget and type this command to verify BGP neighbors:

get router info bgp summary