
Chapter 14 - IPsec VPN

OSPF over dynamic IPsec

This example shows how to create a dynamic IPsec VPN tunnel that allows OSPF.

Configuring IPsec on FortiGate 1

  1. Go to System > Status and enter the CLI Console widget.
  2. Create phase 1:

config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret
    next
end

  3. Create phase 2:

config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end

Configuring OSPF on FortiGate 1

  1. Go to System > Status and enter the CLI Console widget.
  2. Configure OSPF:

config router ospf
    set router-id 172.20.120.22
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end

Adding policies on FortiGate 1

  1. Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up to port5.
  2. Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to the dial-up interface.

Configuring IPsec on FortiGate 2

  1. Go to System > Status and enter the CLI Console widget.
  2. Create phase 1:

config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set remote-gw 172.20.120.22
        set psksecret
    next
end

  3. Create phase 2:

config vpn ipsec phase2-interface
    edit "dial-up-client"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end

Configuring OSPF on FortiGate 2

  1. Go to System > Status and enter the CLI Console widget.
  2. Configure OSPF:

config router ospf
    set router-id 172.20.120.15
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end

Adding policies on FortiGate 2

  1. Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from dial-up-client to port5.
  2. Go to Policy & Objects > Policy > IPv4 and create a policy allowing OSPF traffic from port5 to the dial-up-client interface.
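Most mistakes in the two configurations above only surface later as a tunnel that never comes up or an OSPF adjacency that never forms, so the following added Python script (not Fortinet code and not part of this page) flattens short excerpts of both FortiGates and checks what this example depends on: the mode-cfg pool sits inside the OSPF network prefix, add-route stays disabled so OSPF carries the routes, the phase 2 proposals overlap, and any DES/3DES/MD5 proposal is flagged. The parser, the ";" separator in the constructed samples and the check wording are assumptions, not FortiOS behaviour.

```python
import ipaddress
# Constructed excerpts of this page's FortiGate 1 / FortiGate 2 settings; ";" stands
# in for a line break only to keep the sample short (it is not FortiOS syntax).
FG1 = ("config vpn ipsec phase1-interface; edit dial-up; set mode-cfg enable;"
       " set proposal 3des-sha1; set add-route disable; set ipv4-start-ip 10.10.101.0;"
       " set ipv4-end-ip 10.10.101.255; next; end; config vpn ipsec phase2-interface;"
       " edit dial-up-p2; set proposal 3des-sha1 aes128-sha1; next; end; config router ospf;"
       " config network; edit 1; set prefix 10.10.101.0 255.255.255.0; next; end; end")
FG2 = ("config vpn ipsec phase1-interface; edit dial-up-client; set mode-cfg enable;"
       " set proposal 3des-sha1; set add-route disable; set remote-gw 172.20.120.22; next;"
       " end; config vpn ipsec phase2-interface; edit dial-up-client; set auto-negotiate enable;"
       " set proposal 3des-sha1 aes128-sha1; next; end; config router ospf; config network;"
       " edit 1; set prefix 10.10.101.0 255.255.255.0; next; end; end")
WEAK = {"des", "3des", "md5"}  # deprecated primitives worth flagging in any proposal

def parse_fortios(text):
    # Assumed minimal flattener: config/edit push a path element, next/end pop one.
    stack, out = [], {}
    for words in (s.replace('"', "").split() for s in text.replace("\n", ";").split(";")):
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words[1:]))
        elif words[0] in ("next", "end"):
            stack.pop()
        elif words[0] == "set":
            out["/".join(stack + [words[1]])] = words[2:]
    return out

def check_pair(server_text, client_text):
    """Return findings for the dial-up server/client pair; [] means consistent."""
    s, c = parse_fortios(server_text), parse_fortios(client_text)
    p1, findings = "vpn ipsec phase1-interface/dial-up/", []
    start, end = (ipaddress.ip_address(s[p1 + k][0]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
    for name, cfg in (("FortiGate 1", s), ("FortiGate 2", c)):
        # The OSPF network must cover the mode-cfg pool, or no adjacency forms over the tunnel.
        net = ipaddress.ip_network("/".join(cfg["router ospf/network/1/prefix"]))
        if start not in net or end not in net:
            findings.append(f"{name}: OSPF network {net} does not cover {start}-{end}")
        for key, val in cfg.items():
            if key.endswith("/add-route") and val != ["disable"]:  # OSPF owns routing here
                findings.append(f"{name}: {key} must be disable")
            if key.endswith("/proposal"):
                findings += [f"{name}: weak proposal {p} in {key}"
                             for p in val if WEAK & set(p.split("-"))]
    sp = set(s["vpn ipsec phase2-interface/dial-up-p2/proposal"])
    cp = set(c["vpn ipsec phase2-interface/dial-up-client/proposal"])
    if not sp & cp:
        findings.append("phase 2 proposals do not overlap; the SA cannot be negotiated")
    return findings
```

Run against the page's own values, the only findings are the four 3des-sha1 proposals; replacing them with an AES/SHA-2 proposal on both sides clears the report.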

Verifying the tunnel is up

Go to VPN > Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

  1. From FortiGate 1, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
  2. From FortiGate 1, go to System > Status. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

  3. From FortiGate 2, go to Router > Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
  4. From FortiGate 2, go to System > Status. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor