Fortinet Document Library

Cookbook

Adding addresses to the tunnel interfaces

BGP peers over the IPsec VPN tunnel interfaces, so each tunnel interface needs an IP address. The ADVPN feature, enabled on the phase1-interface with set auto-discovery-sender enable, allows FortiOS to establish a point-to-multipoint connection to each branch FortiGate.

The IPsec VPN tunnel interface ip is the address on the data center side that the branch tunnels connect to, and remote-ip is set to the highest unused IP address in the tunnel subnet, written with that subnet's mask. This adds two host routes (one per tunnel interface) to the FortiGate's routing table that point directly back to the branch FortiGate.

The IPsec VPN interface configuration includes:
  • Setting the ip to <vpn interface ip> 255.255.255.255 (a single host address, not the tunnel subnet)
  • Setting type to tunnel
  • Setting remote-ip to the highest unused IP address in the VPN subnet, with the subnet mask (for example /24)
  • Setting allowaccess to ping only, so that an administrator can confirm that a point-to-point tunnel has been established between the data center FortiGate and the branch FortiGate. Do not add management services such as https or ssh to allowaccess on the tunnel interface.

config system interface
    edit "vpn-br1-1"
        set vdom "root"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254/24
        set interface "port1"
    next
    edit "vpn-br1-2"
        set vdom "root"
        set ip 10.254.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.1.254/24
        set interface "port2"
    next
end
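The following script is an added example written for this page, not Fortinet code. It parses a config system interface block (the one nesting level used above) and checks each entry against the rules stated in this section: type tunnel, ip with a 255.255.255.255 mask, remote-ip equal to the highest address in the tunnel subnet with the local ip inside that subnet, and allowaccess limited to ping. The sample configuration embedded in it is constructed: the first entry matches the documented settings, and the second is deliberately misconfigured (a remote-ip that is not the highest address, and https/ssh exposed on the tunnel) so that the checks report something.

```python
"""Lint FortiOS 'config system interface' tunnel entries against the rules
described in this section. Example code for this page, not Fortinet's."""
import ipaddress
import re

# Constructed sample (not from the page): vpn-br1-1 follows the documented
# settings; vpn-br1-2 deliberately uses a non-highest remote-ip and exposes
# management services on the tunnel so the checks have something to report.
SAMPLE_CONFIG = """\
config system interface
    edit "vpn-br1-1"
        set vdom "root"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254/24
        set interface "port1"
    next
    edit "vpn-br1-2"
        set vdom "root"
        set ip 10.254.1.1 255.255.255.255
        set allowaccess ping https ssh
        set type tunnel
        set remote-ip 10.254.1.250/24
        set interface "port2"
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_system_interfaces(text):
    """Return {name: {setting: [values]}} for each 'edit' entry inside a
    'config system interface' block. Quotes around values are stripped."""
    interfaces = {}
    current = None
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped == "end":
            break
        m = _EDIT_RE.match(line)
        if m:
            current = {}
            interfaces[m.group(1)] = current
            continue
        if stripped == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            key, raw = m.groups()
            current[key] = [v.strip('"') for v in raw.split()]
    return interfaces


def highest_usable(network):
    """Highest host address of a subnet; /31 and /32 have no separate
    broadcast address, so the broadcast address itself is used there."""
    if network.prefixlen >= 31:
        return network.broadcast_address
    return network.broadcast_address - 1


def check_tunnel_interface(name, iface):
    """Return a list of findings; an empty list means the entry follows the rules."""
    findings = []
    if iface.get("type") != ["tunnel"]:
        findings.append(f"{name}: type must be tunnel")
    local = None
    ip_vals = iface.get("ip", [])
    try:
        if len(ip_vals) != 2:
            raise ValueError
        local = ipaddress.ip_interface(f"{ip_vals[0]}/{ip_vals[1]}")
        if local.network.prefixlen != 32:
            findings.append(f"{name}: ip must use a 255.255.255.255 mask")
    except ValueError:
        findings.append(f"{name}: ip must be '<address> 255.255.255.255'")
    remote_vals = iface.get("remote-ip", [])
    try:
        remote = ipaddress.ip_interface(remote_vals[0])
        expected = highest_usable(remote.network)
        if remote.ip != expected:
            findings.append(f"{name}: remote-ip {remote.ip} is not the highest "
                            f"address in {remote.network} (expected {expected})")
        if local is not None and local.ip not in remote.network:
            findings.append(f"{name}: ip {local.ip} is outside the tunnel subnet {remote.network}")
    except (IndexError, ValueError):
        findings.append(f"{name}: remote-ip must be '<address>/<prefix>' inside the tunnel subnet")
    # Only ping belongs on the tunnel interface; anything else is management exposure.
    extra = set(iface.get("allowaccess", [])) - {"ping"}
    if extra:
        findings.append(f"{name}: allowaccess exposes {' '.join(sorted(extra))} on the tunnel; keep it to ping")
    return findings


def audit_config(text):
    """Run the tunnel checks over every interface entry in the config text."""
    return {name: check_tunnel_interface(name, iface)
            for name, iface in parse_system_interfaces(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Running the script on a configuration exported with show system interface is enough to catch the two mistakes the section warns against: a remote-ip that does not sit at the top of the tunnel subnet, and management services left enabled on a tunnel interface.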
