Handbook

6.0.0

Configuration

This section includes the procedures for setting up redundant secure communication between two remote networks: two IPsec VPN tunnels over separate WAN links, with Open Shortest Path First (OSPF) routing selecting the primary tunnel and failing over to the secondary tunnel when the primary link goes down.

Creating redundant IPsec tunnels on FortiGate 1

  1. Go to VPN > IPsec Tunnels.
  2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).
  3. Set the following:

     Remote Gateway: Static IP Address
     IP Address: FortiGate 2’s wan1 IP
     Local Interface: wan1 (the primary Internet-facing interface)
     Pre-shared Key: enter a pre-shared key (the same key must be entered on FortiGate 2)

  4. Go to VPN > IPsec Tunnels.
  5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
  6. Set the following:

     Remote Gateway: Static IP Address
     IP Address: FortiGate 2’s wan2 IP
     Local Interface: wan2 (the secondary Internet-facing interface)
     Pre-shared Key: enter a pre-shared key (the same key must be entered on FortiGate 2)

Configuring IP addresses and OSPF on FortiGate 1

  1. Go to Network > Interfaces.
  2. Select the arrow for wan1 to expand the list.
  3. Edit the primary tunnel interface and set its IP addresses:

     IP: 10.1.1.1
     Remote IP: 10.1.1.2

  4. Select the arrow for wan2 to expand the list.
  5. Edit the secondary tunnel interface and set its IP addresses:

     IP: 10.2.1.1
     Remote IP: 10.2.1.2

  6. Go to Network > OSPF and enter the Router ID for FortiGate 1.
  7. Select Create New in the Area section.
  8. Add the backbone area of 0.0.0.0.
  9. Select Create New in the Networks section.
  10. Create the networks (the subnet behind FortiGate 1 and the two tunnel subnets) and select Area 0.0.0.0 for each one.
  11. Select Create New in the Interfaces section.
  12. Create primary and secondary tunnel interfaces.
  13. Set a Cost of 10 for the primary interface and 100 for the secondary interface, so that OSPF prefers the primary tunnel while the secondary tunnel is also up.

Configuring firewall addresses on FortiGate 1

  1. Go to Policy & Objects > Addresses.
  2. Create or edit address objects for the subnets behind FortiGate 1 and FortiGate 2.
  3. Create or edit address objects for the primary and secondary tunnel interface IPs of FortiGate 2.

Configuring security policies on FortiGate 1

  1. Go to Policy & Objects > IPv4 Policy.
  2. Create the four security policies required for both FortiGate 1’s primary and secondary tunnel interfaces to connect to FortiGate 2’s primary and secondary tunnel interfaces: an outbound (LAN to tunnel) and an inbound (tunnel to LAN) policy for the primary tunnel interface, and the same pair for the secondary tunnel interface.
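
The address objects and the four policies for FortiGate 1 as a FortiOS CLI script. This is an added example, not configuration from the Fortinet handbook; it assumes a LAN interface named "internal", tunnel interfaces named "primary" and "secondary", and the subnets 10.20.1.0/24 (behind FortiGate 1) and 10.21.1.0/24 (behind FortiGate 2). The policies match on the two LAN subnets, which is the traffic that actually crosses the tunnels; the extra address objects for FortiGate 2's tunnel interface IPs from the step above are not needed for these four policies.

```fortios
# Added example, not from the Fortinet handbook: address objects and the four
# policies on FortiGate 1. Assumed names: LAN interface "internal", tunnel
# interfaces "primary" and "secondary", subnets 10.20.1.0/24 (behind
# FortiGate 1) and 10.21.1.0/24 (behind FortiGate 2).
config firewall address
    edit "FG1-subnet"
        set subnet 10.20.1.0 255.255.255.0
    next
    edit "FG2-subnet"
        set subnet 10.21.1.0 255.255.255.0
    next
end

# Policies are scoped to the two subnets rather than "all"; narrow "service"
# further to what the two sites actually exchange.
config firewall policy
    edit 1
        set name "lan-to-primary"
        set srcintf "internal"
        set dstintf "primary"
        set srcaddr "FG1-subnet"
        set dstaddr "FG2-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "primary-to-lan"
        set srcintf "primary"
        set dstintf "internal"
        set srcaddr "FG2-subnet"
        set dstaddr "FG1-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "lan-to-secondary"
        set srcintf "internal"
        set dstintf "secondary"
        set srcaddr "FG1-subnet"
        set dstaddr "FG2-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "secondary-to-lan"
        set srcintf "secondary"
        set dstintf "internal"
        set srcaddr "FG2-subnet"
        set dstaddr "FG1-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because OSPF, not the policies, decides which tunnel carries a flow, both pairs must exist before failover is tested; a missing secondary pair shows up only when the primary tunnel is already down.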

Creating redundant IPsec tunnels on FortiGate 2

  1. Go to VPN > IPsec Tunnels.
  2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).
  3. Set the following:

     Remote Gateway: Static IP Address
     IP Address: FortiGate 1’s wan1 IP
     Local Interface: wan1 (the primary Internet-facing interface)
     Pre-shared Key: enter the same pre-shared key used for the primary tunnel on FortiGate 1

  4. Go to VPN > IPsec Tunnels.
  5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
  6. Set the following:

     Remote Gateway: Static IP Address
     IP Address: FortiGate 1’s wan2 IP
     Local Interface: wan2 (the secondary Internet-facing interface)
     Pre-shared Key: enter the same pre-shared key used for the secondary tunnel on FortiGate 1

Configuring IP addresses and OSPF on FortiGate 2

  1. Go to Network > Interfaces.
  2. Select the arrow for wan1 to expand the list.
  3. Edit the primary tunnel interface and set its IP addresses:

     IP: 10.1.1.2
     Remote IP: 10.1.1.1

  4. Select the arrow for wan2 to expand the list.
  5. Edit the secondary tunnel interface and set its IP addresses:

     IP: 10.2.1.2
     Remote IP: 10.2.1.1

  6. Go to Network > OSPF and enter the Router ID for FortiGate 2 (it must differ from FortiGate 1’s Router ID).
  7. Select Create New in the Area section.
  8. Add the backbone area of 0.0.0.0.
  9. Select Create New in the Networks section.
  10. Create the networks (the subnet behind FortiGate 2 and the two tunnel subnets) and select Area 0.0.0.0 for each one.
  11. Select Create New in the Interfaces section.
  12. Create primary and secondary tunnel interfaces.
  13. Set a Cost of 10 for the primary interface and 100 for the secondary interface, matching the costs on FortiGate 1.

Configuring firewall addresses on FortiGate 2

  1. Go to Policy & Objects > Addresses.
  2. Create or edit address objects for the subnets behind FortiGate 1 and FortiGate 2.
  3. Create or edit address objects for the primary and secondary tunnel interface IPs of FortiGate 1.

Configuring security policies on FortiGate 2

  1. Go to Policy & Objects > IPv4 Policy.
  2. Create the four security policies required for both FortiGate 2’s primary and secondary tunnel interfaces to connect to FortiGate 1’s primary and secondary tunnel interfaces: an outbound (LAN to tunnel) and an inbound (tunnel to LAN) policy for the primary tunnel interface, and the same pair for the secondary tunnel interface.

Results

  1. Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.
  2. Go to Monitor > Routing Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select Apply Filter to verify the OSPF route. The route to the remote subnet should point to the primary tunnel interface (cost = 10).
  3. Verify that traffic flows via the primary tunnel:
    • From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa.
    • From PC1, you should see that the traffic goes through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2.
    • From PC2, you should see that the traffic goes through 10.1.1.1, which is the primary tunnel interface IP set on FortiGate 1.
  4. The VPN between the two OSPF networks now uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection. On the FortiGate whose own link went down the primary route is withdrawn immediately; the peer drops the OSPF adjacency after the dead interval (40 seconds by default) unless dead peer detection brings the tunnel down sooner.
  5. Go to Monitor > IPsec Monitor to verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP.
  6. Go to Monitor > Routing Monitor, type OSPF for the Type and select Apply Filter to verify the routing table on FortiGate 1 and FortiGate 2. The secondary OSPF route (with cost = 100) appears on both FortiGate units.
  7. Verify that traffic flows via the secondary tunnel:
    • From PC1 (10.20.1.100) behind FortiGate 1, run a tracert to PC2 (10.21.1.100) behind FortiGate 2, and vice versa.
    • From PC1, you should see that the traffic goes through 10.2.1.2, which is the secondary tunnel interface IP set on FortiGate 2.
    • From PC2, you should see that the traffic goes through 10.2.1.1, which is the secondary tunnel interface IP set on FortiGate 1.
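
The same checks from the FortiGate 1 CLI, including a way to take wan1 down without unplugging a cable. This is an added example, not part of the Fortinet handbook; it assumes tunnels named "primary" and "secondary" and PC2 at 10.21.1.100.

```fortios
# Added example, not from the Fortinet handbook: CLI checks matching the Results
# steps above, run on FortiGate 1. Assumed names: tunnels "primary" and
# "secondary", PC2 at 10.21.1.100 behind FortiGate 2.

# 1. Tunnel status (the IPsec Monitor equivalent), with SA detail for one tunnel.
get vpn ipsec tunnel summary
diagnose vpn tunnel list name primary

# 2. OSPF adjacency on both tunnel interfaces, then the OSPF routes. Before the
#    failure the route to 10.21.1.0/24 should be via 10.1.1.2 (cost 10 path).
get router info ospf neighbor
get router info routing-table ospf

# 3. Confirm the hellos really cross the tunnel (OSPF is IP protocol 89) and
#    that the forwarding path goes through the primary tunnel.
diagnose sniffer packet primary 'proto 89' 4 3
execute traceroute 10.21.1.100

# 4. Simulate the wan1 failure administratively instead of disconnecting it.
config system interface
    edit "wan1"
        set status down
    next
end

# 5. Repeat the checks: primary tunnel down, secondary up, OSPF route now via
#    10.2.1.2 (cost 100 path), traceroute first hop past the FortiGate 10.2.1.2.
get vpn ipsec tunnel summary
get router info routing-table ospf
execute traceroute 10.21.1.100

# 6. Restore wan1 and confirm the route returns to the primary tunnel.
config system interface
    edit "wan1"
        set status up
    next
end
get router info routing-table ospf
```

The sniffer line is the check worth keeping for later incidents: if the adjacency is down but hellos still arrive on the tunnel interface, the problem is OSPF configuration (area, timers, network type) rather than the IPsec tunnel.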
