Configuration overview
This section shows an example of OSPF routing conducted over an IPsec tunnel between two FortiGate units. The network shown below is a single OSPF area. FortiGate_1 is an Area border router that advertises a static route to 10.22.10.0/24 in OSPF. FortiGate_2 advertises its local LAN as an OSPF internal route.
OSPF over an IPsec VPN tunnel
The section Configuration overview describes the configuration with only one IPsec VPN tunnel, tunnel_wan1. Then, the section Configuration overview describes how you can add a second tunnel to provide a redundant backup path. This is shown above as VPN tunnel “tunnel_wan2”.
Only the parts of the configuration concerned with creating the IPsec tunnel and integrating it into the OSPF network are described. It is assumed that security policies are already in place to allow traffic to flow between the interfaces on each FortiGate unit.
OSPF over IPsec configuration
There are several steps to the OSPF-over-IPsec configuration:
- Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
- Configure a static route to the other FortiGate unit.
- Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.
This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section Configuration overview.
Configuring the IPsec VPN
A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.
Configuring Phase 1
- Define the Phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see Phase 1 parameters.
Enter these settings in particular:
Name |
Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface. |
Remote Gateway |
Select Static IP Address. |
IP Address |
Enter the IP address of the other FortiGate unit’s public (Port 2) interface. |
Local Interface |
Select this FortiGate unit’s public (Port 2) interface. |
Mode |
Select Main (ID Protection). |
Authentication Method |
Preshared Key |
Pre-shared Key |
Enter the preshared key. It must match the preshared key on the other FortiGate unit. |
Advanced |
Select Advanced. |
Assigning the tunnel end IP addresses
- Go to Network > Interfaces, select the virtual IPsec interface that you just created on Port 2 and select Edit.
- In the IP and Remote IP fields, enter the following tunnel end addresses:
|
FortiGate_1 |
FortiGate_2 |
---|---|---|
IP |
10.1.1.1 |
10.1.1.2 |
Remote_IP |
10.1.1.2 |
10.1.1.1 |
These addresses are from a network that is not used for anything else.
Configuring Phase 2
- Enter a name to identify this Phase 2 configuration, twan1_p2, for example.
- Select the name of the Phase 1 configuration that you defined in Step Configuration overview, tunnel_wan1 for example.
Configuring static routing
You need to define the route for traffic leaving the external interface.
- Go to Network > Static Routes, select Create New.
- Enter the following information.
Destination IP/Mask |
Leave as 0.0.0.0 0.0.0.0. |
Device |
Select the external interface. |
Gateway |
Enter the IP address of the next hop router. |
Configuring OSPF
This section does not attempt to explain OSPF router configuration. It focusses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.
This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address.The loopback interface ensures the router is always up. Even though technically the router ID doesn’t have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.
The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border router that advertises its static default route. FortiGate_2 advertises its local LAN as an OSPF internal route.
Setting the router ID for each FortiGate unit to the lowest possible value is useful if you want the FortiGate units to be the designated router (DR) for their respective ASes. This is the router that broadcasts the updates for the AS.
Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes will be advertised, and it will not be limited to any specific subnet. For example if this IP address was 10.1.0.0, then only routes that match that subnet will be advertised through this interface in OSPF.
FortiGate_1 OSPF configuration
When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.
With the exception of creating the loopback interface, OSPF for this example can all be configured in either the GUI or CLI.
Creating the loopback interface
A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:
config system interface
edit lback1
set vdom root
set ip 10.0.0.1 255.255.255.255
set type loopback
end
The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.
Configuring OSPF area, networks, and interfaces - GUI
- On FortiGate_1, go to Network > OSPF.
- Enter the following information to define the router, area, and interface information.
- For Networks, select Create New.
- Enter the IP/Netmask of
10.1.1.0/255.255.255.0
and an Area of0.0.0.0
. - For Networks, select Create New.
- Enter the IP/Netmask of
10.0.0.1/255.255.255.0
and an Area of0.0.0.0
. - Select Apply.
Router ID |
Enter |
Advanced Options |
|
---|---|
Redistribute |
Select the Connected and Static check boxes. Use their default metric values. |
Areas |
Select Create New, enter the Area and Type and then select OK. |
Area |
0.0.0.0 |
Type |
Regular |
Interfaces |
Enter a name for the OSPF interface, ospf_wan1 for example. |
Name |
|
Interface |
Select the virtual IPsec interface, tunnel_wan1. |
IP |
0.0.0.0 |
Configuring OSPF area and interfaces - CLI
Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1
. Enter the following CLI commands:
config router ospf
set router-id 10.0.0.1
config area
edit 0.0.0.0
end
config network
edit 4
set prefix 10.1.1.0 255.255.255.0
next
edit 2
set prefix 10.0.0.1 255.255.255.255
end
config ospf-interface
edit ospf_wan1
set cost 10
set interface tunnel_wan1
set network-type point-to-point
end
config redistribute connected
set status enable
end
config redistribute static
set status enable
end
end
FortiGate_2 OSPF configuration
When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.
Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined instead of two. The third interface is the local LAN that will be advertised into OSPF.
With the exception of creating the loopback interface, OSPF for this example can all be configured in either the GUI or CLI.
Creating the loopback interface
A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.2, you would enter:
config system interface
edit lback1
set vdom root
set ip 10.0.0.2 255.255.255.255
set type loopback
end
The loopback addresses on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.
Configuring OSPF area and interfaces - GUI
- On FortiGate_2, go to Network > OSPF.
- Complete the following.
- For Networks, select Create New.
- Enter the following information for the loopback interface:
- For Networks, select Create New.
- Enter the following information for the tunnel interface:
- For Networks, select Create New.
- Enter the following information for the local LAN interface:
- Select Apply.
Router ID |
10.0.0.2 |
Areas |
Select Create New, enter the Area and Type and then select OK. |
Area |
|
Type |
Regular |
Interfaces |
|
Name |
Enter a name for the OSPF interface, ospf_wan1 for example. |
Interface |
Select the virtual IPsec interface, tunnel_wan1. |
IP |
|
IP/Netmask | 10.0.0.2/255.255.255.255
|
Area | 0.0.0.0
|
IP/Netmask |
10.1.1.0 |
Area |
|
IP/Netmask |
10.31.101.0 |
Area |
|
Configuring OSPF area and interfaces - CLI
If for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter:
config router ospf
set router-id 10.0.0.2
config area
edit 0.0.0.0
end
config network
edit 1
set prefix 10.1.1.0 255.255.255.0
next
edit 2
set prefix 10.31.101.0 255.255.255.0
next
edit 2
set prefix 10.0.0.2 255.255.255.255
end
config ospf-interface
edit ospf_wan1
set interface tunnel_wan1
set network-type point-to-point
end
end
Creating a redundant configuration
You can improve the reliability of the OSPF over IPsec configuration described in the previous section by adding a second IPsec tunnel to use if the default one goes down. Redundancy in this case is not controlled by the IPsec VPN configuration but by the OSPF routing protocol.
To do this you:
- Create a second route-based IPsec tunnel on a different interface and define tunnel end addresses for it.
- Add the tunnel network as part of the OSPF network and define the virtual IPsec interface as an additional OSPF interface.
- Set the OSPF cost for the added OSPF interface to be significantly higher than the cost of the default route.
Adding the second IPsec tunnel
The configuration is the same as in Configuring the IPsec VPN, but the interface and addresses will be different. Ideally, the network interface you use is connected to a different Internet service provider for added redundancy.
When adding the second tunnel to the OSPF network, choose another unused subnet for the tunnel ends, 10.1.2.1 and 10.1.2.2 for example.
Adding the OSPF interface
OSPF uses the metric called cost when determining the best route, with lower costs being preferred. Up to now in this example, only the default cost of 10 has been used. Cost can be set only in the CLI.
The new IPsec tunnel will have its OSPF cost set higher than that of the default tunnel to ensure that it is only used if the first tunnel goes down. The new tunnel could be set to a cost of 200 compared to the default cost is 10. Such a large difference in cost will ensure this new tunnel will only be used as a last resort.
If the new tunnel is called tunnel_wan2, you would enter the following on both FortiGate units:
config router ospf
config ospf-interface
edit ospf_wan2
set cost 200
set interface tunnel_wan2
set network-type point-to-point
end
end