
Handbook

BGP over dynamic IPsec

6.0.0

BGP over dynamic IPsec

The following example shows how to build a dialup (dynamic) IPsec VPN tunnel between two FortiGates and run eBGP across it. FortiGate 1 is the dialup server (phase 1 type dynamic, identifying the peer by its ID), and FortiGate 2 initiates the tunnel to FortiGate 1's WAN address. BGP peers between loopback interfaces (20.20.20.20 on FortiGate 1, 10.10.10.10 on FortiGate 2), so the session is multihop and each loopback must be reachable through the tunnel: on FortiGate 1 the phase 2 destination selector VPN_DST includes the remote loopback, and FortiGate 2 gets a static route to 20.20.20.20 via the tunnel interface.

Two settings in the example deserve attention before reuse. Aggressive mode is used because IKEv1 with a pre-shared key can only match a peer ID (peerid/localid dial) in aggressive mode; it sends the identities in the clear and exposes the pre-shared key to offline guessing, so use a long random key (the value after set psksecret is omitted below and must be identical on both sides). The 3des-sha1 proposal is deprecated; remove it where both peers support aes128-sha1.

Configuring IPsec on FortiGate 1

  1. Go to Policy & Objects > Addresses, select Create New > Address, and create an address for the remote loopback:

    Name: Remote_loop_int
    Type: Subnet
    Subnet/IP Range: 10.10.10.10
    Interface: any

  2. Create an Address Group:

    Group Name: VPN_DST
    Show in Address List: enable
    Members: Remote_loop_int, all

  3. Go to Dashboard and enter the CLI Console widget.
  4. Create phase 1:

    config vpn ipsec phase1-interface
        edit Dialup
            set type dynamic
            set interface wan1
            set mode aggressive
            set peertype one
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set peerid dial
            set assign-ip disable
            set psksecret
        next
    end

  5. Create phase 2:

    config vpn ipsec phase2-interface
        edit dial_p2
            set phase1name Dialup
            set proposal 3des-sha1 aes128-sha1
            set src-addr-type name
            set dst-addr-type name
            set src-name all
            set dst-name VPN_DST
        next
    end

Configuring BGP on FortiGate 1

  1. Go to Network > Interfaces and create a Loopback interface named loop (the BGP configuration below refers to it by this name).
  2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.
  3. Go to Dashboard and enter the CLI Console widget.
  4. Configure BGP, peering with FortiGate 2's loopback address. The loopbacks are not on a shared subnet, so the eBGP session must be allowed to be multihop and must be sourced from the local loopback:

    config router bgp
        set as 100
        set router-id 1.1.1.1
        config neighbor
            edit 10.10.10.10
                set ebgp-enforce-multihop enable
                set remote-as 200
                set update-source loop
            next
        end
        config redistribute connected
            set status enable
        end
    end

Adding policies on FortiGate 1

  1. Go to Policy & Objects > IPv4 Policy and create a policy with Incoming Interface Dialup and Outgoing Interface loop that allows BGP traffic (TCP port 179).
  2. Go to Policy & Objects > IPv4 Policy and create the reverse policy, Incoming Interface loop and Outgoing Interface Dialup, allowing BGP traffic.

Configuring IPsec on FortiGate 2

  1. Go to Dashboard and enter the CLI Console widget.
  2. Create phase 1. FortiGate 2 is the initiator: remote-gw is FortiGate 1's wan1 address, and localid must match the peerid configured on FortiGate 1:

    config vpn ipsec phase1-interface
        edit Dialup
            set interface wan1
            set mode aggressive
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set localid dial
            set remote-gw 172.20.120.22
            set assign-ip disable
            set psksecret
        next
    end

  3. Create phase 2:

    config vpn ipsec phase2-interface
        edit dial_p2
            set phase1name Dialup
            set proposal 3des-sha1 aes128-sha1
            set keepalive enable
        next
    end

Configuring BGP on FortiGate 2

  1. Go to Network > Interfaces and create a Loopback interface named loop.
  2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.
  3. Go to Dashboard and enter the CLI Console widget.
  4. Configure BGP, peering with FortiGate 1's loopback address:

    config router bgp
        set as 200
        set router-id 1.1.1.2
        config neighbor
            edit 20.20.20.20
                set ebgp-enforce-multihop enable
                set remote-as 100
                set update-source loop
            next
        end
        config redistribute connected
            set status enable
        end
    end

Adding policies on FortiGate 2

  1. Go to Policy & Objects > IPv4 Policy and create a policy with Incoming Interface Dialup and Outgoing Interface loop that allows BGP traffic (TCP port 179).
  2. Go to Policy & Objects > IPv4 Policy and create the reverse policy, Incoming Interface loop and Outgoing Interface Dialup, allowing BGP traffic.

Adding a static route on FortiGate 2

FortiGate 2 must be able to reach FortiGate 1's loopback through the tunnel, otherwise the BGP session to 20.20.20.20 cannot establish. Go to Network > Static Routes and add a host route to the remote Loopback interface via the Dialup interface:

Destination IP/Mask: 20.20.20.20/255.255.255.255
Device: Dialup
Administrative Distance: 10
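The two peers above must agree on several values that the page sets in separate places: each side's BGP neighbor is the other side's loopback, the remote-as values are swapped, peerid on FortiGate 1 equals localid on FortiGate 2, and FortiGate 2's static route targets FortiGate 1's loopback. The following added example (not FortiOS code and not from the Fortinet page) models those couplings as a consistency check and also flags the deprecated 3des-sha1 proposal. The loopback interface name loop and the class and function names are this example's assumptions; the pre-shared key cannot be checked because its value is omitted on the page.

```python
"""Consistency check for the two-FortiGate BGP-over-dialup-IPsec setup.

Added example, not FortiOS code and not from the Fortinet page: it models the
values the two peers must agree on and reports the mismatches that leave the
tunnel up but the BGP session stuck. Values below are copied from the page.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PeerConfig:
    name: str
    local_as: int
    router_id: str
    loopback_ip: str                 # address of the interface named "loop" (assumed name)
    proposals: List[str]             # IKE/IPsec proposals as typed in the CLI
    bgp_neighbor: str                # "edit <ip>" under "config neighbor"
    bgp_remote_as: int
    ebgp_multihop: bool              # set ebgp-enforce-multihop enable
    update_source: str               # set update-source <interface>
    peerid: str = ""                 # dialup server: set peerid
    localid: str = ""                # dialup client: set localid
    static_route_dest: str = ""      # dialup client: /32 to the remote loopback via Dialup


# Proposals a practitioner should no longer accept; 3DES is deprecated.
WEAK_PROPOSALS = {"des-md5", "des-sha1", "3des-md5", "3des-sha1"}


def check_pair(server: PeerConfig, client: PeerConfig) -> List[str]:
    """Return findings for the dialup server and initiator; an empty list means consistent."""
    findings = []
    # eBGP over loopbacks: each side peers with the other's loopback and AS.
    if server.bgp_neighbor != client.loopback_ip:
        findings.append(f"{server.name}: neighbor {server.bgp_neighbor} is not {client.name}'s loopback {client.loopback_ip}")
    if client.bgp_neighbor != server.loopback_ip:
        findings.append(f"{client.name}: neighbor {client.bgp_neighbor} is not {server.name}'s loopback {server.loopback_ip}")
    if server.bgp_remote_as != client.local_as:
        findings.append(f"{server.name}: remote-as {server.bgp_remote_as} != {client.name} AS {client.local_as}")
    if client.bgp_remote_as != server.local_as:
        findings.append(f"{client.name}: remote-as {client.bgp_remote_as} != {server.name} AS {server.local_as}")
    if server.router_id == client.router_id:
        findings.append(f"router-id {server.router_id} is used by both peers")
    # Loopbacks are never directly connected, so multihop and update-source are mandatory.
    for peer in (server, client):
        if not peer.ebgp_multihop:
            findings.append(f"{peer.name}: ebgp-enforce-multihop must be enabled for loopback peering")
        if peer.update_source != "loop":
            findings.append(f"{peer.name}: update-source is {peer.update_source!r}, expected the loopback 'loop'")
        weak = sorted(set(peer.proposals) & WEAK_PROPOSALS)
        if weak:
            findings.append(f"{peer.name}: weak proposal(s) {', '.join(weak)} should be removed")
    # Dialup identity: the server's peerid must equal the client's localid.
    if server.peerid != client.localid:
        findings.append(f"peerid {server.peerid!r} on {server.name} does not match localid {client.localid!r} on {client.name}")
    # The initiator needs a host route to the server loopback through the tunnel.
    expected = f"{server.loopback_ip}/32"
    if client.static_route_dest != expected:
        findings.append(f"{client.name}: static route {client.static_route_dest!r} should be {expected} via Dialup")
    return findings


def page_example() -> List[str]:
    """The two peers exactly as configured on the page."""
    fgt1 = PeerConfig("FortiGate 1", 100, "1.1.1.1", "20.20.20.20",
                      ["3des-sha1", "aes128-sha1"], "10.10.10.10", 200, True, "loop",
                      peerid="dial")
    fgt2 = PeerConfig("FortiGate 2", 200, "1.1.1.2", "10.10.10.10",
                      ["3des-sha1", "aes128-sha1"], "20.20.20.20", 100, True, "loop",
                      localid="dial", static_route_dest="20.20.20.20/32")
    return check_pair(fgt1, fgt2)


def typo_example() -> List[str]:
    """Same setup with a hypothetical typo in the client's localid (constructed failure case)."""
    fgt1 = PeerConfig("FortiGate 1", 100, "1.1.1.1", "20.20.20.20",
                      ["aes128-sha1"], "10.10.10.10", 200, True, "loop", peerid="dial")
    fgt2 = PeerConfig("FortiGate 2", 200, "1.1.1.2", "10.10.10.10",
                      ["aes128-sha1"], "20.20.20.20", 100, True, "loop",
                      localid="dail", static_route_dest="20.20.20.20/32")
    return check_pair(fgt1, fgt2)


if __name__ == "__main__":
    for finding in page_example() + typo_example():
        print(finding)
```

Run as written, the page's own values produce only the two weak-proposal findings; the constructed typo case shows how a single-character mismatch between peerid and localid is reported, which on a real device would surface as a phase 1 that never completes.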

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

  1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
  2. From FortiGate 1, go to Dashboard, enter the CLI Console widget, and type this command to verify BGP neighbors:

    get router info bgp summary

  3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
  4. From FortiGate 2, go to Dashboard, enter the CLI Console widget, and type the same command:

    get router info bgp summary
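The summary command prints one row per neighbor; the session is established when the last column (State/PfxRcd) holds a prefix count, and shows the BGP state name (Active, Idle, Connect) otherwise. The following added example (not FortiOS code and not from the Fortinet page) parses that table from two constructed outputs, one with the session to FortiGate 2 established and one where FortiGate 1 can still not reach the remote loopback, and turns the result into pass/fail checks a practitioner could run over output pasted from the CLI Console. The sample text is constructed to follow the command's table layout and is not captured from a device; the function names are this example's.

```python
"""Parse FortiOS `get router info bgp summary` output and check the expected peer.

Added example, not FortiOS code and not from the Fortinet page. The sample
outputs are constructed to match the command's table layout, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: FortiGate 1 with the session to FortiGate 2 established.
SAMPLE_ESTABLISHED = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4        200      12      14        2    0    0 00:08:33        1

Total number of neighbors 1
"""

# Constructed sample: tunnel up but no route to the remote loopback, so the
# State/PfxRcd column shows the FSM state instead of a prefix count.
SAMPLE_ACTIVE = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4        200       0       0        0    0    0 never    Active

Total number of neighbors 1
"""


@dataclass
class NeighborStatus:
    neighbor: str
    remote_as: int
    up_down: str
    established: bool
    prefixes_received: Optional[int]   # None unless established
    state: str                         # "Established" or the state name shown


def parse_bgp_summary(text: str) -> Dict[str, NeighborStatus]:
    """Return the neighbor table keyed by neighbor address."""
    result: Dict[str, NeighborStatus] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header row: data rows follow
            continue
        if not in_table or not line.strip() or line.startswith("Total"):
            continue
        cols = line.split()
        # Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        if len(cols) < 10:
            continue
        last = cols[9]
        if last.isdigit():
            established, prefixes, state = True, int(last), "Established"
        else:
            established, prefixes, state = False, None, last
        result[cols[0]] = NeighborStatus(cols[0], int(cols[2]), cols[8], established, prefixes, state)
    return result


def check_expected_peer(text: str, neighbor: str, remote_as: int) -> List[str]:
    """Findings for the peer the page configures; an empty list means the session is healthy."""
    status = parse_bgp_summary(text).get(neighbor)
    if status is None:
        return [f"neighbor {neighbor} not configured"]
    findings = []
    if status.remote_as != remote_as:
        findings.append(f"neighbor {neighbor} has AS {status.remote_as}, expected {remote_as}")
    if not status.established:
        findings.append(f"neighbor {neighbor} is {status.state}, not Established; "
                        "check the route to the remote loopback and the Dialup/loop policies")
    elif status.prefixes_received == 0:
        findings.append(f"neighbor {neighbor} is Established but advertised 0 prefixes; "
                        "check redistribute connected on the peer")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_ESTABLISHED, SAMPLE_ACTIVE):
        print(check_expected_peer(sample, "10.10.10.10", 200) or ["ok"])
```

On FortiGate 2 the same check applies with neighbor 20.20.20.20 and remote AS 100. A neighbor stuck in Active while the IPsec Monitor shows the tunnel Up usually means the loopback is not routed through the tunnel or the BGP policies between Dialup and loop are missing.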
