BGP over dynamic IPsec
The following example shows how to create a dynamic IPsec VPN tunnel that allows BGP.
Configuring IPsec on FortiGate 1
- Go to Policy & Objects > Addresses and select Create New > Address.

  Name            | Remote_loop_int
  Type            | Subnet
  Subnet/IP Range | 10.10.10.10
  Interface       | any

- Create an Address Group.

  Group Name           | VPN_DST
  Show in Address List | enable
  Members              | Remote_loop_int

- Go to Dashboard and enter the CLI Console widget.
- Create phase 1:

    config vpn ipsec phase1-interface
        edit Dialup
            set type dynamic
            set interface wan1
            set mode aggressive
            set peertype one
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set peerid dial
            set assign-ip disable
            set psksecret
        next
    end

- Create phase 2:

    config vpn ipsec phase2-interface
        edit dial_p2
            set phase1name Dialup
            set proposal 3des-sha1 aes128-sha1
            set src-addr-type name
            set dst-addr-type name
            set src-name all
            set dst-name VPN_DST
        next
    end
Configuring BGP on FortiGate 1
- Go to Network > Interfaces and create a Loopback interface.
- Set IP/Network Mask to 20.20.20.20/255.255.255.255.
- Go to Dashboard and enter the CLI Console widget.
- Create a BGP route:

    config router bgp
        set as 100
        set router-id 1.1.1.1
        config neighbor
            edit 10.10.10.10
                set ebgp-enforce-multihop enable
                set remote-as 200
                set update-source loop
            next
        end
        config redistribute connected
            set status enable
        end
    end
Adding policies on FortiGate 1
- Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.
- Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.
Configuring IPsec on FortiGate 2
- Go to Dashboard and enter the CLI Console widget.
- Create phase 1:

    config vpn ipsec phase1-interface
        edit Dialup
            set interface wan1
            set mode aggressive
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set localid dial
            set remote-gw 172.20.120.22
            set assign-ip disable
            set psksecret
        next
    end

- Create phase 2:

    config vpn ipsec phase2-interface
        edit dial_p2
            set phase1name Dialup
            set proposal 3des-sha1 aes128-sha1
            set keepalive enable
        next
    end
Configuring BGP on FortiGate 2
- Go to Network > Interfaces and create a Loopback interface.
- Set IP/Network Mask to 10.10.10.10/255.255.255.255.
- Go to Dashboard and enter the CLI Console widget.
- Create a BGP route:

    config router bgp
        set as 200
        set router-id 1.1.1.2
        config neighbor
            edit 20.20.20.20
                set ebgp-enforce-multihop enable
                set remote-as 100
                set update-source loop
            next
        end
        config redistribute connected
            set status enable
        end
    end
Adding policies on FortiGate 2
- Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces.
- Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.
Adding a static route on FortiGate 2
Go to Network > Static Routes and add a route to the remote Loopback interface via the Dialup interface.

  Destination IP/Mask     | 20.20.20.20/255.255.255.255
  Device                  | Dialup
  Administrative Distance | 10
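As an added check that is not part of the Fortinet recipe, the script below parses FortiOS CLI blocks of the form used above (config / edit / set / next / end) into nested dicts and verifies the values that must mirror each other on the two FortiGates: peerid on FortiGate 1 against localid on FortiGate 2, a phase 1 proposal offered by both sides, and on each side a BGP neighbor entry for the other's loopback that names the other's AS and has multihop enabled. The configuration text is constructed from the page: PLACEHOLDER_PSK stands in for the pre-shared key, and the loopback addresses are taken from the GUI steps because they do not appear in the CLI blocks.

```python
"""Consistency check for the two FortiGate configurations in this recipe.

Added example, not Fortinet's code. Parses FortiOS CLI blocks into nested
dicts and checks the values that must mirror each other on the two peers.
Config text is constructed from the page; the PSK is a placeholder and the
loopback addresses come from the GUI steps (they are not in the CLI blocks).
"""
import shlex

FGT1 = """\
config vpn ipsec phase1-interface
    edit Dialup
        set type dynamic
        set proposal 3des-sha1 aes128-sha1
        set peerid dial
        set psksecret PLACEHOLDER_PSK
    next
end
config router bgp
    set as 100
    config neighbor
        edit 10.10.10.10
            set ebgp-enforce-multihop enable
            set remote-as 200
        next
    end
end
"""
FGT2 = """\
config vpn ipsec phase1-interface
    edit Dialup
        set proposal 3des-sha1 aes128-sha1
        set localid dial
        set psksecret PLACEHOLDER_PSK
    next
end
config router bgp
    set as 200
    config neighbor
        edit 20.20.20.20
            set ebgp-enforce-multihop enable
            set remote-as 100
        next
    end
end
"""
FGT1_LOOPBACK, FGT2_LOOPBACK = "20.20.20.20", "10.10.10.10"


def parse_fortios(text):
    """Nested dicts: config tables keyed by their path, edit entries by name."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            # Single values stay str; multi-value options such as proposal become lists.
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected FortiOS CLI line: {raw!r}")
    return root


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_pairing(cfg1, loop1, cfg2, loop2):
    """Return mismatches between the two peers; an empty list means consistent."""
    p1 = cfg1["vpn ipsec phase1-interface"]["Dialup"]
    p2 = cfg2["vpn ipsec phase1-interface"]["Dialup"]
    problems = []
    # The dynamic (listening) side accepts the dialer only if localid matches peerid.
    if p1.get("peerid") != p2.get("localid"):
        problems.append("phase1: peerid on FortiGate 1 != localid on FortiGate 2")
    # IKE negotiation needs at least one proposal offered by both sides.
    if not set(as_list(p1["proposal"])) & set(as_list(p2["proposal"])):
        problems.append("phase1: no common proposal")
    # Each side peers with the other's loopback, names the other's AS, and must
    # allow multihop because the loopbacks are not on a shared subnet.
    sides = (("FortiGate 1", cfg1["router bgp"], loop2, cfg2["router bgp"]["as"]),
             ("FortiGate 2", cfg2["router bgp"], loop1, cfg1["router bgp"]["as"]))
    for side, bgp, peer_loop, peer_as in sides:
        nbr = bgp["neighbor"].get(peer_loop)
        if nbr is None:
            problems.append(f"{side}: no BGP neighbor {peer_loop}")
            continue
        if nbr.get("remote-as") != peer_as:
            problems.append(f"{side}: remote-as {nbr.get('remote-as')} != peer AS {peer_as}")
        if nbr.get("ebgp-enforce-multihop") != "enable":
            problems.append(f"{side}: ebgp-enforce-multihop must be enabled for loopback peering")
    return problems
```

Running `check_pairing(parse_fortios(FGT1), FGT1_LOOPBACK, parse_fortios(FGT2), FGT2_LOOPBACK)` on the page's values returns an empty list; editing one side (for example a different remote-as or localid) produces a one-line description of the mismatch, which is the kind of check worth running before comparing the two peers by hand.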
Verifying the tunnel is up
Go to Monitor > IPsec Monitor to verify that the tunnel is Up.
Results
- From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
- From FortiGate 1, go to Dashboard.
- Enter the CLI Console widget and type this command to verify BGP neighbors:

    get router info bgp summary

- From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
- From FortiGate 2, go to Dashboard.
- Enter the CLI Console widget and type this command to verify BGP neighbors:

    get router info bgp summary
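To turn the manual check above into something repeatable, the following added example (not Fortinet code) parses the neighbor table of `get router info bgp summary` and compares it with the neighbors the recipe configures. The two command outputs are constructed to match the Zebra-style table FortiOS prints, with the columns Neighbor, V, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ, Up/Down and State/PfxRcd; in that last column a number means the session is Established and counts prefixes received, while a word names the BGP state the session is stuck in. EXPECTED_FGT1 is the neighbor set from FortiGate 1's configuration on this page.

```python
"""Parse 'get router info bgp summary' and decide whether the peering is healthy.

Added example, not Fortinet code. The outputs below are constructed to match
the summary table FortiOS prints; a numeric State/PfxRcd column means the
session is Established, otherwise it names the state (Idle, Active, ...).
"""

SUMMARY_UP = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200      12      14        3    0    0 00:05:21        1

Total number of neighbors 1
"""

# Same router before the tunnel came up: the session never reached Established.
SUMMARY_DOWN = """\
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.10     4   200       0       0        0    0    0 never    Active

Total number of neighbors 1
"""

# Neighbors configured on FortiGate 1 in this recipe: neighbor IP -> remote-as.
EXPECTED_FGT1 = {"10.10.10.10": 200}


def parse_bgp_summary(text):
    """Return {neighbor_ip: {...}} built from the neighbor table of the summary."""
    neighbors, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True  # header row; data rows follow
            continue
        if not in_table or not line.strip() or line.startswith("Total"):
            continue
        cols = line.split()
        if len(cols) != 10:
            raise ValueError(f"unexpected neighbor row: {line!r}")
        last = cols[9]
        established = last.isdigit()
        neighbors[cols[0]] = {
            "as": int(cols[2]),
            "up_down": cols[8],
            "state": "Established" if established else last,
            "prefixes": int(last) if established else 0,
        }
    return neighbors


def check_peers(neighbors, expected):
    """Compare live sessions with the configured neighbor set; empty list = healthy."""
    findings = []
    for ip, remote_as in expected.items():
        n = neighbors.get(ip)
        if n is None:
            findings.append(f"{ip}: missing from summary")
        elif n["as"] != remote_as:
            findings.append(f"{ip}: session AS {n['as']} != configured remote-as {remote_as}")
        elif n["state"] != "Established":
            findings.append(f"{ip}: state {n['state']} (up/down {n['up_down']})")
        elif n["prefixes"] == 0:
            findings.append(f"{ip}: Established but no prefixes received")
    # A session with a peer that is not in the configuration deserves a look.
    for ip in sorted(neighbors.keys() - expected.keys()):
        findings.append(f"{ip}: neighbor not in expected set")
    return findings


if __name__ == "__main__":
    for label, output in (("up", SUMMARY_UP), ("down", SUMMARY_DOWN)):
        print(label, check_peers(parse_bgp_summary(output), EXPECTED_FGT1) or "OK")
```

With the tunnel up the check returns an empty list; against the second output it reports that the neighbor is still in Active state and has never come up, which points back at the tunnel or the firewall policies rather than at the BGP configuration itself. An Established session that has received no prefixes is reported separately, since that usually means redistribution on the far side is missing.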