Adding addresses to the tunnel interfaces
The BGP configuration requires IP addresses assigned to the IPsec VPN tunnel interfaces that BGP peers over. The ADVPN feature, enabled by set auto-discovery-sender enable, allows FortiOS to establish a point-to-multipoint connection to each FortiGate.
The IPsec VPN tunnel interface ip is set to the IP address that the tunnels will connect to, and remote-ip is set to the highest unused IP address that is part of your tunnel network. This adds two host-based routes to the FortiGate’s routing table that point directly back to the branch FortiGate.
The IPsec VPN interface configuration includes:
- Setting the ip to <vpn interface ip> 255.255.255.255
- Setting type to tunnel
- Setting remote-ip to the highest unused IP address in the VPN subnet
- Setting allowaccess to ping to allow for confirmation that a point-to-point tunnel has been established between the data center FortiGate and the branch FortiGate.
config system interface
    edit "vpn-br1-1"
        set vdom "root"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254/24
        set interface "port1"
    next
    edit "vpn-br1-2"
        set vdom "root"
        set ip 10.254.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.1.254/24
        set interface "port2"
    next
end
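As an added sanity check, not part of the Fortinet documentation, the following Python parses a config system interface block and verifies the four settings listed above on each tunnel interface (a /32 host mask on ip, type tunnel, allowaccess including ping, and remote-ip being the highest usable address of its subnet, which is how the .254 in the page's example is read here). The sample config embedded in it is constructed: vpn-br1-1 matches the page, vpn-br1-2 is deliberately misconfigured.

```python
import ipaddress
# Constructed sample (assumption, not from a live device): vpn-br1-1 matches the page;
# vpn-br1-2 is deliberately wrong (/24 mask on ip, no ping, remote-ip not the highest).
SAMPLE_CONFIG = """\
config system interface
    edit "vpn-br1-1"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254/24
    next
    edit "vpn-br1-2"
        set ip 10.254.1.1 255.255.255.0
        set type tunnel
        set remote-ip 10.254.1.200/24
    next
end
"""
def parse_interfaces(text):
    # Return {name: {setting: value}} for each `edit` block in the config text.
    interfaces, current = {}, None
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if parts[0] == "edit":
            current = interfaces.setdefault(parts[1].strip('"'), {})
        elif parts[0] == "next":
            current = None
        elif parts[0] == "set" and len(parts) == 3 and current is not None:
            current[parts[1]] = parts[2].strip('"')
    return interfaces
def check_tunnel_interface(settings):
    # Return a list of problems for one tunnel interface (empty list = OK).
    problems = []
    if settings.get("type") != "tunnel":
        problems.append("type is not tunnel")
    if "ping" not in settings.get("allowaccess", "").split():
        problems.append("allowaccess does not include ping")
    ip_addr, _, ip_mask = settings.get("ip", "").partition(" ")
    if ip_mask != "255.255.255.255":
        problems.append("ip must use a /32 host mask")
    try:
        remote = ipaddress.ip_interface(settings.get("remote-ip", ""))
        if ipaddress.ip_address(ip_addr) not in remote.network:
            problems.append("ip is outside the remote-ip subnet")
        if remote.ip != remote.network[-2]:  # last usable host, e.g. .254 in a /24
            problems.append("remote-ip is not the highest usable address")
    except ValueError:
        problems.append("ip or remote-ip is not a valid address")
    return problems
```

Run it against the output of show system interface from a FortiGate to spot a tunnel interface that would not get the expected /32 host route.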