Adding addresses to the tunnel interfaces
The BGP configuration requires IP addresses assigned to the IPsec VPN tunnel interfaces that BGP peers over. The ADVPN feature enabled by set auto-discovery-sender enable allows FortiOS to establish a point-to-multipoint connection to each FortiGate.

The tunnel interface's ip is set to the address that the branch tunnels connect to, and remote-ip is set to the highest unused IP address in your tunnel network. This adds two host-based routes to the FortiGate's routing table that point directly back to the branch FortiGate.

The IPsec VPN interface configuration includes:
  • Setting the ip to <vpn interface ip> 255.255.255.255
  • Setting type to tunnel
  • Setting remote-ip to the highest unused IP address in the VPN subnet
  • Setting allowaccess to ping to allow for confirmation that a point-to-point tunnel has been established between the data center FortiGate and the branch FortiGate.

config system interface
    edit "vpn-br1-1"
        set vdom "root"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254/24
        set interface "port1"
    next
    edit "vpn-br1-2"
        set vdom "root"
        set ip 10.254.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.1.254/24
        set interface "port2"
    next
end
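As an added check (example code, not Fortinet's), the following Python lint parses a config system interface snippet and verifies the rules this section states for each tunnel interface: a 255.255.255.255 mask on ip, type tunnel, ping in allowaccess, and a remote-ip that is the highest host in a subnet containing ip. The SAMPLE text is constructed: it repeats the page's first interface and adds a deliberately malformed one so the lint has something to flag.

```python
import ipaddress
import shlex
# Constructed sample: the page's first tunnel interface plus a deliberately broken one.
SAMPLE = """
config system interface
    edit "vpn-br1-1"
        set ip 10.254.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.254.0.254/24
    next
    edit "vpn-bad"
        set ip 10.254.1.1. 255.255.255.255.255
        set type tunnel
        set remote-ip 10.254.2.200/24
    next
end
"""

def parse_interfaces(text):
    """Map each 'edit' block to its 'set' entries: {name: {key: [values]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "edit":
            cur = ifaces.setdefault(tok[1], {})
        elif tok and tok[0] == "set" and cur is not None:
            cur[tok[1]] = tok[2:]
    return ifaces

def lint_tunnel(cfg):
    """Findings for one interface; an empty list means it matches the page's rules."""
    out = []
    if cfg.get("type") != ["tunnel"]:
        out.append("type must be tunnel")
    if "ping" not in cfg.get("allowaccess", []):
        out.append("allowaccess should include ping so the tunnel can be verified")
    try:
        addr, mask = cfg.get("ip", [])        # ValueError unless exactly <address> <mask>
        ip = ipaddress.ip_interface(f"{addr}/{mask}")
        remote = ipaddress.ip_interface((cfg.get("remote-ip") or [""])[0])
    except ValueError as e:
        return out + [f"bad address: {e}"]
    if ip.network.prefixlen != 32:
        out.append("ip must use a 255.255.255.255 mask")
    if remote.ip != remote.network.broadcast_address - 1:
        out.append("remote-ip is not the highest host in the tunnel subnet")
    if ip.ip not in remote.network:
        out.append("ip is outside the remote-ip subnet")
    return out
```

Run it over a pasted config before committing the change; a clean interface returns an empty list, while the malformed sample entry is reported as a bad address.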
