OSPF over dynamic IPsec

The following example shows how to create a dynamic IPsec VPN tunnel that allows OSPF.

Configuring IPsec on FortiGate 1

1. Go to Dashboard and enter the CLI Console widget
2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up”

set type dynamic set interface “wan1” set mode-cfg enable set proposal 3des-sha1 set add-route disable set ipv4-start-ip 10.10.101.0 set ipv4-end-ip 10.10.101.255 set psksecret

next

end

3. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-p2”

set phase1name “dial-up” set proposal 3des-sha1 aes128-sha1

next

end

Configuring OSPF on FortiGate 1

1. Go to Dashboard and enter the CLI Console
2. Create OSPF route.

config router ospf set router-id 172.20.120.22

config area

edit 0.0.0.0 next

end config network

edit 1 set prefix 10.10.101.0 255.255.255.0

next

end

config redistribute “connected”

set status enable

end

config redistribute “static”

set status enable

end

end

Adding policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up

Configuring IPsec on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget
2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up-client” set interface “wan1” set mode-cfg enable set proposal 3des-sha1 set add-route disable set remote-gw 172.20.120.22 set psksecret

next

end

3. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-client” set phase1name “dial-up-client” set proposal 3des-sha1 aes128-sha1 set auto-negotiate enable

next

end

Configuring OSPF on FortiGate 2

1. Go to Dashboard and enter the CLI Console
2. Create OSPF route.

config router ospf set router-id 172.20.120.15 config area edit 0.0.0.0 next

end config network edit 1 set prefix 10.10.101.0 255.255.255.0

next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

Adding policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up-client to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up-client

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
2. From FortiGate 1, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

OSPF process 0:

Neighbor      ID Pri State Dead Time     Address Interface

172.20.120.25 1 Full  /      – 00:00:34 10.10.101.1 dial-up_0

3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
4. From FortiGate 2, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

OSPF process 0:

Neighbor      ID Pri State Dead Time     Address     Interface

172.20.120.22 1 Full  /      – 00:00:30 10.10.101.2 dial-up_client