Redundant OSPF routing over IPsec
This example sets up redundant secure communication between two remote networks using an Open Shortest Path First (OSPF) VPN connection. In this example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be called FortiGate 2.
The steps include:
1. Creating redundant IPsec tunnels on FortiGate 1.
2. Configuring IP addresses and OSPF on FortiGate 1.
3. Configuring firewall addresses on FortiGate 1.
4. Configuring security policies on FortiGate 1.
5. Creating redundant IPsec tunnels for FortiGate 2.
6. Configuring IP addresses and OSPF on FortiGate 2.
7. Configuring firewall addresses on FortiGate 2.
8. Configuring security policies on FortiGate 2.
Creating redundant IPsec tunnels on FortiGate 1
1. Go to VPN > IPsec Tunnels.
2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).
3. Set the following:
Remote Gateway: Static IP Address
IP Address: FortiGate 2’s wan1 IP
Local Interface: wan1 (the primary Internet-facing interface)
Pre-shared Key: enter the pre-shared key
4. Go to VPN > IPsec Tunnels.
5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
6. Set the following:
Remote Gateway: Static IP Address
IP Address: FortiGate 2’s wan1 IP
Local Interface: wan2 (the secondary Internet-facing interface)
Pre-shared Key: enter the pre-shared key
Configuring IP addresses and OSPF on FortiGate 1
1. Go to Network > Interfaces.
2. Select the arrow for wan1 to expand the list.
3. Edit the primary tunnel interface and create IP addresses.
IP: 10.1.1.1
Remote IP: 10.1.1.2
4. Select the arrow for wan2 to expand the list.
5. Edit the secondary tunnel interface and create IP addresses.
IP: 10.2.1.1
Remote IP: 10.2.1.2
6. Go to Network > OSPF and enter the Router ID for FortiGate 1.
7. Select Create New in the Area section.
8. Add the backbone area of 0.0.0.0.
9. Select Create New in the Networks section.
10. Create the networks and select Area 0.0.0.0 for each one.
11. Select Create New in the Interfaces section.
12. Create primary and secondary tunnel interfaces.
13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.
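The tunnel, tunnel-interface and OSPF steps above for FortiGate 1, written as the equivalent FortiOS CLI. This is an added example, not configuration taken from the cookbook. Constructed or assumed values: 203.0.113.2 stands in for FortiGate 2's wan1 address, 1.1.1.1 for the router ID, 10.20.1.0/24 for the LAN behind FortiGate 1 (inferred from the PC1 address in the Results section), PRESHARED-KEY-PLACEHOLDER for the key, and the IKE/ESP proposals and point-to-point OSPF network type, which the cookbook does not specify. FortiGate 2 mirrors this block with the local and remote tunnel IPs swapped. Exact keyword syntax varies between FortiOS releases.

```fortios
# FortiGate 1 (HQ). Constructed values: 203.0.113.2 = FortiGate 2's wan1,
# 1.1.1.1 = router ID, 10.20.1.0/24 = LAN behind FortiGate 1.
# --- Redundant IPsec tunnels: primary on wan1, secondary on wan2 ---
config vpn ipsec phase1-interface
    edit "primary"
        set interface "wan1"
        set remote-gw 203.0.113.2
        # the same key must be configured on FortiGate 2
        set psksecret PRESHARED-KEY-PLACEHOLDER
        # proposal and DH group are assumptions; the cookbook leaves them at defaults
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "secondary"
        set interface "wan2"
        set remote-gw 203.0.113.2
        set psksecret PRESHARED-KEY-PLACEHOLDER
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "primary"
        set phase1name "primary"
        set proposal aes256-sha256
    next
    edit "secondary"
        set phase1name "secondary"
        set proposal aes256-sha256
    next
end
# --- Tunnel interface addressing: the IP / Remote IP pairs from the GUI steps ---
config system interface
    edit "primary"
        set ip 10.1.1.1 255.255.255.255
        set remote-ip 10.1.1.2 255.255.255.255
    next
    edit "secondary"
        set ip 10.2.1.1 255.255.255.255
        set remote-ip 10.2.1.2 255.255.255.255
    next
end
# --- OSPF: backbone area, advertised networks, cost 10 (preferred) vs 100 (backup) ---
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.20.1.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.1.1.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 3
            set prefix 10.2.1.0 255.255.255.0
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "primary"
            set interface "primary"
            set cost 10
            # assumed: point-to-point avoids a DR/BDR election on a tunnel link
            set network-type point-to-point
        next
        edit "secondary"
            set interface "secondary"
            set cost 100
            set network-type point-to-point
        next
    end
end
```

The two costs are what make the design redundant rather than load-balanced: as long as the primary adjacency is up, the route learned over it wins on cost, and when wan1 drops the dead-interval expires, the adjacency is torn down and the cost-100 route takes over. Because OSPF hellos travel inside the tunnels, the routing exchange is authenticated and encrypted by IPsec, so a peer can only inject routes after it has proven possession of the pre-shared key.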
Configuring firewall addresses on FortiGate 1
1. Go to Policy & Objects > Addresses.
2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
3. Create/Edit the primary and secondary interfaces of FortiGate 2.
Configuring security policies on FortiGate 1
1. Go to Policy & Objects > IPv4 Policy.
2. Create the four security policies required for both FortiGate 1’s primary and secondary interfaces to connect to FortiGate 2’s primary and secondary interfaces.
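The address objects and the four policies for FortiGate 1, as an added FortiOS CLI example (not the cookbook's own configuration). It assumes the tunnel interfaces are named "primary" and "secondary", that the LAN port is called "internal", and that the subnets are 10.20.1.0/24 behind FortiGate 1 and 10.21.1.0/24 behind FortiGate 2 (taken from the PC addresses in Results); the policy names are constructed. The cookbook does not say which address objects each policy uses, so this example scopes every policy to the two LAN subnets plus the matching remote tunnel-interface address rather than using "all".

```fortios
# FortiGate 1 address objects: the two LAN subnets and FortiGate 2's tunnel-side IPs
config firewall address
    edit "FG1-LAN"
        set subnet 10.20.1.0 255.255.255.0
    next
    edit "FG2-LAN"
        set subnet 10.21.1.0 255.255.255.0
    next
    edit "FG2-primary-if"
        set subnet 10.1.1.2 255.255.255.255
    next
    edit "FG2-secondary-if"
        set subnet 10.2.1.2 255.255.255.255
    next
end
# Four policies: LAN <-> primary tunnel and LAN <-> secondary tunnel.
# "internal" is an assumed LAN port name; service ALL keeps the example short,
# restrict it to the services the sites actually exchange in production.
config firewall policy
    edit 1
        set name "LAN-to-primary"
        set srcintf "internal"
        set dstintf "primary"
        set srcaddr "FG1-LAN"
        set dstaddr "FG2-LAN" "FG2-primary-if"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "primary-to-LAN"
        set srcintf "primary"
        set dstintf "internal"
        set srcaddr "FG2-LAN" "FG2-primary-if"
        set dstaddr "FG1-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "LAN-to-secondary"
        set srcintf "internal"
        set dstintf "secondary"
        set srcaddr "FG1-LAN"
        set dstaddr "FG2-LAN" "FG2-secondary-if"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "secondary-to-LAN"
        set srcintf "secondary"
        set dstintf "internal"
        set srcaddr "FG2-LAN" "FG2-secondary-if"
        set dstaddr "FG1-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Without the two secondary-tunnel policies the failover in the Results section would bring the backup route up but drop every packet on it, so both tunnel interfaces need their own policy pair even though only one carries traffic at a time.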
Creating redundant IPsec tunnels on FortiGate 2
1. Go to VPN > IPsec Tunnels.
2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).
3. Set the following:
Remote Gateway: Static IP Address
IP Address: FortiGate 1’s wan1 IP
Local Interface: wan1 (the primary Internet-facing interface)
Pre-shared Key: enter the pre-shared key
4. Go to VPN > IPsec Tunnels.
5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
6. Set the following:
Remote Gateway: Static IP Address
IP Address: FortiGate 1’s wan1 IP
Local Interface: wan2 (the secondary Internet-facing interface)
Pre-shared Key: enter the pre-shared key
Configuring IP addresses and OSPF on FortiGate 2
1. Go to Network > Interfaces.
2. Select the arrow for wan1 to expand the list.
3. Edit the primary tunnel interface and create IP addresses.
IP: 10.1.1.2
Remote IP: 10.1.1.1
4. Select the arrow for wan2 to expand the list.
5. Edit the secondary tunnel interface and create IP addresses.
IP: 10.2.1.2
Remote IP: 10.2.1.1
6. Go to Network > OSPF and enter the Router ID for FortiGate 2.
7. Select Create New in the Area section.
8. Add the backbone area of 0.0.0.0.
9. Select Create New in the Networks section.
10. Create the networks and select Area 0.0.0.0 for each one.
11. Select Create New in the Interfaces section.
12. Create primary and secondary tunnel interfaces.
13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.
Configuring firewall addresses on FortiGate 2
1. Go to Policy & Objects > Addresses.
2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
3. Create/Edit the primary and secondary interfaces of FortiGate 1.
Configuring security policies on FortiGate 2
1. Go to Policy & Objects > IPv4 Policy.
2. Create the four security policies required for both FortiGate 2’s primary and secondary interfaces to connect to FortiGate 1’s primary and secondary interfaces.
Results
1. Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.
2. Go to Monitor > Routing Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select Apply Filter to verify the OSPF route.
3. Verify that traffic flows via the primary tunnel:
- From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2 and vice versa.
- From PC1, you should see that the traffic goes through 10.1.1.2 which is the primary tunnel interface IP set on FortiGate 2.
- From PC2, you should see the traffic goes through 10.1.1.1 which is the primary tunnel interface IP set on FortiGate 1.
4. The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel will be used automatically to maintain a secure connection.
5. Verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that primary tunnel is DOWN and secondary tunnel is UP.
6. Go to Monitor > IPsec Monitor to verify the status.
7. Verify the routing table on FortiGate 1 and FortiGate 2.
The secondary OSPF route (with cost = 100) appears on both FortiGate units.
8. Go to Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify OSPF route.
9. Verify that traffic flows via the secondary tunnel:
- From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2 and vice versa.
- From PC1, you should see that the traffic goes through 10.2.1.2 which is the secondary tunnel interface IP set on FortiGate 2.
- From PC2, you should see the traffic goes through 10.2.1.1 which is the secondary tunnel interface IP set on FortiGate 1.
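The same checks from the FortiGate CLI, added here as an example rather than taken from the cookbook. It assumes the tunnel interfaces are named "primary" and "secondary" and that 10.21.1.0/24 is the LAN behind FortiGate 2; the commands are standard FortiOS diagnostics, but output formatting differs between releases.

```fortios
# Run on FortiGate 1 (mirror on FortiGate 2) before and after the wan1 disconnect.
# 1. Both tunnels should be up before the failover test; afterwards only "secondary".
get vpn ipsec tunnel summary
diagnose vpn ike gateway list
# 2. One OSPF neighbor per tunnel interface in state Full; after failover only the
#    neighbor on "secondary" remains.
get router info ospf neighbor
# 3. Confirm the configured costs were applied (10 on primary, 100 on secondary).
get router info ospf interface
# 4. The remote LAN should be learned via 10.1.1.2 on "primary" while it is up and
#    via 10.2.1.2 on "secondary" after failover (the cost-100 route from step 7).
get router info routing-table ospf
get router info routing-table details 10.21.1.0/24
# 5. Optional: reproduce "disconnect the wan1 interface" from the CLI on a lab unit
#    instead of pulling the cable. Re-enable it afterwards with "set status up".
config system interface
    edit "wan1"
        set status down
    next
end
# 6. Watch OSPF hellos (IP protocol 89) move to the backup tunnel: 10 packets,
#    verbosity 4 shows the interface name alongside each packet.
diagnose sniffer packet secondary 'proto 89' 4 10
```

The routing-table check is the one that matters for the failover claim in step 4: seeing the secondary tunnel up is not enough, the 10.21.1.0/24 route must actually re-point to 10.2.1.2, and it will only do so once the primary adjacency has expired, so allow for the OSPF dead interval before judging the test a failure.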