OSPF over dynamic IPsec
This example shows how to create a dynamic (dial-up) IPsec VPN tunnel between two FortiGates and run OSPF across it, so that routes are exchanged dynamically instead of being added by the tunnel itself.
Configuring IPsec on FortiGate 1
1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:
config vpn ipsec phase1-interface
    edit "dial-up"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set ipv4-start-ip 10.10.101.0
        set ipv4-end-ip 10.10.101.255
        set psksecret
    next
end
3. Create phase 2:
config vpn ipsec phase2-interface
    edit "dial-up-p2"
        set phase1name "dial-up"
        set proposal 3des-sha1 aes128-sha1
    next
end
Configuring OSPF on FortiGate 1
1. Go to Dashboard and enter the CLI Console widget.
2. Configure OSPF, advertising the mode-cfg address pool as an OSPF network so the dial-up tunnel interface participates:
config router ospf
    set router-id 172.20.120.22
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end
Adding policies on FortiGate 1
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from the dial-up interface to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to the dial-up interface.
Configuring IPsec on FortiGate 2
1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:
config vpn ipsec phase1-interface
    edit "dial-up-client"
        set interface "wan1"
        set mode-cfg enable
        set proposal 3des-sha1
        set add-route disable
        set remote-gw 172.20.120.22
        set psksecret
    next
end
3. Create phase 2:
config vpn ipsec phase2-interface
    edit "dial-up-client"
        set phase1name "dial-up-client"
        set proposal 3des-sha1 aes128-sha1
        set auto-negotiate enable
    next
end
Configuring OSPF on FortiGate 2
1. Go to Dashboard and enter the CLI Console widget.
2. Configure OSPF, using the same network prefix as on FortiGate 1 so the tunnel address assigned by mode-cfg is covered:
config router ospf
    set router-id 172.20.120.15
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.101.0 255.255.255.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end
Adding policies on FortiGate 2
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from the dial-up-client interface to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to the dial-up-client interface.
Verifying the tunnel is up
Go to Monitor > IPsec Monitor to verify that the tunnel is Up.
Results
1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
2. From FortiGate 1, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:
get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State        Dead Time   Address        Interface
172.20.120.25     1   Full / -     00:00:34    10.10.101.1    dial-up_0
3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
4. From FortiGate 2, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:
get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State        Dead Time   Address        Interface
172.20.120.22     1   Full / -     00:00:30    10.10.101.2    dial-up_client
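The neighbor check above is easy to automate when the output is collected from many FortiGates. The following is an added example (not Fortinet code) that parses the `get router info ospf neighbor` table in the format shown on this page and reports any adjacency that has not reached Full; the sample output is constructed, with a second, non-Full neighbor added to exercise the check.

```python
"""Parse FortiOS 'get router info ospf neighbor' output and flag neighbors
that are not in Full state. Added example, not Fortinet's code; the sample
below is constructed to match the table format shown on the page."""
import re
from dataclasses import dataclass

# Constructed sample: first row mirrors the page's FortiGate 1 output,
# second row is an invented neighbor stuck in ExStart.
SAMPLE_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State        Dead Time   Address        Interface
172.20.120.25     1   Full / -     00:00:34    10.10.101.1    dial-up_0
172.20.120.30     1   ExStart / -  00:00:39    10.10.101.3    dial-up_1
"""

@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # Full, ExStart, 2-Way, Init, ...
    role: str       # DR, BDR, or "-" (no election on point-to-point tunnels)
    dead_time: str
    address: str
    interface: str

# The State column is printed as "Full / -" (state and DR role joined by a
# slash), so a plain whitespace split would misalign the columns; match the
# row with a regex instead.
ROW_RE = re.compile(
    r"^(?P<id>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Za-z0-9-]+)\s*/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d{2}:\d{2}:\d{2})\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<if>\S+)\s*$"
)

def parse_neighbors(text: str) -> list[Neighbor]:
    """Return one Neighbor per data row; header and process lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Neighbor(m["id"], int(m["pri"]), m["state"], m["role"],
                                 m["dead"], m["addr"], m["if"]))
    return rows

def not_full(neighbors: list[Neighbor]) -> list[Neighbor]:
    """Adjacencies below Full. A neighbor stuck in ExStart/Exchange is the
    classic sign of an MTU mismatch across the tunnel; Init means hellos
    arrive but are not acknowledged in both directions."""
    return [n for n in neighbors if n.state != "Full"]

if __name__ == "__main__":
    nbrs = parse_neighbors(SAMPLE_OUTPUT)
    for n in nbrs:
        print(f"{n.router_id:16} {n.state:8} on {n.interface} ({n.address})")
    print("not Full:", [n.router_id for n in not_full(nbrs)])
```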