rmetzger
Staff
Article Id 198074

Purpose

This article describes the steps to configure FortiGates in an OSPF scenario providing two redundant IPSec tunnels.

It includes the network diagram, requirements, configuration, and routing tables of all FortiGate units.


Scope

  • All FortiGate units.
  • FortiGate or VDOMs running in NAT mode.


Diagram

The following network diagram illustrates this example and how to set up OSPF over IPSec.

[Diagram image: rmetzger_100140_ospf_redundancy_ipsec.JPG (OSPF redundancy over two IPSec tunnels between FGT1 and FGT2)]


Expectations, Requirements

Requirements:

  • FGT1 will automatically become an ASBR, as it advertises its static default route into OSPF (see marker M1).
  • FGT2 will advertise its local LAN as an OSPF internal route (see marker M2).
  • The primary routes must go via the tunnel over wan1; routes over the backup tunnel are used only when the primary is down (see marker M3).

Using loopback interfaces in this OSPF scenario is a simple practice that eases OSPF troubleshooting and administration: the OSPF router ID is set to the same address as the loopback interface.

To control which OSPF routes are selected in the routing table, the OSPF interface cost is used (see marker M3 in the configuration).


Configuration

Notes
  • Only the relevant parts of the configuration are given.
  • Interface naming can differ between FortiGate models; therefore aliases have been used to match the diagram (see marker M4 in the configuration).
  • An IPSec virtual interface can stay unnumbered. In this case, as OSPF needs to be enabled on those interfaces, they have been given an IP address that falls within the OSPF network prefix.
  • In these configurations, an OSPF interface entry had to be created for each IPSec interface in order to access parameters beyond the defaults. Here the cost is increased to 200 for the secondary tunnel.

 

 

 

  • FGT1

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "wan1"    <-- M4
    next
    edit "port1"
        set vdom "root"
        set ip 10.141.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "wan2"    <-- M4
    next
    edit "port8"
        set vdom "root"
        set ip 10.142.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "local_lan"    <-- M4
    next
    edit "lback1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type loopback
    next
    edit "tunnel_wan1"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 10.1.1.2
        set interface "internal"
    next
    edit "tunnel_wan2"
        set vdom "root"
        set ip 10.1.1.3 255.255.255.255
        set type tunnel
        set remote-ip 10.1.1.4
        set interface "port1"
    next
end

config vpn ipsec phase1-interface
    edit "tunnel_wan1"
        set interface "internal"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.182.152
        set psksecret ENC …
    next
    edit "tunnel_wan2"
        set interface "port1"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 10.141.0.152
        set psksecret ENC …
    next
end

config vpn ipsec phase2-interface
    edit "tunnel1_wan1"
        set phase1name "tunnel_wan1"
        set proposal 3des-sha1 aes128-sha1
    next
    edit "tunnel2_wan2"
        set phase1name "tunnel_wan2"
        set proposal 3des-sha1 aes128-sha1
    next
end

config router static
    edit 1
        set device "internal"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port1"
        set distance 20
        set gateway 10.141.0.254
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    set default-information-originate enable
    config network
        edit 4
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.0.0.1 255.255.255.255
        next
    end
    config ospf-interface
        edit "tunnel_wan2"
            set cost 200    <-- M3
            set interface "tunnel_wan2"
            set network-type point-to-point
        next
        edit "tunnel_wan1"
            set cost 10    <-- M3
            set interface "tunnel_wan1"
            set network-type point-to-point
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable    <-- M1
    end
    set router-id 10.0.0.1
end


  • FGT2

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.152 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "wan1"    <-- M4
    next
    edit "port1"
        set vdom "root"
        set ip 10.141.0.152 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
        set alias "wan2"    <-- M4
    next
    edit "port8"
        set vdom "root"
        set ip 10.2.2.1 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "local_lan"    <-- M4
    next
    edit "lback2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
    next
    edit "tunnel_wan1"
        set vdom "root"
        set ip 10.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 10.1.1.1
        set interface "internal"
    next
    edit "tunnel_wan2"
        set vdom "root"
        set ip 10.1.1.4 255.255.255.255
        set type tunnel
        set remote-ip 10.1.1.3
        set interface "port1"
    next
end

config vpn ipsec phase1-interface
    edit "tunnel_wan1"
        set interface "internal"
        set dpd enable
        set nattraversal enable
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.182.151
        set psksecret ENC …
    next
    edit "tunnel_wan2"
        set interface "port1"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 10.141.0.151
        set psksecret ENC …
    next
end

config vpn ipsec phase2-interface
    edit "tunnel1_wan1"
        set pfs enable
        set phase1name "tunnel_wan1"
        set proposal 3des-sha1 aes128-sha1
        set replay enable
    next
    edit "tunnel2_wan2"
        set pfs enable
        set phase1name "tunnel_wan2"
        set proposal 3des-sha1 aes128-sha1
        set replay enable
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.2.2.0 255.255.255.0    <-- M2
        next
        edit 3
            set prefix 10.0.0.2 255.255.255.255
        next
    end
    config ospf-interface
        edit "tunnel_wan2"
            set cost 200    <-- M3
            set interface "tunnel_wan2"
            set network-type point-to-point
        next
        edit "tunnel_wan1"
            set cost 10    <-- M3
            set interface "tunnel_wan1"
            set network-type point-to-point
        next
    end
    set router-id 10.0.0.2
end


Verification

1 - OSPF information and routing tables when the primary tunnel_wan1 is up.

NOTE: All OSPF routes are seen via tunnel_wan1.

  • FGT1

FGT1 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/ -         00:00:39    10.1.1.2        tunnel_wan1
10.0.0.2          1   Full/ -         00:00:34    10.1.1.4        tunnel_wan2

FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 10.1.1.2, tunnel_wan1, 00:06:21
C       10.1.1.1/32 is directly connected, tunnel_wan1
C       10.1.1.2/32 is directly connected, tunnel_wan1
C       10.1.1.3/32 is directly connected, tunnel_wan2
C       10.1.1.4/32 is directly connected, tunnel_wan2
O       10.2.2.0/24 [110/20] via 10.1.1.2, tunnel_wan1, 00:20:10
C       10.141.0.0/23 is directly connected, port1
C       10.142.0.0/23 is directly connected, port8
C       192.168.182.0/23 is directly connected, internal

  • FGT2

FGT2 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/ -         00:00:39    10.1.1.1        tunnel_wan1
10.0.0.1          1   Full/ -         00:00:29    10.1.1.3        tunnel_wan2

FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 10.1.1.1, tunnel_wan1, 00:20:52
O       10.0.0.1/32 [110/110] via 10.1.1.1, tunnel_wan1, 00:07:27
C       10.0.0.2/32 is directly connected, lback2
C       10.1.1.1/32 is directly connected, tunnel_wan1
C       10.1.1.2/32 is directly connected, tunnel_wan1
C       10.1.1.3/32 is directly connected, tunnel_wan2
C       10.1.1.4/32 is directly connected, tunnel_wan2
C       10.2.2.0/24 is directly connected, port8
C       10.141.0.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, internal


2 - OSPF information and routing tables when the primary tunnel_wan1 is down.

NOTE: All OSPF routes are seen via tunnel_wan2.

  • FGT1

FGT1 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/ -         00:00:38    10.1.1.4        tunnel_wan2

FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [20/0] via 10.141.0.254, port1
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/300] via 10.1.1.4, tunnel_wan2, 00:01:31
C       10.1.1.3/32 is directly connected, tunnel_wan2
C       10.1.1.4/32 is directly connected, tunnel_wan2
O       10.2.2.0/24 [110/210] via 10.1.1.4, tunnel_wan2, 00:01:31
C       10.141.0.0/23 is directly connected, port1
C       10.142.0.0/23 is directly connected, port8

  • FGT2

FGT2 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/ -         00:00:30    10.1.1.3        tunnel_wan2

FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11
O       10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11
C       10.0.0.2/32 is directly connected, lback2
C       10.1.1.3/32 is directly connected, tunnel_wan2
C       10.1.1.4/32 is directly connected, tunnel_wan2
C       10.2.2.0/24 is directly connected, port8
C       10.141.0.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, internal
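As an added check (example code written for this article, not Fortinet tooling), the following Python parses the "get router info routing-table all" format shown above and confirms requirement M3: every OSPF-learned route exits via the expected tunnel, and the installed metric moves by the cost difference between the two tunnels (200 versus 10). The sample tables are constructed from the FGT1 outputs above.

```python
import re
from typing import List, NamedTuple
# Matches one route line of "get router info routing-table all"; the legend
# lines ("Codes: ...", "O - OSPF, ...") do not match and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*][A-Z0-9*]*)\s+(?P<prefix>\d[\d./]+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),\s+(?P<iface>[^,\s]+)"
    r"|is directly connected,\s+(?P<ciface>[^,\s]+))"
)

class Route(NamedTuple):
    code: str       # "S*", "C", "O", "O*E2", ...
    prefix: str
    distance: int   # administrative distance; 0 for connected routes
    metric: int     # OSPF cost for "O" routes; 0 for connected routes
    nexthop: str
    iface: str

def parse_routing_table(output: str) -> List[Route]:
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group("ciface"):
            routes.append(Route(m["code"], m["prefix"], 0, 0, "", m["ciface"]))
        elif m:
            routes.append(Route(m["code"], m["prefix"], int(m["ad"]),
                                int(m["metric"]), m["nh"], m["iface"]))
    return routes

def ospf_uses_only(output: str, iface: str) -> bool:
    """True when every OSPF-learned route ('O...' codes) exits via iface (requirement M3)."""
    return {r.iface for r in parse_routing_table(output) if r.code.startswith("O")} == {iface}

def metric_of(output: str, prefix: str) -> int:
    """Metric of the installed route for prefix, or -1 when it is absent."""
    return next((r.metric for r in parse_routing_table(output) if r.prefix == prefix), -1)

# Constructed samples, trimmed from the FGT1 tables shown above; the legend line is ignored.
FGT1_PRIMARY_UP = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 10.1.1.2, tunnel_wan1, 00:06:21
O       10.2.2.0/24 [110/20] via 10.1.1.2, tunnel_wan1, 00:20:10
"""
FGT1_PRIMARY_DOWN = """\
S*      0.0.0.0/0 [20/0] via 10.141.0.254, port1
O       10.0.0.2/32 [110/300] via 10.1.1.4, tunnel_wan2, 00:01:31
O       10.2.2.0/24 [110/210] via 10.1.1.4, tunnel_wan2, 00:01:31
"""
```

Feed the real CLI output to ospf_uses_only() in both states to verify that failover to tunnel_wan2 happened and that the return to tunnel_wan1 occurs once the primary is back.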


Troubleshooting
Use the OSPF router command:

get router info ospf <subcommand>

FGT# get router info ospf ?
database          show ospf database information
interface         show ospf interfaces
route             show ospf routing table
neighbor          show ospf neighbors
border-routers    show ospf border routers
status            show ospf status
virtual-links     show ospf virtual links

For advanced troubleshooting, use the command:

FGT# diag ip router ospf all enable    (use "disable" instead of "enable" to stop the trace)

Related Articles

Technical Note: OSPF configuration guide for ABR and ASBR settings

Technical Note: simple OSPF configuration with 2 FortiGates in the same area

Technical Tip: How to redistribute a default route in OSPF

Technical Note: OSPF route summarization for LSAs Type3 (on ABR) and Type5 (on ASBR)
