acvaldez
Staff
Article Id 193209
Description
This article describes how to establish two OSPF neighbors on a single IPsec dial-up tunnel. Because net-device is enabled on the dial-up phase1, each dial-up client is terminated on its own tunnel interface (tunnel netdev_0 and tunnel netdev_1 in the output below), so the dial-up server can form a separate point-to-point OSPF adjacency with each client.

Scope
FortiOS version 6.2.5.

Solution
Diagram (image not reproduced): the dial-up server uses tunnel IP 1.1.1.1 and has LAN 30.30.30.0/24 on port2; dial-up client-1 uses tunnel IP 1.1.2.1 with LAN 40.40.40.0/24; dial-up client-2 uses tunnel IP 1.1.2.2 with LAN 50.50.50.0/24. Both clients dial in to the server's port1 address 192.168.175.156.

Configuration.

FortiGate dial-up server.

IPsec configuration.

# config vpn ipsec phase1-interface
    edit "tunnel netdev"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set auto-discovery-receiver enable
        set auto-discovery-forwarder enable
        set psksecret ENC 0S4yt76mhwUoRqNHybMB129Cur3TcH4XGXZfgXUW9WGkRkZoChYn+rToYo+4saEFRBpbn9YjpqFq2ngL4HvdcPUma8S+n/Fv47clMcWdhPDQjd2R5uP5nuyyA8bQd9XxMa4/HjaRQvDMlVm+04qVnyX056QZ/hR4rC2tmnkcx+Pe5iWDFQUc1J5HWQrdrAK9NR6i/g==
        set dpd-retryinterval 60
    next
end

# config vpn ipsec phase2-interface
    edit "tunnel netdev"
        set phase1name "tunnel netdev"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

# config system interface
    edit "tunnel netdev"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping https http
        set type tunnel
        set remote-ip 1.1.2.1 255.255.255.0
        set snmp-index 12
        set interface "port1"
    next
end
Firewall policy.
# config firewall policy
    edit 2
        set name "firewall 2"
        set uuid adb63976-e916-51ea-0712-bf025b038caa
        set srcintf "port2"
        set dstintf "tunnel netdev"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Copy of firewall1)"
    next
    edit 1
        set name "firewall1"
        set uuid a875bb08-e916-51ea-7641-255f83075c3d
        set srcintf "tunnel netdev"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
OSPF configuration on FortiGate dial-up server.
# config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "tunnel1"
            set interface "tunnel netdev"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.1 255.255.255.255
        next
        edit 2
            set prefix 1.1.2.1 255.255.255.255
        next
        edit 3
            set prefix 30.30.30.0 255.255.255.0
        next
        edit 4
            set prefix 1.1.2.2 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
FortiGate dial-up client-1.

IPsec configuration.

# config vpn ipsec phase1-interface
    edit "tunnel netdev"
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set auto-discovery-sender enable
        set auto-discovery-receiver enable
        set auto-discovery-forwarder enable
        set remote-gw 192.168.175.156
        set psksecret ENC aSZ+/ERBdQ6urLam6kH69xnKjPufcaP/f7c0Hcrdx2kb9j02Ox6gftQsHirvsN0OnQsw+rl1aR/zxriPCjH315zgW4JPJSR4RjMTrMeIIOlyYZBUHpXjuJF8wdov+9iY5FbWfubwsPB8DpOF3kKYOkKXJRelCICfKXNaQjoclYk9HMCNlglFlYO9KtgANqwdvpyvVQ==
    next
end

# config vpn ipsec phase2-interface
    edit "tunnel netdev"
        set phase1name "tunnel netdev"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

# config system interface
    edit "tunnel netdev"
        set vdom "root"
        set ip 1.1.2.1 255.255.255.255
        set allowaccess ping https ssh http
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end
Firewall policy.
# config firewall policy
    edit 1
        set name "firewall1"
        set uuid c65e873a-e916-51ea-8779-74634acc8726
        set srcintf "port2"
        set dstintf "tunnel netdev"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "firewall 2"
        set uuid d49ab134-e916-51ea-73a0-6c544c6a7779
        set srcintf "tunnel netdev"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
OSPF configuration on FortiGate dial-up client-1.
# config router ospf
    set router-id 1.1.2.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "tunnel1"
            set interface "tunnel netdev"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.1 255.255.255.255
        next
        edit 2
            set prefix 1.1.2.1 255.255.255.255
        next
        edit 3
            set prefix 40.40.40.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
FortiGate dial-up client-2.

IPsec configuration.

# config vpn ipsec phase1-interface
    edit "tunnel netdev"
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set auto-discovery-sender enable
        set auto-discovery-receiver enable
        set auto-discovery-forwarder enable
        set remote-gw 192.168.175.156
        set psksecret ENC Wkb5Fvzp301Wr4ZUrR/V5QkeX/IGoEDBqbiQFPtxZgJ/qecI3PfCRXeUlaj1CREZIbBMqhyA9AKZN7o/peNpp+JdJ+7siUiJ/2kjZyarhlSjl+YSAhNoDV4LeRzfa6gfr20uMNr4MDWRQxjAbfE0M0WJZc0/w4/b70uiCDzEskl7amf6vVSLDhNLkoAzdg4gDt8tUg==
    next
end

# config vpn ipsec phase2-interface
    edit "tunnel netdev"
        set phase1name "tunnel netdev"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

# config system interface
    edit "tunnel netdev"
        set vdom "root"
        set ip 1.1.2.2 255.255.255.255
        set allowaccess ping https ssh http
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end
Firewall policy.
# config firewall policy
    edit 1
        set name "firewall 1"
        set uuid b7e234ec-e919-51ea-189d-109576fc3610
        set srcintf "port1"
        set dstintf "tunnel netdev"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "firewall 2"
        set uuid c579f360-e919-51ea-3a1c-7e93acd5c09e
        set srcintf "tunnel netdev"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
OSPF configuration on FortiGate dial-up client-2.
# config router ospf
    set router-id 1.1.2.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "tunnel1"
            set interface "tunnel netdev"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.1 255.255.255.255
        next
        edit 2
            set prefix 1.1.2.2 255.255.255.255
        next
        edit 3
            set prefix 1.1.2.1 255.255.255.255
        next
        edit 4
            set prefix 50.50.50.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
Troubleshooting.

FortiGate dial-up server.

DIALUP_SERVER # get router info ospf stat
 Routing Process "ospf 0" with ID 1.1.1.1
 Process is not up
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Do not support Restarting
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Refresh timer 10 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 0
 External LSA database is unlimited.
 Number of LSA originated 1
 Number of LSA received 23
 Number of areas attached to this router: 1
    Area 0.0.0.0 (BACKBONE)
        Number of interfaces in this area is 4(4)
        Number of fully adjacent neighbors in this area is 2
        Area has no authentication
        SPF algorithm last executed 00:10:26.870 ago
        SPF algorithm executed 6 times
        Number of LSA 3. Checksum 0x01cbd0

DIALUP_SERVER # get router info ospf neig
 
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.2.1           1   Full/ -         00:00:30    1.1.2.1         tunnel netdev_0
1.1.2.2           1   Full/ -         00:00:32    1.1.2.2         tunnel netdev_1

DIALUP_SERVER # get router info routing-table ospf
 
Routing table for VRF=0
O       1.1.1.0/24 [110/100] via tunnel netdev, 04:29:40
O       40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:12:29
O       50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 04:29:00
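A small check that reads the two outputs above and confirms the setup is healthy: each expected client is a Full neighbor on its own net-device child interface, and each OSPF route learned through a child points at the neighbor that lives on it. This is an added example, not part of the original article or of FortiOS; the sample text is constructed from the output shown above, and the function names are my own.

```python
import re
# Constructed sample, shaped like the article's neighbor and OSPF routing-table output.
NEIGH_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.2.1           1   Full/ -         00:00:30    1.1.2.1         tunnel netdev_0
1.1.2.2           1   Full/ -         00:00:32    1.1.2.2         tunnel netdev_1
"""
ROUTE_OUTPUT = """\
O       1.1.1.0/24 [110/100] via tunnel netdev, 04:29:40
O       40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:12:29
O       50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 04:29:00
"""
# Neighbor row: id, pri, state/role, dead time, address, interface (may contain a space).
NEIGH_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)/\s*\S+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.+?)\s*$")
# OSPF route row; the next-hop IP is absent for the tunnel's own /24.
ROUTE_RE = re.compile(r"^O\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(?:(\d+(?:\.\d+){3}),\s+)?(.+?),\s+\S+$")

def parse_neighbors(text):
    """Map neighbor ID -> (state, interface) for each data row."""
    rows = (NEIGH_RE.match(line) for line in text.splitlines())
    return {m.group(1): (m.group(3), m.group(5)) for m in rows if m}

def parse_ospf_routes(text):
    """Map prefix -> (next hop or None, interface) for each 'O' row."""
    rows = (ROUTE_RE.match(line) for line in text.splitlines())
    return {m.group(1): (m.group(2), m.group(3)) for m in rows if m}

def check_dialup_neighbors(neigh_text, route_text, parent, expected):
    """Return problems (empty when healthy): each expected neighbor must be Full on
    its own net-device child '<parent>_<n>', and routes on a child must use its neighbor."""
    problems, owner = [], {}
    neigh = parse_neighbors(neigh_text)
    child = re.compile(re.escape(parent) + r"_\d+")
    for nid in expected:
        if nid not in neigh:
            problems.append(f"neighbor {nid} missing")
            continue
        state, iface = neigh[nid]
        if state != "Full":
            problems.append(f"neighbor {nid} is {state}, not Full")
        if not child.fullmatch(iface):
            problems.append(f"neighbor {nid} on {iface}, not a child of {parent}")
        elif iface in owner:
            problems.append(f"{iface} shared by {owner[iface]} and {nid}")
        else:
            owner[iface] = nid
    for prefix, (nh, iface) in parse_ospf_routes(route_text).items():
        if iface in owner and nh != owner[iface]:
            problems.append(f"{prefix} via {nh} on {iface}, expected {owner[iface]}")
    return problems
```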

DIALUP_SERVER # get router info routing-table all
 
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
S*      0.0.0.0/0 [10/0] via 192.168.175.2, port1
O       1.1.1.0/24 [110/100] via tunnel netdev, 00:02:28
C       1.1.1.1/32 is directly connected, tunnel netdev
                   is directly connected, tunnel netdev_0
                   is directly connected, tunnel netdev_1
C       1.1.2.0/24 is directly connected, tunnel netdev
C       1.1.2.1/32 is directly connected, tunnel netdev_0
C       1.1.2.2/32 is directly connected, tunnel netdev_1
C       30.30.30.0/24 is directly connected, port2
O       40.40.40.0/24 [110/101] via 1.1.2.1, tunnel netdev_0, 00:02:03
O       50.50.50.0/24 [110/101] via 1.1.2.2, tunnel netdev_1, 00:02:03

C       192.168.175.0/24 is directly connected, port1
Other commands that can be used to troubleshoot OSPF are the following:
# diag ip router ospf all enable
# diag ip router ospf level info
# diag debug enable
To stop the OSPF debugging:
# diag debug disable
# diag ip router ospf all disable
# diag ip router ospf level none
To clear the OSPF process:
# execute router clear ospf process
