fortigate-ipsec-40-mr3

FortiOS Handbook
Protecting OSPF with IPsec
Overview
For enhanced security, OSPF dynamic routing can be carried over IPsec VPN links.
The following topics are included in this section:
Overview
OSPF over IPsec configuration
Creating a redundant configuration
This chapter shows an example of OSPF routing conducted over an IPsec tunnel
between two FortiGate units. The network shown in Figure 35 is a single OSPF area.
FortiGate_1 is an Area border router that advertises a static route to 10.22.10.0/24 in
OSPF. FortiGate_2 advertises its local LAN as an OSPF internal route.
Figure 35: OSPF over an IPsec VPN tunnel
Local LAN
10.21.101.0/24
10.22.10.0/24
FortiGate_1
Port 1
Port 2
172.20.120.141
Port t 22
192.168.0.131 311
FortiGate_2 oort rtiG iGat ate_ e_2
Port3 Port3
10.1.1.1 VPN tunnel
“tunnel_wan1”
OSPF cost 10
10.1.1.2
10.1.2.1 VPN tunnel
“tunnel_wan2”
OSPF cost 200
10.1.2.2
Local LAN
10.31.101.0/24
The section “OSPF over IPsec configuration” describes the configuration with only one
IPsec VPN tunnel, tunnel_wan1. Then, the section “Creating a redundant configuration”
on page 227 describes how you can add a second tunnel to provide a redundant backup
path. This is shown in Figure 35 as VPN tunnel “tunnel_wan2”.
Only the parts of the configuration concerned with creating the IPsec tunnel and
integrating it into the OSPF network are described. It is assumed that security policies are
already in place to allow traffic to flow between the interfaces on each FortiGate unit.
FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 221
http://docs.fortinet.com/
PPPPPPPPo PPort Port 11