This configuration guide includes the information needed to connect a FortiGate firewall to the Pureport platform via a routed IPsec VPN (two tunnels, one to each Pureport gateway) using BGP for routing.


Note: This guide was created using FortiOS version 5.6.0. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each FortiGate platform may have slightly different commands. Additionally, if you already have a routing topology in place, you must adapt some of these configuration items to your specific setup.

Variables Needed

You will need the following information from various sources in order to configure your VPN tunnels and BGP peering on your FortiGate firewall. Use these variables in the Configuration Script, below.


Variable | Source | Notes
<<<VPN NAME 1>>> | User-created | Limit to 12 characters.
<<<VPN NAME 2>>> | User-created | Limit to 12 characters.
<<<OUTSIDE NETWORK INTERFACE>>> | FortiGate configuration | The WAN interface of your firewall. If there are two, select the one bound to the IP address you will use as your VPN peer address.
<<<INSIDE NETWORK INTERFACE>>> | FortiGate configuration | The LAN interface of your firewall. If you have more than one, duplicate the firewall policies for each inside interface that needs to communicate with the other connections on the Pureport platform.
<<<NETWORK NUMBER FOR SITE>>> and <<<SUBNET MASK FOR SITE>>> | FortiGate configuration | The IP network and subnet mask of your LAN network. If you have more than one, repeat the "config network" entry for each network you want to announce via BGP.
dhgrp and proposal (phase 1 and phase 2) | Pureport console | The example configuration uses the defaults (dhgrp 14, aes128-sha256). Change them only if the Pureport console shows different values.
<<<PUREPORT GATEWAY 1 IP ADDRESS>>> | Pureport console |
<<<PRESHARED KEY FOR GATEWAY 1>>> | Pureport console | Treat as a secret. Each gateway has its own key.
<<<PUREPORT GATEWAY 2 IP ADDRESS>>> | Pureport console |
<<<PRESHARED KEY FOR GATEWAY 2>>> | Pureport console | Treat as a secret. Each gateway has its own key.
<<<CUSTOMER VTI IP FOR GATEWAY 1>>> | Pureport console |
<<<PUREPORT VTI IP FOR GATEWAY 1>>> | Pureport console |
<<<CUSTOMER VTI IP FOR GATEWAY 2>>> | Pureport console |
<<<PUREPORT VTI IP FOR GATEWAY 2>>> | Pureport console |
<<<CUSTOMER GATEWAY PUBLIC IP>>> | FortiGate configuration | The public IP address of your firewall (the VPN peer address). Used as the BGP router ID.
<<<YOUR_BGP_ASN>>> | FortiGate configuration / User-created | If you do not already have an ASN for BGP peering, we recommend using 65501. Review the "ASN selection" article for details.



Configuration Script

When using this configuration script, substitute the variables listed in the table above. The pre-shared keys are secrets: keep the completed script out of tickets, chat and version control, or enter the psksecret values separately.


config vpn ipsec phase1-interface
  edit <<<VPN NAME 1>>>
    set ike-version 2
    set interface <<<OUTSIDE NETWORK INTERFACE>>>
    set dpd on-idle
    set dhgrp 14
    set nattraversal disable
    set proposal aes128-sha256
    set keylife 28800
    set remote-gw <<<PUREPORT GATEWAY 1 IP ADDRESS>>>
    set psksecret <<<PRESHARED KEY FOR GATEWAY 1>>>
    set dpd-retryinterval 5
  next
  edit <<<VPN NAME 2>>>
    set ike-version 2
    set interface <<<OUTSIDE NETWORK INTERFACE>>>
    set dpd on-idle
    set dhgrp 14
    set nattraversal disable
    set proposal aes128-sha256
    set keylife 28800
    set remote-gw <<<PUREPORT GATEWAY 2 IP ADDRESS>>>
    set psksecret <<<PRESHARED KEY FOR GATEWAY 2>>>
    set dpd-retryinterval 5
  next
end

config vpn ipsec phase2-interface
  edit <<<VPN NAME 1>>>
    set phase1name <<<VPN NAME 1>>>
    set proposal aes128-sha256
    set dhgrp 14
    set keepalive enable
    set keylifeseconds 3600
  next
  edit <<<VPN NAME 2>>>
    set phase1name <<<VPN NAME 2>>>
    set proposal aes128-sha256
    set dhgrp 14
    set keepalive enable
    set keylifeseconds 3600
  next
end

# The tunnel interfaces are created automatically with the phase1 names;
# this assigns the VTI addresses. "allowaccess ping" lets you ping the local
# side of each tunnel when troubleshooting.
config system interface
  edit <<<VPN NAME 1>>>
    set vdom "root"
    set ip <<<CUSTOMER VTI IP FOR GATEWAY 1>>> 255.255.255.255
    set allowaccess ping
    set type tunnel
    set tcp-mss 1350
    set remote-ip <<<PUREPORT VTI IP FOR GATEWAY 1>>>
    set interface <<<OUTSIDE NETWORK INTERFACE>>>
    set role lan
  next
  edit <<<VPN NAME 2>>>
    set vdom "root"
    set ip <<<CUSTOMER VTI IP FOR GATEWAY 2>>> 255.255.255.255
    set allowaccess ping
    set type tunnel
    set tcp-mss 1350
    set remote-ip <<<PUREPORT VTI IP FOR GATEWAY 2>>>
    set interface <<<OUTSIDE NETWORK INTERFACE>>>
    set role lan
  next
end

# 394351 is the Pureport ASN; both neighbors peer with it.
config router bgp
  set as <<<YOUR_BGP_ASN>>>
  set router-id <<<CUSTOMER GATEWAY PUBLIC IP>>>
  set graceful-restart enable
  set ebgp-multipath enable
  config neighbor
    edit <<<PUREPORT VTI IP FOR GATEWAY 1>>>
      set remote-as 394351
    next
    edit <<<PUREPORT VTI IP FOR GATEWAY 2>>>
      set remote-as 394351
    next
  end
  # Repeat the "edit" entry for every network you want to announce.
  config network
    edit 1
      set prefix <<<NETWORK NUMBER FOR SITE>>> <<<SUBNET MASK FOR SITE>>>
    next
  end
end


###
### PLEASE NOTE THAT THE FOLLOWING POLICIES PERMIT ALL TRAFFIC
### (ANY SOURCE, ANY DESTINATION, ANY SERVICE) BETWEEN YOUR INSIDE
### NETWORK AND ANY OTHER NETWORK YOU CONNECT TO THE PUREPORT
### PLATFORM, IN BOTH DIRECTIONS.
###
### IF YOUR INTERNAL SECURITY POLICY REQUIRES STRICTER CONTROLS,
### REPLACE "all" AND "ALL" WITH ADDRESS OBJECTS AND SERVICES THAT
### LIMIT ACCESS TO WHAT IS REQUIRED, AND ENABLE LOGGING.
###


config firewall policy
  edit 0
    set srcintf <<<VPN NAME 1>>>
    set dstintf <<<INSIDE NETWORK INTERFACE>>>
    set srcaddr all
    set dstaddr all
    set action accept
    set schedule always
    set service ALL
  next
  edit 0
    set srcintf <<<INSIDE NETWORK INTERFACE>>>
    set dstintf <<<VPN NAME 1>>>
    set srcaddr all
    set dstaddr all
    set action accept
    set schedule always
    set service ALL
  next
  edit 0
    set srcintf <<<VPN NAME 2>>>
    set dstintf <<<INSIDE NETWORK INTERFACE>>>
    set srcaddr all
    set dstaddr all
    set action accept
    set schedule always
    set service ALL
  next
  edit 0
    set srcintf <<<INSIDE NETWORK INTERFACE>>>
    set dstintf <<<VPN NAME 2>>>
    set srcaddr all
    set dstaddr all
    set action accept
    set schedule always
    set service ALL
  next
end
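As an added example (not part of the Pureport configuration script above), the following FortiOS CLI fragment shows one way to tighten the policies: the site LAN and the networks reachable through Pureport are defined as address objects, both tunnel interfaces are listed on a single policy, only the required services are allowed, and every session is logged. The object names "site-lan" and "pureport-remote-nets", the remote prefix 10.200.0.0/16 and the service list SSH/HTTPS are assumptions for illustration; replace them with your own.

```fortios
# Added example: restricted replacement for the "all / ALL" policies.
# Object names, the remote prefix and the service list are assumptions.
config firewall address
  edit "site-lan"
    set subnet <<<NETWORK NUMBER FOR SITE>>> <<<SUBNET MASK FOR SITE>>>
  next
  edit "pureport-remote-nets"
    # Example prefix reachable through Pureport; use the real remote networks.
    set subnet 10.200.0.0 255.255.0.0
  next
end

config firewall policy
  # Inbound from Pureport: only SSH and HTTPS to the site LAN.
  edit 0
    set name "pureport-in"
    set srcintf <<<VPN NAME 1>>> <<<VPN NAME 2>>>
    set dstintf <<<INSIDE NETWORK INTERFACE>>>
    set srcaddr "pureport-remote-nets"
    set dstaddr "site-lan"
    set action accept
    set schedule always
    set service SSH HTTPS
    set logtraffic all
  next
  # Outbound from the site LAN to the remote networks, same services.
  edit 0
    set name "pureport-out"
    set srcintf <<<INSIDE NETWORK INTERFACE>>>
    set dstintf <<<VPN NAME 1>>> <<<VPN NAME 2>>>
    set srcaddr "site-lan"
    set dstaddr "pureport-remote-nets"
    set action accept
    set schedule always
    set service SSH HTTPS
    set logtraffic all
  next
end
```

Anything not matched by these two policies is dropped by the implicit deny at the end of the policy table. Restricting the policies does not affect the BGP session or the prefixes announced under "config router bgp"; those are controlled by the routing configuration, not by firewall policy.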


Troubleshooting

This section contains information on troubleshooting the VPN and BGP configuration and connectivity.

VPN Status

After completing the configuration and adding the firewall policies, the VPN should come up immediately. To view the VPN status:

  • Use the web interface and select Monitor > IPsec Monitor to view the individual tunnel status and restart tunnels, as needed.

    or

  • Use the following CLI command:

    get vpn ipsec tunnel summary


    The console will return output similar to:

    'vpn-PUREPORT-0' xx.xx.xx.xx:0  selectors(total,up): 1/1  rx(pkt,err): 2523031/0  tx(pkt,err): 1154431/8

    'vpn-PUREPORT-1' xx.xx.xx.xx:0  selectors(total,up): 1/1  rx(pkt,err): 807284/0  tx(pkt,err): 299249/8


You can also check the Log & Report section in the Web Interface for VPN Events and filter on the VPN names you used during configuration.


Tunnel Interfaces

To ensure the tunnel interfaces are up, ping both the local and Pureport sides of both tunnel interfaces. The local side answers because the tunnel interfaces were configured with "set allowaccess ping". The 169.254.x.x addresses below are examples; use the VTI IP addresses from the Pureport console.


To ping Tunnel 1:

execute ping 169.254.1.1

execute ping 169.254.1.2


To ping Tunnel 2:

execute ping 169.254.2.1

execute ping 169.254.2.2


BGP Status

Check the BGP status via the command line using the following command:


get router info bgp summary


The console will return output similar to:

BGP router identifier xx.xx.xx.xx, local AS number 65501

BGP table version is 7

4 BGP AS-PATH entries

0 BGP community entries


Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

169.254.1.2     4     394351     226     260        6    0    0 00:00:21        4

169.254.2.2     4     394351     317     361        5    0    0 00:00:30        4


If the State/PfxRcd column shows a state name (Idle, Connect, Active, OpenSent or OpenConfirm) instead of a count of received prefixes, BGP peering has not been established. Use the web interface, select Log & Report > Router Events and review the firewall logs for entries regarding BGP.


BGP Routes

Check routes being received via BGP using the following command:


get router info bgp network
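The commands below are an added troubleshooting sequence, not part of the original guide, for the case where a tunnel or a BGP session does not come up. They use only standard FortiOS diagnostic commands and the same placeholders as the configuration script. The IKE debug is filtered to a single Pureport gateway so that the output stays readable; disable the debug when you are finished.

```fortios
# Added example: narrow down a tunnel or BGP session that is not up.

# 1. IKE gateway and IPsec SA state for one tunnel. "sa=1" on the
#    proxyid line of the tunnel list means phase 2 is established.
diagnose vpn ike gateway list name <<<VPN NAME 1>>>
diagnose vpn tunnel list name <<<VPN NAME 1>>>

# 2. IKE negotiation log for one gateway only. A mismatched proposal,
#    DH group or pre-shared key shows up here as a failed exchange.
diagnose vpn ike log-filter dst-addr4 <<<PUREPORT GATEWAY 1 IP ADDRESS>>>
diagnose debug application ike -1
diagnose debug enable
#    ... wait for the next negotiation attempt, then stop:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear

# 3. BGP neighbor details: state, last error and prefix counts.
get router info bgp neighbors <<<PUREPORT VTI IP FOR GATEWAY 1>>>

# 4. What the FortiGate announces to Pureport (should include the site prefix
#    from "config network").
get router info bgp neighbors <<<PUREPORT VTI IP FOR GATEWAY 1>>> advertised-routes

# 5. BGP routes that were actually installed in the routing table.
get router info routing-table bgp

# 6. Live BGP events if the session flaps or never leaves Connect/Active.
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
#    ... stop:
diagnose debug disable
diagnose ip router bgp all disable
```

Step 5 is the check that matters for connectivity: a prefix that appears in "get router info bgp network" but not in the routing table is being received but not installed, which usually points at a competing static route or a better route from the other tunnel.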





Note: The following entries in the BGP logs are normal. They show the Pureport side offering BGP capabilities that this FortiOS version does not implement (capability code 69 is ADD-PATH, code 73 is the FQDN capability); the FortiGate ignores them and the session establishes without them:

BGP: 169.254.1.2-Outgoing [DECODE] Open Cap: unrecognized capability code 69 len 4

BGP: 169.254.1.2-Outgoing [DECODE] Open Cap: unrecognized capability code 73 len 47