This configuration guide includes the information needed to connect a FortiGate firewall to the Pureport platform via a routed IPsec VPN using BGP for routing.
Note: This guide was created using FortiOS version 5.6.0. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each FortiGate platform may have slightly different commands. Additionally, if you already have a routing topology in place, you must change some of these configuration items based on your specific setup.
Variables Needed
You will need the following information from various sources in order to configure your VPN tunnels and BGP peering on your FortiGate firewall. Use these variables in the Configuration Script, below.
Variable | Source | Notes |
---|---|---|
<<<VPN NAME 1>>> | User-created | Limit to 12 characters |
<<<VPN NAME 2>>> | User-created | Limit to 12 characters |
<<<OUTSIDE NETWORK INTERFACE>>> | FortiGate Configuration | The WAN interface of your firewall. If there are two, select the one bound to the IP address you will use as your VPN peer address. |
<<<INSIDE NETWORK INTERFACE>>> | FortiGate Configuration | The LAN interface of your firewall. If you have more than one, duplicate the rule for each inside interface name that needs to communicate with the other connections on the Pureport platform. |
<<<NETWORK NUMBER FOR SITE>>> and <<<SUBNET MASK FOR SITE>>> | FortiGate Configuration | The IP network and subnet mask for your LAN network. If you have more than one, repeat this command for each network you want to announce via BGP. |
dhgrp and proposal (phase 1 and phase 2) | Pureport console | Defaults are used in the example configuration |
<<<PUREPORT GATEWAY 1 IP ADDRESS>>> | Pureport console | |
<<<PRESHARED KEY FOR GATEWAY 1>>> | Pureport console | |
<<<PUREPORT GATEWAY 2 IP ADDRESS>>> | Pureport console | |
<<<PRESHARED KEY FOR GATEWAY 2>>> | Pureport console | |
<<<CUSTOMER VTI IP FOR GATEWAY 1>>> | Pureport console | |
<<<PUREPORT VTI IP FOR GATEWAY 1>>> | Pureport console | |
<<<CUSTOMER VTI IP FOR GATEWAY 2>>> | Pureport console | |
<<<PUREPORT VTI IP FOR GATEWAY 2>>> | Pureport console | |
<<<CUSTOMER GATEWAY PUBLIC IP>>> | FortiGate Configuration | The public IP address of your firewall that you use as the VPN peer address (the address bound to the outside interface). The script uses it as the BGP router ID. |
<<<YOUR_BGP_ASN>>> | FortiGate Configuration / User-created | If you do not already have an ASN for BGP peering, we recommend using 65501. Review the "ASN selection" article for details. |
Configuration Script
When using this configuration script, substitute the variables listed in the table above.

```
config vpn ipsec phase1-interface
    edit <<<VPN NAME 1>>>
        set ike-version 2
        set interface <<<OUTSIDE NETWORK INTERFACE>>>
        set dpd on-idle
        set dhgrp 14
        set nattraversal disable
        set proposal aes128-sha256
        set keylife 28800
        set remote-gw <<<PUREPORT GATEWAY 1 IP ADDRESS>>>
        set psksecret <<<PRESHARED KEY FOR GATEWAY 1>>>
        set dpd-retryinterval 5
    next
    edit <<<VPN NAME 2>>>
        set ike-version 2
        set interface <<<OUTSIDE NETWORK INTERFACE>>>
        set dpd on-idle
        set dhgrp 14
        set nattraversal disable
        set proposal aes128-sha256
        set keylife 28800
        set remote-gw <<<PUREPORT GATEWAY 2 IP ADDRESS>>>
        set psksecret <<<PRESHARED KEY FOR GATEWAY 2>>>
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit <<<VPN NAME 1>>>
        set phase1name <<<VPN NAME 1>>>
        set proposal aes128-sha256
        set dhgrp 14
        set keepalive enable
        set keylifeseconds 3600
    next
    edit <<<VPN NAME 2>>>
        set phase1name <<<VPN NAME 2>>>
        set proposal aes128-sha256
        set dhgrp 14
        set keepalive enable
        set keylifeseconds 3600
    next
end

config system interface
    edit <<<VPN NAME 1>>>
        set vdom "root"
        set ip <<<CUSTOMER VTI IP FOR GATEWAY 1>>> 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1350
        set remote-ip <<<PUREPORT VTI IP FOR GATEWAY 1>>>
        set interface <<<OUTSIDE NETWORK INTERFACE>>>
        set role lan
    next
    edit <<<VPN NAME 2>>>
        set vdom "root"
        set ip <<<CUSTOMER VTI IP FOR GATEWAY 2>>> 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1350
        set remote-ip <<<PUREPORT VTI IP FOR GATEWAY 2>>>
        set interface <<<OUTSIDE NETWORK INTERFACE>>>
        set role lan
    next
end

config router bgp
    set as <<<YOUR_BGP_ASN>>>
    set router-id <<<CUSTOMER GATEWAY PUBLIC IP>>>
    set graceful-restart enable
    set ebgp-multipath enable
    config neighbor
        edit <<<PUREPORT VTI IP FOR GATEWAY 1>>>
            set remote-as 394351
        next
        edit <<<PUREPORT VTI IP FOR GATEWAY 2>>>
            set remote-as 394351
        next
    end
    config network
        edit 1
            set prefix <<<NETWORK NUMBER FOR SITE>>> <<<SUBNET MASK FOR SITE>>>
        next
    end
end

###
### PLEASE NOTE THAT THE FOLLOWING LINES PERMIT ALL TRAFFIC
### TO AND FROM YOUR INSIDE NETWORK AND ANY OTHER NETWORKS
### YOU CONNECT TO THE PUREPORT NETWORK.
###
### IF YOUR INTERNAL SECURITY POLICY REQUIRES MORE STRICT
### CONTROLS ON TRAFFIC YOU WILL NEED TO MODIFY THIS POLICY
### TO APPROPRIATELY LIMIT ACCESS.
###
config firewall policy
    edit 0
        set srcintf <<<VPN NAME 1>>>
        set dstintf <<<INSIDE NETWORK INTERFACE>>>
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 0
        set srcintf <<<INSIDE NETWORK INTERFACE>>>
        set dstintf <<<VPN NAME 1>>>
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 0
        set srcintf <<<VPN NAME 2>>>
        set dstintf <<<INSIDE NETWORK INTERFACE>>>
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 0
        set srcintf <<<INSIDE NETWORK INTERFACE>>>
        set dstintf <<<VPN NAME 2>>>
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
```
Troubleshooting
This section contains information on troubleshooting the VPN and BGP configuration and connectivity.
VPN Status
After completing the configuration and adding Firewall policies, the VPN should come up immediately. To view the VPN status:
- Use the web interface and select Monitor > IPsec Monitor to view the individual tunnel status and restart tunnels, as needed.
- Or use the following CLI command:

```
get vpn ipsec tunnel summary
```

The console will return output similar to:

```
'vpn-PUREPORT-0' xx.xx.xx.xx:0 selectors(total,up): 1/1 rx(pkt,err): 2523031/0 tx(pkt,err): 1154431/8
'vpn-PUREPORT-1' xx.xx.xx.xx:0 selectors(total,up): 1/1 rx(pkt,err): 807284/0 tx(pkt,err): 299249/8
```
You can also check the Log & Report section in the Web Interface for VPN Events and filter on the VPN names you used during configuration.
Tunnel Interfaces
To ensure the tunnel interfaces are up, ping both the local and Pureport sides of both tunnel interfaces. For example:

To ping Tunnel 1:

```
execute ping 169.254.1.1
execute ping 169.254.1.2
```

To ping Tunnel 2:

```
execute ping 169.254.2.1
execute ping 169.254.2.2
```
BGP Status
Check the BGP status via the command line using the following command:

```
get router info bgp summary
```

The console will return output similar to:

```
BGP router identifier xx.xx.xx.xx, local AS number 65501
BGP table version is 7
4 BGP AS-PATH entries
0 BGP community entries

Neighbor        V     AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.1.2     4 394351     226     260        6    0    0 00:00:21        4
169.254.2.2     4 394351     317     361        5    0    0 00:00:30        4
```

The State/PfxRcd column shows the number of prefixes received once a session is established. If it instead shows a state name (Idle, Connect, or Active), BGP peering has not been established. In that case, use the web interface and select Log & Report > Router Events to review the firewall logs, looking for entries regarding BGP.
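Because the tunnel summary and BGP summary above are what an operator reads when a connection is down, here is an added Python example (not Pureport's or Fortinet's code) that parses both outputs and lists anything needing attention. The device output it contains is constructed in the formats shown above, with documentation addresses standing in for real gateways; the only expected value it relies on is the Pureport AS number 394351 from the configuration script.

```python
import re

# Constructed sample output in the two formats shown above (not captured from a real device).
TUNNEL_SUMMARY = """\
'vpn-PUREPORT-0' 203.0.113.10:0 selectors(total,up): 1/1 rx(pkt,err): 2523031/0 tx(pkt,err): 1154431/8
'vpn-PUREPORT-1' 203.0.113.11:0 selectors(total,up): 1/0 rx(pkt,err): 0/0 tx(pkt,err): 12/12
"""
BGP_SUMMARY = """\
BGP router identifier 203.0.113.5, local AS number 65501
Neighbor        V     AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
169.254.1.2     4 394351     226     260      6   0    0 00:00:21        4
169.254.2.2     4 394351       0       0      0   0    0 never       Active
"""
TUNNEL_RE = re.compile(r"'(?P<name>[^']+)'\s+\S+\s+selectors\(total,up\):\s*(?P<total>\d+)/(?P<up>\d+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_tunnel_summary(text):
    """One dict per tunnel line of 'get vpn ipsec tunnel summary'."""
    return [{"name": m["name"], "total": int(m["total"]), "up": int(m["up"])}
            for m in TUNNEL_RE.finditer(text)]

def parse_bgp_summary(text):
    """One dict per neighbor row of 'get router info bgp summary'."""
    peers = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or not IPV4_RE.match(cols[0]):
            continue  # skips banner lines, the header row and the trailing totals line
        # State/PfxRcd: a number is the prefix count of an Established session,
        # a word (Idle, Connect, Active, ...) is the FSM state of a session still coming up
        last = cols[-1]
        peers.append({"neighbor": cols[0], "remote_as": int(cols[2]), "established": last.isdigit(),
                      "prefixes": int(last) if last.isdigit() else 0,
                      "state": "Established" if last.isdigit() else last})
    return peers

def health_findings(tunnel_text, bgp_text, expected_as=394351):
    """Return a list of problems; an empty list means every tunnel and peer looks healthy."""
    findings = []
    for t in parse_tunnel_summary(tunnel_text):
        if t["up"] < t["total"]:
            findings.append(f"{t['name']}: only {t['up']}/{t['total']} selectors up")
    for p in parse_bgp_summary(bgp_text):
        if p["remote_as"] != expected_as:
            findings.append(f"{p['neighbor']}: unexpected remote AS {p['remote_as']}")
        if not p["established"]:
            findings.append(f"{p['neighbor']}: BGP state {p['state']}, peering not established")
        elif p["prefixes"] == 0:
            findings.append(f"{p['neighbor']}: established but no prefixes received")
    return findings
```

Run against the sample data it reports the second tunnel with no selectors up and the second neighbor stuck in Active; fed real output from both commands it gives the same checks for your own tunnels.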
BGP Routes
Check the routes being received via BGP using the following command:

```
get router info bgp network
```

Note: The following entries in the BGP logs are completely normal and simply reflect capabilities supported by the Pureport platform but not supported by FortiGate:

```
BGP: 169.254.1.2-Outgoing [DECODE] Open Cap: unrecognized capability code 69 len 4
BGP: 169.254.1.2-Outgoing [DECODE] Open Cap: unrecognized capability code 73 len 47
```