How to setup BGP on Fortigate over Dial-up VPN Connections with Mode-config
- Added 28. 05. 2024
- In this step-by-step tutorial, learn how to set up BGP on Fortigate over dial-up VPN connections. We use Mode-config for dynamic IP address allocation as well as iBGP to advertise networks between sites!
- Science & Technology
This has been a definite learning experience for me making this video....again 😀 I want to thank @oinkersable for spotting an issue with the video...which is now rectified...
The video covers:
1. Basic Dialup VPN
2. How to use Mode-config (DHCP for tunnel interfaces)
3. Basic Fortigate tests and verifications
4. BGP!
Enjoy!
Thank you
@MrSatadal for sure! I'm particularly interested to hear your thoughts about this config 😀
Can you use this as a backup to a static IPSec VPN?
Yes absolutely..
Nice job, you must have read my mind! .. I was about to ask you about this. I was wondering whether the dynamic IP addresses used as VTIs for BGP at the spoke will change every time you reload?
Ah man I’m so happy this has been of value, let’s keep at it…
OK, so the VTIs always stay the same when you reload.. Is that correct?..
That's a critical point you're raising and the simple way to address that I think would be with the following config update on the DC fortigate:
config router bgp
    set as 100
    set router-id 1.1.1.1
    set recursive-next-hop enable
    config neighbor-group
        edit "remote-fw"
            set remote-as 100
        next
    end
    config neighbor-range
        edit 1
            # define the range as the VTI address scope; you can make this smaller if you need to
            set prefix 172.16.100.0 255.255.255.0
            # this should probably match the number of peers you expect to peer with your DC FW
            set max-neighbor-num 2
            set neighbor-group "remote-fw"
        next
    end
end
There's a similar config here:
community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127
Thanks, could you please explain the neighbor-group and neighbor-range configs? So if I defined the phase1 range as
    set ipv4-start-ip 10.215.1.1
    set ipv4-end-ip 10.215.1.250
    set ipv4-netmask 255.255.255.0
and then defined the prefix as
    set prefix 10.215.1.0 255.255.255.0
Does that mean the hub will set up a BGP neighbor for each IP address it allocates to the spokes? Is there a way to control which IP address is allocated to which spoke and keep it that way?
I'm trying to make sense of the below config; I can add the max-neighbor command.
config router bgp
    set as 65410
    set router-id 10.20.41.1
    set ibgp-multipath enable
    config neighbor-group
        edit "SPOKE_ISP_1"
            set interface "TUN_INET_ISP1"
            set remote-as 65400
            set update-source "TUN_INET_ISP1"
            set route-reflector-client enable
        next
        edit "SPOKE_ISP_2"
            set interface "TUN_INET_ISP2"
            set remote-as 65410
            set update-source "TUN_INET_ISP2"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.215.1.0 255.255.255.0
            set neighbor-group "SPOKE_ISP_1"
        next
        edit 2
            set prefix 10.215.1.0 255.255.255.0
            set neighbor-group "SPOKE_ISP_2"
        next
    end
end
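A small checker for the hub-side neighbor-group/neighbor-range setup discussed in the two comments above, added here as an example and not code from the video or the thread. It assumes the mode-config pool boundaries (ipv4-start-ip / ipv4-end-ip) are passed in from the phase1 config, parses only the neighbor-group and neighbor-range tables, and reports where a spoke's dynamically assigned VTI address would fail to match a range or where route-reflector-client is set on a peer whose remote-as is not the local AS (route reflection is iBGP-only).

```python
import ipaddress

# Constructed sample condensed from the hub config posted in the thread; the
# remote-as on SPOKE_ISP_1 is kept as posted so the audit has something to flag.
HUB_BGP = """config router bgp
    set as 65410
    config neighbor-group
        edit "SPOKE_ISP_1"
            set remote-as 65400
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.215.1.0 255.255.255.0
            set neighbor-group "SPOKE_ISP_1"
        next
    end
end"""

def parse_bgp(text):
    """Parse the subset of FortiOS 'config router bgp' syntax used in the thread."""
    cfg, sect, entry = {"as": None, "groups": {}, "ranges": {}}, None, None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["config"]:  # only the two sub-tables we care about
            sect = {"neighbor-group": "groups", "neighbor-range": "ranges"}.get(tok[1])
        elif tok[:1] == ["edit"] and sect:
            entry = cfg[sect].setdefault(tok[1].strip('"'), {})
        elif tok[:1] in (["next"], ["end"]):
            entry, sect = None, (sect if tok[0] == "next" else None)
        elif tok[:2] == ["set", "as"] and entry is None:
            cfg["as"] = tok[2]
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = " ".join(tok[2:]).strip('"')
    return cfg

def audit(cfg, pool_start, pool_end):
    """Findings to review before trusting dynamic iBGP peers from a mode-config pool."""
    lo, hi, out = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end), []
    for name, g in cfg["groups"].items():  # route reflection only works for iBGP peers
        if g.get("route-reflector-client") == "enable" and g.get("remote-as") != cfg["as"]:
            out.append(f"{name}: route-reflector-client set but remote-as {g.get('remote-as')} != as {cfg['as']}")
    for rid, r in cfg["ranges"].items():
        if r.get("neighbor-group") not in cfg["groups"]:
            out.append(f"range {rid}: neighbor-group {r.get('neighbor-group')} is not defined")
        net = ipaddress.ip_network(r["prefix"].replace(" ", "/"), strict=False)
        if lo not in net or hi not in net:  # every mode-config address must match a range
            out.append(f"range {rid}: mode-config pool {lo}-{hi} is not inside {net}")
    return out
```

Run `audit(parse_bgp(HUB_BGP), "10.215.1.1", "10.215.1.250")` against the pool from the comment; an empty list means every spoke address can land in a range and all groups are iBGP.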