I recently had to set up remote access SSL VPN for a customer on a Fortinet firewall. The network runs OSPF internally, and the customer asked that we integrate the SSL VPN into their IGP. It's a simple OSPF implementation that uses a VPLS leased line from their provider as the primary route to their colo and a secondary IPsec tunnel if the leased VPLS circuit goes down. OSPF handles the automatic failover.

First we went through the steps of configuring the SSL VPN: new IP range, user groups, LDAP settings, public DNS records, etc. After confirming we could successfully connect to the firewall remotely, we then had to set up the firewall to advertise the new remote access IP range into OSPF. Once the new prefix was added to the advertised networks list, I began checking the routing tables of the other OSPF routers. After all, the neighbor adjacencies were already in place, but lo and behold, the new IP range failed to show up in the neighboring route tables. After a bit of research I discovered that the Fortinet firewall will only advertise the SSL VPN prefix through static route redistribution. The firewall operator must configure the appliance with a blackhole static route to the prefix, and then configure the firewall to redistribute static routes into OSPF.

The main problem with the solution above is that you may not want to redistribute every static route on the appliance into the OSPF domain. The Redistribute toggle in the UI is an all-or-nothing option.

One way to filter static route redistribution on the firewall (as on many network devices) is to use Route Maps. Route Maps are a great way to define routing policy and customize redistribution into the various routing protocols.

The first step is to create the blackhole static route that we will then advertise into our OSPF domain. In the UI go to Network > Static Routes and enter the new remote access IP range as a blackhole route:

Once the static route is in place, the next step is to create an IP prefix list. Hop into the appliance CLI and use the following commands.

The first configured rule matches the SSL VPN IP range, and the second denies all other IP ranges. Once the prefix list is done, the next task is to create the Route Map that references the prefix list, per below.

The last steps are to enable static route redistribution into OSPF and to apply our new Route Map to that redistribution. The following few commands complete the task.
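The complete CLI configuration for the four steps above, as an added example rather than the post's own command output; the remote access range 10.212.134.0/24 and the object names SSLVPN-PL and SSLVPN-RM are assumed placeholders to be replaced with the customer's own values:

```text
# Added example, not from the original post. Assumed values:
# SSL VPN client range 10.212.134.0/24, object names SSLVPN-PL / SSLVPN-RM.

# 1. Blackhole static route for the SSL VPN range (the prefix OSPF will carry)
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set blackhole enable
    next
end

# 2. Prefix list: permit only the SSL VPN range, explicitly deny everything else
config router prefix-list
    edit "SSLVPN-PL"
        config rule
            edit 1
                set prefix 10.212.134.0 255.255.255.0
                set action permit
            next
            edit 2
                set prefix any
                set action deny
            next
        end
    next
end

# 3. Route map whose single permit rule matches the prefix list
config router route-map
    edit "SSLVPN-RM"
        config rule
            edit 1
                set action permit
                set match-ip-address "SSLVPN-PL"
            next
        end
    next
end

# 4. Redistribute static routes into OSPF, filtered through the route map
config router ospf
    config redistribute "static"
        set status enable
        set routemap "SSLVPN-RM"
    end
end
```

Because the route map only permits what the prefix list matches, other static routes on the appliance (the IPsec and VPLS paths, for example) stay out of the OSPF domain; the SSL VPN range should appear on neighboring routers as an OSPF external route.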

Barring the new prefix already being in the FortiGate's OSPF network statements, after all of this you should start seeing the new IP range advertised into the OSPF autonomous system. The above can also be done with an IP Access List on the FortiGate, but I find the prefix list an easier method.
