Technical Tip: Configuring ADVPN and analyzing logs
| Description | This article describes how to configure an ADVPN setup and which logs are observed during spoke-to-spoke dynamic tunnel negotiation. |
| Scope | FortiGate. |
Solution:
The FortiGate ADVPN feature establishes direct tunnels, negotiated dynamically, between two spokes in a hub-and-spoke architecture.
The setup for this example is as follows:

```
Hub --------> Spoke 1
Hub --------> Spoke 2
```

After enabling ADVPN, the setup looks like this:

```
Hub --------> Spoke 1
Hub --------> Spoke 2
Spoke 1 ----> Spoke 2
```

The following is a step-by-step guide to configuring ADVPN.
On the Hub, the configuration looks like this:
```
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port4"                 <----- WAN port.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable      <----- Enable ADVPN on the Hub.
        set psksecret password
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
config system interface
    edit "advpn-hub"
        set vdom "root"
        set ip 10.10.10.254 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.253 255.255.255.0
        set snmp-index 15
        set interface "port4"
    next
end
config router bgp
    set as 65412
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65412
            set route-reflector-client enable  <----- Make the Hub a BGP route reflector.
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 10.100.0.0 255.255.240.0  <----- Hub LAN subnet.
        next
    end
end
```
On Spoke 1, the configuration looks like the following:

```
config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "port5"                 <----- WAN port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable    <----- Enable ADVPN on the Spoke.
        set remote-gw 10.40.51.214
        set psksecret password
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "spoke1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0  <----- Hub tunnel IP.
        set snmp-index 13
        set interface "port5"
    next
end
config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.103.0.0 255.255.240.0  <----- Spoke 1 LAN subnet.
        next
    end
end
```
On Spoke 2, the configuration looks like the following:

```
config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "port1"                 <----- WAN port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable    <----- Enable ADVPN on the Spoke.
        set remote-gw 10.40.51.214
        set psksecret password
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "spoke2"
        set vdom "root"
        set ip 10.10.10.3 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0  <----- Hub tunnel IP.
        set snmp-index 13
        set interface "port1"
    next
end
config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.104.0.0 255.255.240.0  <----- Spoke 2 LAN subnet.
        next
    end
end
```
Note:
Run diagnose commands to check VPN and BGP status:
BGP table on the Hub:

```
Hub # get router info routing-table bgp
Routing table for VRF=0
B       10.103.0.0/20 [200/0] via 10.10.10.1 (recursive via advpn-hub tunnel 10.10.10.1), 2d21h59m
B       10.104.0.0/20 [200/0] via 10.10.10.3 (recursive via advpn-hub tunnel 10.10.10.3), 2d21h59m
```

BGP table on Spoke 1:

```
Spoke1 # get router info routing-table bgp
Routing table for VRF=0
B       10.100.0.0/20 [200/0] via 10.10.10.254, spoke1, 2d22h00m
B       10.104.0.0/20 [200/0] via 10.10.10.3, spoke1, 1d21h58m
```

BGP table on Spoke 2:

```
Spoke2 # get router info routing-table bgp
Routing table for VRF=0
B       10.100.0.0/20 [200/0] via 10.10.10.254, spoke2, 2d22h00m
B       10.103.0.0/20 [200/0] via 10.10.10.1, spoke2, 1d21h59m
```
VPN table on the Hub:

```
Hub # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=advpn-hub_0 ver=1 serial=8 10.40.51.214:0->10.40.51.197:0 tun_id=10.10.10.3 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1   <----- Tunnel with Spoke 2.
name=advpn-hub_1 ver=1 serial=9 10.40.51.214:0->10.40.51.216:0 tun_id=10.10.10.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1   <----- Tunnel with Spoke 1.
```

VPN table on Spoke 1:

```
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke1 ver=1 serial=1 10.40.51.216:0->10.40.51.214:0 dst_mtu=1500   <----- Tunnel with Hub.
```

VPN table on Spoke 2:

```
Spoke2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke2 ver=1 serial=1 10.40.51.197:0->10.40.51.214:0 dst_mtu=1500   <----- Tunnel with Hub.
```
Initiating ping traffic from the Spoke 1 LAN subnet to the Spoke 2 LAN subnet triggers the formation of a shortcut tunnel between them.
The following IKE debug output shows the ADVPN sequence of events that dictates how the shortcut tunnel negotiation takes place between Spoke 1 and Spoke 2:
On the Hub: traffic from Spoke 1 to Spoke 2 crosses the Hub, which sends a SHORTCUT-OFFER to Spoke 1.

```
ike 0: shortcut advpn-hub_1:10.40.51.216:0 to advpn-hub_0:10.40.51.197:0 for 10.103.3.216->10.104.3.197
ike 0 send shortcut-offer to advpn-hub_1
ike 0:advpn-hub_1:8: enc
ike 0:advpn-hub_1:8: sent IKE msg (SHORTCUT-OFFER): 10.40.51.214:500-10.40.51.216:500, len=220, vrf=0, id=012787d430278d8f/ae21a26df2ad43b7:e4100629   <-----
```

On Spoke 1: the offer is received and Spoke 1 sends a SHORTCUT-QUERY to the Hub.

```
ike 0:spoke1:9: notify msg received: SHORTCUT-OFFER   <-----
ike 0:spoke1: shortcut-offer 10.103.3.216->10.104.3.197 psk 64 ppk 0 ver 1 mode 0, peer-addr 10.40.51.197:500
ike 0 looking up shortcut by addr 10.104.3.197, name spoke1, peer-addr 10.40.51.197:500
ike 0:spoke1: send shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ttl 32 nat 0 ver 1 mode 0
ike 0:spoke1:9: sent IKE msg (SHORTCUT-QUERY): 10.40.51.216:500->10.40.51.214:500, len=236, id=012787d430278d8f/ae21a26df2ad43b7:9f3f828c   <-----
```

On the Hub: the query is received, a route lookup resolves the destination to Spoke 2 behind advpn-hub_0, and the query is forwarded to Spoke 2 (TTL decremented to 31).

```
ike 0:advpn-hub_1:8: notify msg received: SHORTCUT-QUERY   <-----
ike 0:advpn-hub_1: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 32 nat 0 ver 1 mode 0
ike 0:advpn-hub: iif 21 10.103.3.216->10.104.3.197 route lookup oif 21 advpn-hub gwy 10.10.10.3
ike 0:advpn-hub_0: forward shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.40.51.197:500
ike 0:advpn-hub_0:9: enc
ike 0:advpn-hub_0:9: sent IKE msg (SHORTCUT-QUERY): 10.40.51.214:500->10.40.51.197:500, len=236, vrf=0, id=e82803871055e57c/4cd9f6960772b271:fe1a6904   <-----
```

On Spoke 2: the query is received and a SHORTCUT-REPLY is sent back towards Spoke 1 via the Hub.

```
ike 0:spoke2:12: notify msg received: SHORTCUT-QUERY   <-----
ike 0:spoke2: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 nat 0 ver 1 mode 0
ike 0:spoke2: iif 19 10.103.3.216->10.104.3.197 route lookup oif 13 root
ike 0:spoke2: shortcut-query received from 10.40.51.197:500, local-nat=no, peer-nat=no
ike 0:spoke2: send shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0
ike 0:spoke2:12: sent IKE msg (SHORTCUT-REPLY): 10.40.51.197:500->10.40.51.214:500, len=220, id=e82803871055e57c/4cd9f6960772b271:3224b45c   <-----
```

On the Hub: the reply is received from Spoke 2 and forwarded to Spoke 1.

```
ike 0:advpn-hub_0:9: notify msg received: SHORTCUT-REPLY
ike 0:advpn-hub_0: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:advpn-hub_1: forward shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ttl 31 ver 1 mode 0 ext-mapping 10.40.51.197:500
ike 0:advpn-hub_1:8: sent IKE msg (SHORTCUT-REPLY): 10.40.51.214:500->10.40.51.216:500, len=236, vrf=0, id=012787d430278d8f/ae21a26df2ad43b7:d8bda5c9   <-----
```

On Spoke 1: the reply is received, the dynamic tunnel spoke1_0 towards Spoke 2's public address is added, and Spoke 1 starts IKE main mode directly with Spoke 2.

```
ike 0:spoke1:9: notify msg received: SHORTCUT-REPLY   <-----
ike 0:spoke1: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 10.40.51.197:500
ike 0:spoke1: iif 19 10.104.3.197->10.103.3.216 route lookup oif 13 root
ike 0:spoke1: shortcut-reply received from 10.40.51.197:500, local-nat=no, peer-nat=no
ike 0:spoke1: created connection: 0xca63f00 7 10.40.51.216->10.40.51.197:500.
ike 0:spoke1: adding new dynamic tunnel for 10.40.51.197:500
ike 0:spoke1_0: added new dynamic tunnel for 10.40.51.197:500
ike 0:spoke1_0: shortcut selector added, new serial 1
ike 0:spoke1_0:10: initiator: main mode is sending 1st message...
```
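When a shortcut never comes up, the useful question is which stage of the offer/query/reply exchange above was the last one seen. The following Python is an added example (not from this article or FortiOS) that groups the shortcut-query/reply debug messages by shortcut ID, records each hop with its TTL, and reports the stage where a negotiation stalled. The sample lines are constructed from the output above, and the status names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: this article's shortcut-query/reply debug lines, minus the "notify"/"sent IKE msg" lines.
SAMPLE_DEBUG = """\
ike 0:spoke1: send shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ttl 32 nat 0 ver 1 mode 0
ike 0:advpn-hub_1: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 32 nat 0 ver 1 mode 0
ike 0:advpn-hub_0: forward shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.40.51.197:500
ike 0:spoke2: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 nat 0 ver 1 mode 0
ike 0:spoke2: send shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0
ike 0:advpn-hub_1: forward shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ttl 31 ver 1 mode 0 ext-mapping 10.40.51.197:500
ike 0:spoke1: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 10.40.51.197:500
ike 0:spoke1_0: added new dynamic tunnel for 10.40.51.197:500
"""
QUERY = re.compile(r"ike 0:(?P<tun>[\w-]+): (?P<act>send|recv|forward) shortcut-query (?P<sid>\d+) \S+ (?P<gw>[\d.]+) (?P<src>[\d.]+)->(?P<dst>[\d.]+) .*?\bttl (?P<ttl>\d+)")
REPLY = re.compile(r"ike 0:(?P<tun>[\w-]+): (?P<act>send|recv|forward) shortcut-reply (?P<sid>\d+) \S+ (?P<gw>[\d.]+) to (?P<orig>[\d.]+)")
ADDED = re.compile(r"ike 0:(?P<tun>[\w-]+): added new dynamic tunnel for (?P<peer>[\d.:]+)")

@dataclass
class Shortcut:
    src: str = ""                                   # host that triggered the shortcut
    dst: str = ""                                   # host it was trying to reach
    query_path: list = field(default_factory=list)  # (tunnel, send|recv|forward, ttl) per hop
    reply_path: list = field(default_factory=list)  # (tunnel, send|recv|forward) per hop
    tunnel: str = ""                                # dynamic tunnel created on the initiator

def trace_shortcuts(debug_text):
    """Group the ADVPN shortcut messages by shortcut ID and record every hop seen."""
    shortcuts, last_sid = {}, None
    for line in debug_text.splitlines():
        if m := QUERY.search(line):
            sc = shortcuts.setdefault(m["sid"], Shortcut(m["src"], m["dst"]))
            sc.query_path.append((m["tun"], m["act"], int(m["ttl"])))
            last_sid = m["sid"]
        elif m := REPLY.search(line):
            sc = shortcuts.setdefault(m["sid"], Shortcut(src=m["orig"]))
            sc.reply_path.append((m["tun"], m["act"]))
            last_sid = m["sid"]
        elif (m := ADDED.search(line)) and last_sid:
            shortcuts[last_sid].tunnel = m["tun"]   # the "<phase1>_0" dynamic interface
    return shortcuts

def negotiation_status(sc):
    """Stage a shortcut reached; the first stage that is missing is where to troubleshoot."""
    if not sc.query_path:
        return "no-query"
    if not sc.reply_path:
        return "query-sent-no-reply"                # hub or remote spoke never answered
    if (sc.query_path[0][0], "recv") not in sc.reply_path:
        return "reply-in-transit"                   # reply seen on the hub, not back at the initiator
    return "shortcut-up" if sc.tunnel else "reply-received-no-tunnel"
```

Feeding the combined debug output of hub and spokes to trace_shortcuts() gives one record per shortcut ID; the TTL column in query_path shows the hub decrementing the TTL on the forwarded query.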
VPN table on Spoke 1 after the shortcut is established:

```
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke1 ver=1 serial=1 10.40.51.216:0->10.40.51.214:0 dst_mtu=1500   <----- Tunnel with Hub.
------------------------------------------------------
name=spoke1_0 ver=1 serial=1 10.40.51.216:0->10.40.51.197:0 dst_mtu=1500   <----- Tunnel with Spoke 2 (shortcut).
```

VPN table on Spoke 2 after the shortcut is established:

```
Spoke2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke2 ver=1 serial=1 10.40.51.197:0->10.40.51.214:0 dst_mtu=1500   <----- Tunnel with Hub.
------------------------------------------------------
name=spoke2_0 ver=1 serial=1 10.40.51.197:0->10.40.51.216:0 dst_mtu=1500   <----- Tunnel with Spoke 1 (shortcut).
```
