Aghiles
New Member
June 30, 2019
Question

DMVPN: FortiGate as HUB and Cisco Routers as Spokes


Hi,

 

One of my customers wants to replace his Cisco router, configured as a DMVPN hub, with a FortiGate 1000D firewall.

The Cisco router is used to create VPNs with other Cisco routers at the spoke sites.

Does FortiGate support DMVPN, and is there a way to make this configuration run without replacing the Cisco routers at the spoke sites?

 

Best regards 

    2 replies

    ede_pfau
    SuperUser
    June 30, 2019

    DMVPN is Cisco proprietary and is not supported in FortiOS.

    As far as I understand the (Wikipedia article about) DMVPN, it is hub-and-spoke, but at the same time fully meshed, using dynamic routing and a lot of other stuff. I'd think you could build that with FortiGates but with conventional means only, meaning a lot of effort.

    hubertzw
    New Member
    June 30, 2019

    Auto Discovery VPN (ADVPN) is a Fortinet proprietary protocol. This is pretty much the same concept as DMVPN but available only on FortiGates:

     

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD39360

     

    gahlberg
    Staff
    July 21, 2024

    ADVPN is not a Fortinet proprietary protocol; it is a standard RFC from back in 2013 written by HP and Juniper Networks, see: https://datatracker.ietf.org/doc/html/rfc7018

    However, the implementation of the ADVPN standard on FortiOS only works with Fortinet devices, but by no means is ADVPN in a general sense proprietary. Back when ADVPN was being developed, Cisco was (at the same time) pushing DMVPN to become a standard, but it never made it to that stage, and ADVPN won out. Cisco's DMVPN only made it to the draft stage and never made it to a published RFC. DMVPN is therefore only proprietary to Cisco and has several drawbacks in comparison to ADVPN, like the additional overhead of GRE and NHRP, as an example.

    BGauth
    New Member
    November 6, 2025

    Keeping an old thread alive. I agree that DMVPN isn't a "standard" in the truest sense. But there is a huge caveat to that. All DMVPN consists of is IPsec, GRE, NHRP and a dynamic routing protocol. Other vendors have adopted this solution using these defined standards. It would be nice if NHRP made it to the list of protocols that Fortinet supported. Not having it, I believe, is more of a marketing solution. All VPN solutions have overhead. I'm not sure it's fair to define all overhead equally. NHRP does introduce memory and processing overhead, true, but not in the sense of packet MTU overhead. ADVPN does not require the 24 bytes of overhead introduced by GRE, so in that case it is a winner, but I'm not sure that will be noticeable for most use cases unless you are pushing for ultra-low latency on congested interfaces.

    Instead of DMVPN being a standard, I would rather say it's a concept or implementation using standards.