xlloyd
New Member
June 30, 2014
Question

Full Mesh VPN Question

  • June 30, 2014
  • 7 replies
  • 15559 views
Hello everyone, I was wondering if the Fortigate can do full mesh VPNs with other Fortigates. I saw that using the VPN Concentrator feature, you can do hub and spoke connection but I am looking for a solution that will enable spokes to speak directly with each other without having to manually configure each tunnel. Some instructions or a link to a document or article would be much appreciated. Thanks much.

    7 replies

    rwpatterson
    New Member
    June 30, 2014
    I use the IPSec interface based tunnels in a zone. When you create the zone, there is a check box which either allows or disallows the spokes to communicate with each other. The benefit with this approach is that you can treat all the remote sites as one. One set of policies is really easier to manage...
    ede_pfau
    SuperUser
    July 1, 2014
    Which still is a hub-and-spoke config. The main drawback of this is that if the hub fails, all communication from hub to spokes and between spokes fails. A true fully meshed VPN is redundant. If one endpoint fails, only this location is taken out. Traffic between the other locations is not affected. Drawback: for n locations you need to create (and maintain!) n*(n-1)/2 tunnels. As of FortiOS 5.0 there is no wizard to automatically create all tunnel definitions from a set of locations. I haven't looked this up in FOS 5.2, but I doubt it will support this.
    emnoc
    New Member
    July 1, 2014
    Agreed, if you want a full mesh, build a full mesh. Also keep in mind that in a hub-spoke, your bandwidth usage is utilized highly for traffic entering and leaving a hub. A few drawbacks to a full mesh: as you grow sites there's more work involved; static routing becomes tedious at best (ideal for dynamic routing w/ route-based VPNs). Also fw policy creation can become more work. Also I would guess that CPU/memory consumption would be higher. On a smaller appliance you might run out of VPN interfaces (review the Fortinet max matrices & values very carefully for any restriction on number of tunnels/routes/interfaces/etc.). Even with all of the above, a full mesh is much better in so many ways.
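    The two replies above point out that a full mesh needs n*(n-1)/2 tunnels and that FortiOS 5.0 has no wizard to generate them. The following is an added example, not code from the thread or from Fortinet: a small generator that enumerates the mesh pairs and renders the per-device phase1/phase2 stanzas for a constructed four-site inventory. The site names, the TEST-NET addresses, the "wan1" interface name and the per-pair PSK placeholders are all assumptions to be replaced with real values.

```python
from itertools import combinations

# Constructed sample inventory (placeholder TEST-NET addresses), not a real deployment.
SITES = {"hq": "192.0.2.1", "br1": "192.0.2.2", "br2": "192.0.2.3", "br3": "192.0.2.4"}


def mesh_pairs(sites):
    """Every unordered pair of sites: n*(n-1)/2 tunnels for n sites."""
    return list(combinations(sorted(sites), 2))


def tunnel_name(peer):
    """Tunnel interface name on the local box; FortiOS caps interface names at 15 chars."""
    name = f"to_{peer}"
    if len(name) > 15:
        raise ValueError(f"interface name too long: {name}")
    return name


def device_config(local, sites, wan="wan1"):
    """Render the phase1/phase2 stanzas `local` needs for each of its n-1 peers.
    Each pair gets its own PSK placeholder: never share one secret across the mesh."""
    out = []
    for a, b in mesh_pairs(sites):
        if local not in (a, b):
            continue
        peer = b if a == local else a
        name = tunnel_name(peer)
        out += [
            "config vpn ipsec phase1-interface",
            f'    edit "{name}"',
            f'        set interface "{wan}"',
            f"        set remote-gw {sites[peer]}",
            "        set proposal aes256-sha256",
            f"        set psksecret <PSK_{a}_{b}>",  # same placeholder on both ends of a pair
            "    next",
            "end",
            "config vpn ipsec phase2-interface",
            f'    edit "{name}"',
            f'        set phase1name "{name}"',
            "        set proposal aes256-sha256",
            "    next",
            "end",
        ]
    return "\n".join(out)


def tunnels_per_device(sites):
    """Sanity check: each device terminates n-1 tunnels in a full mesh."""
    return {s: sum(s in p for p in mesh_pairs(sites)) for s in sites}


if __name__ == "__main__":
    print(device_config("hq", SITES))
```

    Static routes and firewall policies for each tunnel interface still have to be added per device, which is the growth cost the replies describe.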
    Carl_Wallmark
    New Member
    July 1, 2014
    In a FortiManager you can build a full-mesh network, and then push it out to all fortigates. From the FortiManager Administrative Guide:
    You can create full meshed, star, and dial up VPN topologies. Once you have created the topology, you can create the VPN gateway.
    rwpatterson
    New Member
    July 1, 2014
    You could also look into a hybrid, where a few stronger nodes are hubs as well.
    xlloyd (Author)
    New Member
    July 1, 2014
    Thanks for the responses all. I think using the FortiManager will be the way to go. I'll see if I can lab it up to try it.
    hklb
    Visitor III
    May 19, 2015
    Hello,

    Is the FortiManager the only solution?

    I have some customers with Juniper SSG, and there is the ACVPN (https://kb.juniper.net/InfoCenter/index?page=content&id=KB28228). With that, the VPN between each spoke is automatically created.


    emnoc
    New Member
    May 19, 2015
    ACVPN and DMVPN are Screen and Cisco technologies respectively; neither has been deployed in a Fortinet or anything similar. In fact, even CSCO skipped DMVPN or GETVPN in an ASA.

    So unless FTNT plans on deploying something similar in FortiOS, you will have to wait.

    All of the above are multi-PT architectures, but Fortinet has never thrown their ball into the game, for whatever reasons.

    hklb
    Visitor III
    January 6, 2016
    Hi,

    For information (for the next guy searching for this): in FortiOS 5.4, there is a new feature called "ADVPN" and there is a cookbook on this topic:

    http://cookbook.fortinet.com/configuring-advpn-in-fortios-5-4-dynamic-hub-and-spoke-vpns/


    Lucas