Description
This article describes how to manage a FortiAP located behind a spoke FortiGate, with BGP running over an IPsec VPN between the spoke and the hub FortiGate that acts as wireless controller.
Scope
FortiAP.
Solution
In some cases the FortiAPs must be managed remotely: the FortiGate acting as wireless controller (WLC) is not at the site where the FortiAP is installed. In that case the CAPWAP traffic (UDP 5246 for control, UDP 5247 for data) must be allowed on every hop of the path between the FortiAP and the controller. In this article that path is an IPsec tunnel between the spoke and the hub, with BGP exchanging the routes over the tunnel.
The topology used in this article is as follows: FortiGate-60E_Hub (shown as NGFW-2 in the CLI output) is the hub and wireless controller, FortiWiFi-61F Spoke1 is the spoke, and the FortiAP is connected behind the spoke. The hub uses AS 65000 and the spoke AS 64511, so the hub-spoke BGP sessions are eBGP (the neighbor output below reports them as 'external link').
NGFW-2 (root) # config router bgp
NGFW-2 (bgp) # show
config router bgp
    set as 65000                          <----- Local AS of the hub.
    set router-id 1.1.1.1                 <----- Router ID.
    config neighbor
        edit "10.100.201.88"              <----- Underlay neighbor: port b of FortiWiFi-61F Spoke1.
            set remote-as 64511           <----- AS number of the spoke.
            set update-source "internal7" <----- Physical interface on FortiGate-60E_Hub.
        next
        edit "10.10.10.2"                 <----- Tunnel IP of FortiWiFi-61F Spoke1. Use the correct tunnel IP, otherwise the FortiAP will be offline.
            set advertisement-interval 1
            set ebgp-enforce-multihop enable
            set link-down-failover enable
            set remote-as 64511           <----- AS number of FortiWiFi-61F Spoke1.
        next
    end
    config network                        <----- Networks behind FortiGate-60E_Hub.
        edit 1
            set prefix 10.10.80.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.56.0 255.255.255.0
        next
        edit 3
            set prefix 192.168.45.0 255.255.255.0
        next
        edit 4
            set prefix 10.100.201.0 255.255.255.0
        next
        edit 5
            set prefix 90.90.90.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
FortiWiFi-61F # config router bgp
FortiWiFi-61F (bgp) # show
config router bgp
    set as 64511                          <----- Local AS of the spoke. The hub uses AS 65000, so the sessions to the hub are eBGP.
    set router-id 2.2.2.2                 <----- Router ID.
    config neighbor
        edit "10.10.10.1"                 <----- Tunnel IP of FortiGate-60E_Hub.
            set ebgp-enforce-multihop enable
            set remote-as 65000
        next
        edit "10.100.201.86"              <----- Underlay neighbor: internal7 of FortiGate-60E_Hub.
            set remote-as 64511           <----- Does not match the hub's AS (65000); the neighbor output below shows this session failing with 'Bad Peer AS'.
            set update-source "b"         <----- Physical interface of FortiWiFi-61F Spoke1.
        next
    end
    config network                        <----- Networks behind FortiWiFi-61F Spoke1.
        edit 1
            set prefix 10.10.56.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.1.0 255.255.255.0
        next
        edit 3
            set prefix 10.253.240.0 255.255.240.0
        next
        edit 4
            set prefix 10.255.1.0 255.255.255.0
        next
        edit 5
            set prefix 197.168.1.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
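The two configurations above define two BGP sessions between the same pair of devices: one across the IPsec tunnel (10.10.10.1 / 10.10.10.2) and one across the underlay link the tunnel runs on (10.100.201.86 / 10.100.201.88). The spoke's underlay neighbor is configured with remote-as 64511 while the hub is AS 65000, so that session never comes up (the neighbor output further below shows it cycling with 'Bad Peer AS'), and the FortiAP currently depends on the tunnel session alone. The fragment below is an added example, not part of the original article. It corrects the remote-as on the spoke and, because a working underlay session would otherwise offer an unencrypted second path for exactly the same prefixes, gives the tunnel neighbors a higher weight so that routes learned through the tunnel always win. The weight value 200 and the choice of weight rather than a route-map are assumptions; the addresses and AS numbers are the ones from the page.

```fortios
FortiWiFi-61F # config router bgp
    config neighbor
        edit "10.100.201.86"            <----- hub internal7, underlay session
            set remote-as 65000         <----- was 64511; the hub's local AS is 65000
        next
        edit "10.10.10.1"               <----- hub tunnel IP
            set weight 200              <----- assumed value: prefer routes learned through the tunnel
        next
    end
end

NGFW-2 (root) # config router bgp
    config neighbor
        edit "10.10.10.2"               <----- spoke tunnel IP
            set weight 200              <----- same preference on the hub side
        next
    end
end

FortiWiFi-61F # execute router clear bgp ip 10.100.201.86     <----- restart the corrected session
FortiWiFi-61F # get router info bgp summary                   <----- both neighbors must show a prefix count, not 'Active'
NGFW-2 (root) # get router info routing-table bgp             <----- 192.168.1.0/24 (FortiAP segment) must point to 10.10.10.2, not 10.100.201.88
```

If the underlay session is not wanted at all, the alternative is to leave the AS mismatch alone and administratively disable that neighbor with 'set shutdown enable' on both sides; what matters for the FortiAP is that the route to the controller address (10.10.80.1) and the route back to 192.168.1.0/24 resolve through the tunnel interfaces, so that CAPWAP never travels over the underlay in the clear.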
NGFW-2 (root) # get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 10.10.10.2, remote AS 64511, local AS 65000, external link
  BGP version 4, remote router ID 2.2.2.2
  BGP state = Established, up for 3d16h24m
  Last read 00:00:29, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv4 Unicast: advertised and received
    Address family VPNv4 Unicast: advertised
    Address family IPv6 Unicast: advertised and received
    Address family VPNv6 Unicast: advertised
    Address family L2VPN EVPN: advertised
  Received 9856 messages, 0 notifications, 0 in queue
  Sent 9851 messages, 1 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  NLRI treated as withdraw: 0
  Minimum time between advertisement runs is 1 seconds

 For address family: IPv4 Unicast
  BGP table version 7, neighbor version 7
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  3 accepted prefixes, 3 prefixes in rib
  5 announced prefixes

 For address family: VPNv4 Unicast
  BGP table version 1, neighbor version 1
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 1
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: VPNv6 Unicast
  BGP table version 1, neighbor version 1
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: L2VPN EVPN
  BGP table version 1, neighbor version 1
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

  Connections established 2; dropped 1
  External BGP neighbor may be up to 255 hops away.
Local host: 10.10.10.1, Local port: 179
Foreign host: 10.10.10.2, Foreign port: 13181
Egress interface: 61
Nexthop: 10.10.10.1
Nexthop interface: Hug FGate
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 3d16h25m, due to BGP Notification sent
Notification Error Message: (CeaseUnspecified Error Subcode)

BGP neighbor is 10.10.10.3, remote AS 64511, local AS 65000, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Last read , hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Received 0 messages, 0 notifications, 0 in queue
  Sent 0 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  NLRI treated as withdraw: 0
  Minimum time between advertisement runs is 1 seconds

 For address family: IPv4 Unicast
  BGP table version 7, neighbor version 0
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: VPNv4 Unicast
  BGP table version 1, neighbor version 0
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 0
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: VPNv6 Unicast
  BGP table version 1, neighbor version 0
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: L2VPN EVPN
  BGP table version 1, neighbor version 0
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

  Connections established 0; dropped 0
  External BGP neighbor may be up to 255 hops away.
Egress interface: 0
Next connect timer due in 47 seconds

BGP neighbor is 10.100.201.88, remote AS 64511, local AS 65000, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Last read 00:00:05, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Received 94865 messages, 94865 notifications, 0 in queue
  Sent 236745 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  NLRI treated as withdraw: 0
  Minimum time between advertisement runs is 30 seconds
  Update source is internal7

 For address family: IPv4 Unicast
  BGP table version 7, neighbor version 0
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: VPNv4 Unicast
  BGP table version 1, neighbor version 0
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 0
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: VPNv6 Unicast
  BGP table version 1, neighbor version 0
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: L2VPN EVPN
  BGP table version 1, neighbor version 0
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

  Connections established 0; dropped 0
Egress interface: 0
Next connect timer due in 88 seconds
Last Reset: 00:00:05, due to BGP Notification received
Notification Error Message: (OPEN Message Error/Bad Peer AS.)
NGFW-2 (root) #

Reading the hub output: only the tunnel session (10.10.10.2, next-hop interface Hug FGate) is Established; it accepts 3 prefixes and announces 5. The underlay session to 10.100.201.88 stays in Active and is reset every few seconds by a notification received from the spoke, 'OPEN Message Error/Bad Peer AS': the spoke's neighbor entry for the hub expects AS 64511 while the hub announces AS 65000 in its OPEN message. The entry for 10.10.10.3 is not part of the configuration excerpt shown above, has never connected, and plays no role in this setup.
FortiWiFi-61F # get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 10.10.10.1, remote AS 65000, local AS 64511, external link
  BGP version 4, remote router ID 1.1.1.1
  BGP state = Established, up for 3d16h26m
  Last read 00:00:57, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 9848 messages, 0 notifications, 0 in queue
  Sent 9860 messages, 1 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  NLRI treated as withdraw: 0
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  BGP table version 18, neighbor version 17
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  5 accepted prefixes, 5 prefixes in rib
  3 announced prefixes

 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 1
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

  Connections established 2; dropped 1
  External BGP neighbor may be up to 255 hops away.
Local host: 10.10.10.2, Local port: 13181
Foreign host: 10.10.10.1, Foreign port: 179
Egress interface: 36
Nexthop: 10.10.10.2
Nexthop interface: TestSpoke1
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 3d16h26m, due to BGP Notification sent
Notification Error Message: (Hold Timer Expired/Unspecified Error Subcode)

BGP neighbor is 10.100.201.86, remote AS 64511, local AS 64511, internal link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Last read 00:00:06, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Received 94921 messages, 1 notifications, 0 in queue
  Sent 142316 messages, 94878 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  NLRI treated as withdraw: 0
  Minimum time between advertisement runs is 30 seconds
  Update source is b

 For address family: IPv4 Unicast
  BGP table version 18, neighbor version 0
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

 For address family: IPv6 Unicast
  BGP table version 1, neighbor version 0
  Index 2, Offset 0, Mask 0x4
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes

  Connections established 1; dropped 1
Egress interface: 0
Next connect timer due in 99 seconds
Last Reset: 00:00:06, due to BGP Notification sent
Notification Error Message: (OPEN Message Error/Bad Peer AS.)
FortiWiFi-61F #

The spoke shows the mirror image: the tunnel session to 10.10.10.1 (next-hop interface TestSpoke1) is Established with 5 accepted and 3 announced prefixes, which is what carries the FortiAP segment 192.168.1.0/24 to the hub and the controller network 10.10.80.0/24 back to the spoke. The underlay session to 10.100.201.86 is treated as 'internal link' because its remote-as equals the spoke's own AS (64511); the spoke rejects every OPEN from the hub, which carries AS 65000, and sends 'Bad Peer AS' back (94878 notifications sent). The FortiAP's CAPWAP path therefore depends entirely on the tunnel session: check that one first whenever the FortiAP goes offline.
NGFW-2 (root) # config vpn ipsec phase1-interface
NGFW-2 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "Hug FGate"                      <----- Tunnel interface name on the hub; FortiWiFi-61F Spoke1 connects to this one.
        set type dynamic
        set interface "internal7"         <----- Physical interface.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: Hug FGate"
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC 0aQJPmc3qx+KeM/Apc/qfspLg+GkSZv1UEpuqpkHUa0j95TqICH045FSf7a1qdH1+T6DJjWsYJpAvHMYTg8hOuHjW3abglkIwVXRTTnnWG4Cjfgrj8FpJDE6PLWm/Vn8TayOsMgBD4pw9MCKxlAaZMN2K0aFltYb3zc3W+xADPuwF/DuFV2887vcWoS0++SZtZOoSVlmMjY3dkVA
    next
end

Both phase1 definitions in this article were generated by the VPN wizard. 'set peertype any' with a single pre-shared key means that any device holding that key can bring up a tunnel to the hub; in production, restrict the peers with peer IDs or certificates, and drop the SHA-1 proposals once both ends support the SHA-256 ones.
VPN Phase2:
NGFW-2 (root) # config vpn ipsec phase2-interface
NGFW-2 (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "Hug FGate"                      <----- Interface name.
        set phase1name "Hug FGate"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: Hug FGate"
    next
end
FortiWiFi-61F (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "TestSpoke1"                     <----- Name.
        set interface "b"                 <----- Physical interface.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: TestSpoke1 (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set remote-gw 10.100.201.86       <----- IP of internal7 on FortiGate-60E_Hub.
        set psksecret ENC Ls8eujSET/VBgajrpDmo5OJf3riwUOVgAuJn4pUANam2bvgfslq0LqMOtVmGaYMdFUBR/PvC1obI7h4FJagY3jDriWuUwI0P/RkPbXyL57FKKnjmXo0HzN70aAj8Zimy4artakE2+F1LVSgHQ+X0DokChnyklpSBETpywsLgm0fjqUtUxKM+KWUGz7XpktVsUpYiXg==
    next
end
VPN Phase2:
FortiWiFi-61F (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "TestSpoke1"
        set phase1name "TestSpoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: TestSpoke1"
    next
end
Check that the VPN tunnel is up.
Add firewall policies that allow the CAPWAP traffic between the FortiAP and the controller, and enable Security Fabric connection (the allowaccess option that admits CAPWAP on a FortiGate interface) on the hub's tunnel interface (10.10.10.1) and on internal7 (10.100.201.86) of FortiGate-60E_Hub.
The FortiAP is connected to internal1 of FortiWiFi-61F_Spoke1. Security Fabric connection must NOT be enabled on that interface, so that the spoke does not act as the wireless controller for the FortiAP itself. The interface uses the segment 192.168.1.0/24 and the FortiAP obtains an IP address from it.
The FortiAP must use 10.10.80.1, an address on FortiGate-60E_Hub, as its wireless controller (WLC) IP, and that address must be reachable from the FortiAP.
FortiGate-60E_Hub must be able to ping the FortiAP's IP address.
The FortiAP is then online and managed by FortiGate-60E_Hub across the IPsec tunnel, using the routes exchanged by BGP over that tunnel.
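The checks above, written out as configuration and verification commands. This is an added example and not the original article's configuration. It assumes the interface names stated in this article (internal1 on the spoke for the FortiAP, TestSpoke1 and Hug FGate for the tunnel, internal7 on the hub), the controller address 10.10.80.1, and a FortiAP address of 192.168.1.10, which is a value chosen for the example; the service, address-object and policy names are assumptions as well. On FortiOS, 'fabric' in the allowaccess list is what admits CAPWAP to the FortiGate, so it is set on the hub interfaces that receive the FortiAP's CAPWAP and deliberately kept off internal1 on the spoke.

```fortios
FortiWiFi-61F # config system interface
    edit "internal1"                              <----- FortiAP segment 192.168.1.0/24
        set allowaccess ping                      <----- no 'fabric' here: the spoke must not become the FortiAP's controller
    next
end

FortiWiFi-61F # config firewall service custom
    edit "CAPWAP-ctrl-data"                       <----- assumed name
        set udp-portrange 5246-5247               <----- CAPWAP control (5246) and data (5247)
    next
end

FortiWiFi-61F # config firewall address
    edit "WLC-10.10.80.1"                         <----- assumed name: controller address on the hub
        set subnet 10.10.80.1 255.255.255.255
    next
end

FortiWiFi-61F # config firewall policy
    edit 0
        set name "FortiAP-to-WLC"                 <----- FortiAP -> controller, into the tunnel
        set srcintf "internal1"
        set dstintf "TestSpoke1"
        set srcaddr "all"
        set dstaddr "WLC-10.10.80.1"
        set action accept
        set schedule "always"
        set service "CAPWAP-ctrl-data"
    next
    edit 0
        set name "WLC-to-FortiAP"                 <----- hub -> FortiAP (ping and controller-initiated traffic)
        set srcintf "TestSpoke1"
        set dstintf "internal1"
        set srcaddr "WLC-10.10.80.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

NGFW-2 (root) # config system interface
    edit "Hug FGate"                              <----- tunnel interface, 10.10.10.1
        set allowaccess ping fabric               <----- 'fabric' admits CAPWAP; keep any management access already on the list
    next
    edit "internal7"                              <----- 10.100.201.86
        set allowaccess ping fabric
    next
end

NGFW-2 (root) # diagnose vpn tunnel list name "Hug FGate"                 <----- tunnel must be up
NGFW-2 (root) # get router info routing-table bgp                         <----- 192.168.1.0/24 must point to 10.10.10.2 via Hug FGate
NGFW-2 (root) # execute ping-options source 10.10.80.1                    <----- ping from the controller address, not from the tunnel IP
NGFW-2 (root) # execute ping 192.168.1.10                                 <----- assumed FortiAP address
NGFW-2 (root) # diagnose sniffer packet "Hug FGate" 'udp port 5246' 4 5 l <----- CAPWAP control arriving inside the tunnel
NGFW-2 (root) # diagnose wireless-controller wlac -c wtp                  <----- the FortiAP must be listed as connected
```

The sniffer line is the quickest way to tell the two failure modes apart: CAPWAP packets visible on Hug FGate but the FortiAP still not listed by wlac means the hub is dropping them (allowaccess or the controller address), while no packets at all means the problem is on the spoke side (policy, routing through the tunnel, or the FortiAP pointing at the wrong controller address).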
Every FortiAP managed in this remote mode should use SSIDs in bridge mode. This is the best practice to avoid high latency: client traffic on a bridge-mode SSID stays on the FortiAP's local LAN and uses the local Internet gateway instead of being tunnelled to the controller.
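A bridge-mode SSID definition for this scenario, as an added example rather than configuration from the original article. The SSID name and passphrase are placeholders; the two options that matter are 'local-bridging', which keeps client traffic on the FortiAP's LAN (192.168.1.0/24 in this article) instead of the tunnel to the hub, and 'local-standalone', which lets the FortiAP keep serving clients while the controller is unreachable, for example during an IPsec or BGP outage.

```fortios
NGFW-2 (root) # config wireless-controller vap
    edit "Remote-Bridge"                      <----- assumed VAP/SSID name
        set ssid "Remote-Bridge"
        set local-bridging enable             <----- bridge mode: client traffic exits on the FortiAP's LAN, not through the tunnel
        set local-standalone enable           <----- keep the SSID up if the controller becomes unreachable
        set security wpa2-only-personal
        set passphrase "ChangeMe-ExampleOnly" <----- placeholder
    next
end
```

The VAP is then assigned to the radio of the FortiAP's WTP profile on the hub as usual. With local-bridging enabled, only CAPWAP control traffic crosses the tunnel; client data never does, which is what keeps latency low for the remote site.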
If the FortiAP goes offline, follow the instructions in Troubleshooting Tip: FortiAP Offline: Complete Consolidated Troubleshooting & Checklist to restore the wireless service.
Copyright 2025 Fortinet, Inc. All Rights Reserved.