FortiGate
ssriswadpong
Staff
Article Id 323429

Description: This article describes how to configure ADVPN so that the Hub automatically assigns tunnel IP addresses to the spokes.
Scope: FortiGate.
Solution

[Diagram: ADVPN Hub and Spokes topology]

The topology in this example is an ADVPN Hub and Spokes setup, as shown in the diagram above.

  • Port1 is the WAN link for all devices.
  • 10.10.1.0/24 is used for the ADVPN topology. Hub will assign 10.10.1.x to spokes.
  • BGP is the routing protocol.
  • 10.177.0.0/20 is the local network behind the Hub. 10.207.0.0/22 and 10.227.0.0/20 are local networks behind spokes.

 

To configure Hub:

 

config vpn ipsec phase1-interface
    edit "Hub-to-Spokes"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set ipv4-start-ip 10.10.1.3
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared key>
    next
end

config vpn ipsec phase2-interface
    edit "Hub-to-Spokes"
        set phase1name "Hub-to-Spokes"
        set proposal aes256-sha256
    next
end

config system interface
    edit "Hub-to-Spokes"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.1.2 255.255.255.0
        set snmp-index 15
        set interface "port1"
    next
end

config router bgp
    set as 65400
        config neighbor-group
            edit "ADVPN"
                set advertisement-interval 1
                set activate6 disable
                set link-down-failover enable
                set remote-as 65400
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.10.1.0 255.255.255.0
                set neighbor-group "ADVPN"
            next
        end
        config network
            edit 1
                set prefix 10.177.0.0 255.255.240.0
            next
            edit 2
                set prefix 10.10.1.0 255.255.255.0
            next
        end
end

To configure Spoke1:

config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>
    next
end

config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end

config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end

config router bgp
    set as 65400
        config neighbor
            edit "10.10.1.1"
                set activate6 disable
                set remote-as 65400
            next
        end
        config network
            edit 1
                set prefix 10.207.0.0 255.255.240.0
            next
        end
end

To configure Spoke2:

config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>
    next
end

config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end

config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end

config router bgp
    set as 65400
        config neighbor
            edit "10.10.1.1"
                set activate6 disable
                set remote-as 65400
            next
        end
        config network
            edit 1
                set prefix 10.227.0.0 255.255.240.0
            next
        end
end

To verify that the Hub has assigned IP addresses to the spokes:

Use the command 'diagnose vpn ike gateway'.
In this example, the Hub assigned 10.10.1.3 and 10.10.1.4 to the spokes.

FortiGate_Hub # diagnose vpn ike gateway

vd: root/0
name: Hub-to-Spokes_1
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.1.243:500
tun_id: 10.10.1.4/::10.0.3.218
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2673s ago
peer-id: 10.47.1.243
peer-id-auth: no
assigned IPv4 address: 10.10.1.4/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/2 established 1/2 time 0/0/0 ms

id/spi: 1022 1e416d0d47ecc700/ca1908b355cf43f6
direction: responder
status: established 2673-2673s ago = 10ms
proposal: aes256-sha256
child: no
SK_ei: 7b70a59900a51025-0e99105baf025f7c-abee7183c23a8925-3da0ef12b68a821d
SK_er: f9152ad12fc5d2a2-b60b74716c4ed75a-ebcc506485530f8c-50763fa2ea96861e
SK_ai: e82e0854762af950-02dcafc18e76a21e-5b4cb2b8cd26855c-a599c9c2f8375e2d
SK_ar: fda183abf38f61a8-5e1b50ad86e116fe-8e2f5fa5d4d31c1d-472f2fc02bc84ef9
PPK: no
message-id sent/recv: 17/13
QKD: no
lifetime/rekey: 86400/83456
DPD sent/recv: 00000016/00000016
peer-id: 10.47.1.243

vd: root/0
name: Hub-to-Spokes_0
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.2.143:500
tun_id: 10.10.1.3/::10.0.3.219
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2610s ago
peer-id: 10.47.2.143
peer-id-auth: no
assigned IPv4 address: 10.10.1.3/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/2 established 1/2 time 0/0/0 ms

id/spi: 1023 3d63e2d967952c67/4fbe61adf9f2e003
direction: responder
status: established 2610-2610s ago = 0ms
proposal: aes256-sha256
child: no
SK_ei: 3ea8ed157d7cb2a3-4a49bb650afa93d8-0f5a78d54d45274a-6caac86323b54a02
SK_er: 6f53d68d08e6c8c4-016fe4143060b53e-3930d9ff0a437754-2eec7af432dc5b9e
SK_ai: 7e12babd11fb8fda-730f3cf419890822-1847db43de66efaa-3f454a068109a376
SK_ar: efa2b9989ffa35d8-c0404c432c1a9c4f-2b64b3fc904874a0-80a2206ec5f782fd
PPK: no
message-id sent/recv: 389/25
QKD: no
lifetime/rekey: 86400/83519
DPD sent/recv: 00000000/00000000
peer-id: 10.47.2.143

FortiGate_Hub # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.47.15.254, port1, [1/0]
C 10.10.1.0/24 is directly connected, Hub-to-Spokes
C 10.10.1.1/32 is directly connected, Hub-to-Spokes
C 10.47.0.0/20 is directly connected, port1
C 10.177.0.0/20 is directly connected, port2
B 10.207.0.0/20 [200/0] via 10.10.1.3 (recursive is directly connected, Hub-to-Spokes), 00:11:09, [1/0]
B 10.227.0.0/20 [200/0] via 10.10.1.4 (recursive is directly connected, Hub-to-Spokes), 00:12:52, [1/0]

Note:

In the Hub's IPsec phase1 configuration shown above, make sure to set the subnet mask ('set ipv4-netmask x.x.x.x') according to the requirement. By default the netmask is /32, which means the FortiGate allocates dynamic IPs with a /32 mask to the spokes.

This can cause connectivity issues: with a /32 mask, a spoke will not have a valid route to the BGP next hop (the Hub's tunnel address), so it will not inject any BGP routes.
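As an added example (not part of the article or of FortiOS), the following Python script parses 'diagnose vpn ike gateway' output from the verification step above and checks each assigned address against the Hub's mode-config pool (ipv4-start-ip/ipv4-end-ip) and netmask, flagging the /32 case described in the Note. The sample output is constructed from the article's values, with one entry's mask deliberately changed to /32.

```python
"""Check 'diagnose vpn ike gateway' output: every spoke should have received an
address from the Hub's mode-config pool with the configured netmask (a /32 mask
is the failure mode from the Note). Added example, not FortiGate code."""
import ipaddress
import re

# Pool and netmask as configured on the Hub's phase1-interface in the article.
POOL_START = ipaddress.ip_address("10.10.1.3")
POOL_END = ipaddress.ip_address("10.10.1.254")
POOL_NETMASK = "255.255.255.0"

# Constructed sample, trimmed to the relevant fields. The second entry's mask is
# deliberately /32 to reproduce the symptom described in the Note.
SAMPLE_OUTPUT = """\
name: Hub-to-Spokes_1
peer-id: 10.47.1.243
assigned IPv4 address: 10.10.1.4/255.255.255.0

name: Hub-to-Spokes_0
peer-id: 10.47.2.143
assigned IPv4 address: 10.10.1.3/255.255.255.255
"""

# One gateway entry: its name, the first peer-id, then the assigned address/mask.
ENTRY_RE = re.compile(
    r"^name: (?P<name>\S+).*?^peer-id: (?P<peer>\S+).*?"
    r"^assigned IPv4 address: (?P<addr>[\d.]+)/(?P<mask>[\d.]+)",
    re.MULTILINE | re.DOTALL,
)


def parse_gateways(output):
    """Return one dict (name, peer, addr, mask) per gateway entry."""
    return [m.groupdict() for m in ENTRY_RE.finditer(output)]


def check_assignment(entry):
    """Return the list of problems for one entry; an empty list means OK."""
    problems = []
    addr = ipaddress.ip_address(entry["addr"])
    if not POOL_START <= addr <= POOL_END:
        problems.append(f"{entry['name']}: {addr} outside pool {POOL_START}-{POOL_END}")
    if entry["mask"] != POOL_NETMASK:
        # With /32 the spoke has no route to the Hub's tunnel address (BGP next hop).
        problems.append(f"{entry['name']}: mask {entry['mask']} != {POOL_NETMASK}")
    return problems


def audit(output):
    """Map each gateway name to its problem list."""
    return {e["name"]: check_assignment(e) for e in parse_gateways(output)}
```

Running audit(SAMPLE_OUTPUT) reports the first entry as clean and flags the second for its /32 mask.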