
 

Description This article describes how to configure ADVPN so that the Hub assigns tunnel IP addresses to the spokes automatically.
Scope FortiGate.
Solution

Screenshot 2024-07-01 132142.png

 

The topology in this example is an ADVPN Hub with two Spokes, as shown in the diagram above.

  • Port1 is the WAN link for all devices.
  • 10.10.1.0/24 is used for the ADVPN tunnel network. The Hub assigns 10.10.1.x addresses to the spokes.
  • BGP is the routing protocol.
  • 10.177.0.0/20 (lan-hub) is the local network behind the Hub. 10.207.0.0/22 (spoke1-lan) and 10.227.0.0/20 (spoke2-lan) are the local networks behind the spokes.

 

To configure Hub:

 

config vpn ipsec phase1-interface
    edit "Hub-to-Spokes"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set ipv4-start-ip 10.10.1.3
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared key>
end

 

config vpn ipsec phase2-interface
    edit "Hub-to-Spokes"
        set phase1name "Hub-to-Spokes"
        set proposal aes256-sha256
    next
end

config system interface
    edit "Hub-to-Spokes"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.1.2 255.255.255.0
        set snmp-index 15
        set interface "port1"
    next
end

 

config router bgp
    set as 65400
        config neighbor-group
            edit "ADVPN"
                set advertisement-interval 1
                set activate6 disable
                set link-down-failover enable
                set remote-as 65400
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.10.1.0 255.255.255.0
                set neighbor-group "ADVPN"
            next
        end
        config network
            edit 1
                set prefix 10.177.0.0 255.255.240.0
            next
            edit 2
                set prefix 10.10.1.0 255.255.255.0
            next
        end

end

config firewall policy
  edit 1
      set name "spoke2hub"
      set srcintf "Hub-to-Spokes"
      set dstintf "lan-hub"
      set srcaddr "all"
      set dstaddr "10.177.0.0/20"
      set action accept
      set schedule "always"
      set service "ALL"
  next
  edit 2
      set name "spoke2spoke"
      set srcintf "Hub-to-Spokes"
      set dstintf "Hub-to-Spokes"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ALL"
 next
 end

 

To configure Spoke1:

 

config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>

    next
end

 

config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end

 

config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end

 

config router bgp
    set as 65400
        config neighbor
            edit "10.10.1.1"
                set activate6 disable
                set remote-as 65400
            next
        end
        config network
            edit 1
                set prefix 10.207.0.0 255.255.240.0
            next
        end

end

config firewall policy
  edit 1
     set name "outbound_advpn_traffic"
     set srcintf "spoke1-lan"
     set dstintf "Spokes-to-Hub"
     set srcaddr "all"
     set dstaddr "all"
     set action accept
     set schedule "always"
     set service "ALL"
  next
  edit 2
     set name "inbound_advpn_traffic"
     set srcintf "Spokes-to-Hub"
     set dstintf "spoke1-lan"
     set srcaddr "all"
     set dstaddr "all"
     set action accept
     set schedule "always"
     set service "ALL"
  next
end

 

To configure Spoke2:

 

config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>

    next
end

 

config vpn ipsec phase2-interface

    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end

 

config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end

 

config router bgp
    set as 65400
        config neighbor
            edit "10.10.1.1"

                set activate6 disable
                set remote-as 65400
            next
        end
        config network
            edit 1
                set prefix 10.227.0.0 255.255.240.0
            next
        end

end

config firewall policy
  edit 1
     set name "outbound_advpn_traffic"
     set srcintf "spoke2-lan"
     set dstintf "Spokes-to-Hub"
     set srcaddr "all"
     set dstaddr "all"
     set action accept
     set schedule "always"
     set service "ALL"
  next
  edit 2
     set name "inbound_advpn_traffic"
     set srcintf "Spokes-to-Hub"
     set dstintf "spoke2-lan"
     set srcaddr "all"
     set dstaddr "all"
     set action accept
     set schedule "always"
     set service "ALL"
  next
end

 

To verify that the Hub has assigned IP addresses to the spokes:

Use the command 'diagnose vpn ike gateway'. In this example, the Hub assigned 10.10.1.3 and 10.10.1.4 to the spokes, as shown in the 'assigned IPv4 address' lines of the output below.

FortiGate_Hub # diagnose vpn ike gateway

vd: root/0
name: Hub-to-Spokes_1
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.1.243:500
tun_id: 10.10.1.4/::10.0.3.218
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2673s ago
peer-id: 10.47.1.243
peer-id-auth: no
assigned IPv4 address: 10.10.1.4/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/2 established 1/2 time 0/0/0 ms

id/spi: 1022 1e416d0d47ecc700/ca1908b355cf43f6
direction: responder
status: established 2673-2673s ago = 10ms
proposal: aes256-sha256
child: no
SK_ei: 7b70a59900a51025-0e99105baf025f7c-abee7183c23a8925-3da0ef12b68a821d
SK_er: f9152ad12fc5d2a2-b60b74716c4ed75a-ebcc506485530f8c-50763fa2ea96861e
SK_ai: e82e0854762af950-02dcafc18e76a21e-5b4cb2b8cd26855c-a599c9c2f8375e2d
SK_ar: fda183abf38f61a8-5e1b50ad86e116fe-8e2f5fa5d4d31c1d-472f2fc02bc84ef9
PPK: no
message-id sent/recv: 17/13
QKD: no
lifetime/rekey: 86400/83456
DPD sent/recv: 00000016/00000016
peer-id: 10.47.1.243

vd: root/0
name: Hub-to-Spokes_0
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.2.143:500
tun_id: 10.10.1.3/::10.0.3.219
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2610s ago
peer-id: 10.47.2.143
peer-id-auth: no
assigned IPv4 address: 10.10.1.3/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/2 established 1/2 time 0/0/0 ms

id/spi: 1023 3d63e2d967952c67/4fbe61adf9f2e003
direction: responder
status: established 2610-2610s ago = 0ms
proposal: aes256-sha256
child: no
SK_ei: 3ea8ed157d7cb2a3-4a49bb650afa93d8-0f5a78d54d45274a-6caac86323b54a02
SK_er: 6f53d68d08e6c8c4-016fe4143060b53e-3930d9ff0a437754-2eec7af432dc5b9e
SK_ai: 7e12babd11fb8fda-730f3cf419890822-1847db43de66efaa-3f454a068109a376
SK_ar: efa2b9989ffa35d8-c0404c432c1a9c4f-2b64b3fc904874a0-80a2206ec5f782fd
PPK: no
message-id sent/recv: 389/25
QKD: no
lifetime/rekey: 86400/83519
DPD sent/recv: 00000000/00000000
peer-id: 10.47.2.143

 

FortiGate_Hub # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.47.15.254, port1, [1/0]
C 10.10.1.0/24 is directly connected, Hub-to-Spokes
C 10.10.1.1/32 is directly connected, Hub-to-Spokes
C 10.47.0.0/20 is directly connected, port1
C 10.177.0.0/20 is directly connected, port2
B 10.207.0.0/20 [200/0] via 10.10.1.3 (recursive is directly connected, Hub-to-Spokes), 00:11:09, [1/0]
B 10.227.0.0/20 [200/0] via 10.10.1.4 (recursive is directly connected, Hub-to-Spokes), 00:12:52, [1/0]

 

Note:

As shown in the CLI configuration for IPsec phase1 on the Hub above, adjust the subnet mask with 'set ipv4-netmask x.x.x.x' as required (this example uses 255.255.255.0). By default, the subnet mask is /32, which means FortiGate allocates dynamic IPs with a /32 mask to the spokes.

 

This can cause connectivity issues: with a /32 mask, a spoke has no route covering the 10.10.1.0/24 tunnel network, so it cannot resolve the BGP next hop and will not inject any BGP route.