The topology in this example is an ADVPN Hub and Spokes deployment, as shown in the diagram above.
- Port1 is the WAN link for all devices.
- 10.10.1.0/24 is used for the ADVPN tunnel overlay. The Hub assigns 10.10.1.x addresses to the spokes via IKE mode-cfg.
- BGP is the routing protocol.
- 10.177.0.0/20 is the local network behind the Hub. 10.207.0.0/22 and 10.227.0.0/20 are local networks behind spokes.
To configure the Hub:
config vpn ipsec phase1-interface
    edit "Hub-to-Spokes"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set ipv4-start-ip 10.10.1.3
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "Hub-to-Spokes"
        set phase1name "Hub-to-Spokes"
        set proposal aes256-sha256
    next
end
config system interface
    edit "Hub-to-Spokes"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.1.2 255.255.255.0
        set snmp-index 15
        set interface "port1"
    next
end
config router bgp
    set as 65400
    config neighbor-group
        edit "ADVPN"
            set advertisement-interval 1
            set activate6 disable
            set link-down-failover enable
            set remote-as 65400
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.1.0 255.255.255.0
            set neighbor-group "ADVPN"
        next
    end
    config network
        edit 1
            set prefix 10.177.0.0 255.255.240.0
        next
        edit 2
            set prefix 10.10.1.0 255.255.255.0
        next
    end
end
To configure Spoke1:
config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end
config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end
config router bgp
    set as 65400
    config neighbor
        edit "10.10.1.1"
            set activate6 disable
            set remote-as 65400
        next
    end
    config network
        edit 1
            set prefix 10.207.0.0 255.255.240.0
        next
    end
end
To configure Spoke2:
config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end
config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end
config router bgp
    set as 65400
    config neighbor
        edit "10.10.1.1"
            set activate6 disable
            set remote-as 65400
        next
    end
    config network
        edit 1
            set prefix 10.227.0.0 255.255.240.0
        next
    end
end
To verify that the Hub assigned IP addresses to the spokes:
Use the command 'diagnose vpn ike gateway'. In this example, the Hub assigned 10.10.1.3 and 10.10.1.4 to the spokes.
FortiGate_Hub # diagnose vpn ike gateway
vd: root/0
name: Hub-to-Spokes_1
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.1.243:500
tun_id: 10.10.1.4/::10.0.3.218
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2673s ago
peer-id: 10.47.1.243
peer-id-auth: no
assigned IPv4 address: 10.10.1.4/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

  id/spi: 1022 1e416d0d47ecc700/ca1908b355cf43f6
  direction: responder
  status: established 2673-2673s ago = 10ms
  proposal: aes256-sha256
  child: no
  SK_ei: 7b70a59900a51025-0e99105baf025f7c-abee7183c23a8925-3da0ef12b68a821d
  SK_er: f9152ad12fc5d2a2-b60b74716c4ed75a-ebcc506485530f8c-50763fa2ea96861e
  SK_ai: e82e0854762af950-02dcafc18e76a21e-5b4cb2b8cd26855c-a599c9c2f8375e2d
  SK_ar: fda183abf38f61a8-5e1b50ad86e116fe-8e2f5fa5d4d31c1d-472f2fc02bc84ef9
  PPK: no
  message-id sent/recv: 17/13
  QKD: no
  lifetime/rekey: 86400/83456
  DPD sent/recv: 00000016/00000016
  peer-id: 10.47.1.243

vd: root/0
name: Hub-to-Spokes_0
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.2.143:500
tun_id: 10.10.1.3/::10.0.3.219
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2610s ago
peer-id: 10.47.2.143
peer-id-auth: no
assigned IPv4 address: 10.10.1.3/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

  id/spi: 1023 3d63e2d967952c67/4fbe61adf9f2e003
  direction: responder
  status: established 2610-2610s ago = 0ms
  proposal: aes256-sha256
  child: no
  SK_ei: 3ea8ed157d7cb2a3-4a49bb650afa93d8-0f5a78d54d45274a-6caac86323b54a02
  SK_er: 6f53d68d08e6c8c4-016fe4143060b53e-3930d9ff0a437754-2eec7af432dc5b9e
  SK_ai: 7e12babd11fb8fda-730f3cf419890822-1847db43de66efaa-3f454a068109a376
  SK_ar: efa2b9989ffa35d8-c0404c432c1a9c4f-2b64b3fc904874a0-80a2206ec5f782fd
  PPK: no
  message-id sent/recv: 389/25
  QKD: no
  lifetime/rekey: 86400/83519
  DPD sent/recv: 00000000/00000000
  peer-id: 10.47.2.143
FortiGate_Hub # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.47.15.254, port1, [1/0]
C       10.10.1.0/24 is directly connected, Hub-to-Spokes
C       10.10.1.1/32 is directly connected, Hub-to-Spokes
C       10.47.0.0/20 is directly connected, port1
C       10.177.0.0/20 is directly connected, port2
B       10.207.0.0/20 [200/0] via 10.10.1.3 (recursive is directly connected, Hub-to-Spokes), 00:11:09, [1/0]
B       10.227.0.0/20 [200/0] via 10.10.1.4 (recursive is directly connected, Hub-to-Spokes), 00:12:52, [1/0]
Note:
As shown in the CLI configuration for IPsec phase1 on the Hub above, make sure to set the subnet mask with 'set ipv4-netmask x.x.x.x' as required. By default, the subnet mask is /32, which means the FortiGate Hub allocates dynamic IPs with a /32 mask to the spokes.
This can cause connectivity issues: with a /32 mask a spoke has no connected route covering the 10.10.1.0/24 overlay, so it has no valid route to the BGP next hop and will not install any BGP route.
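As an added check (not part of the original note), the following Python parses 'diagnose vpn ike gateway' output from the Hub and flags any spoke whose assigned address carries a /32 mask or falls outside the mode-cfg pool configured above. The sample output is constructed, with the second gateway deliberately assigned /32 to show the failure mode just described.

```python
import ipaddress
import re

# Constructed 'diagnose vpn ike gateway' sample, trimmed to the fields this
# check reads; the second gateway is deliberately assigned a /32 mask.
SAMPLE_OUTPUT = """\
vd: root/0
name: Hub-to-Spokes_1
addr: 10.47.4.65:500 -> 10.47.1.243:500
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
assigned IPv4 address: 10.10.1.4/255.255.255.0

vd: root/0
name: Hub-to-Spokes_0
addr: 10.47.4.65:500 -> 10.47.2.143:500
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
assigned IPv4 address: 10.10.1.3/255.255.255.255
"""

GATEWAY_RE = re.compile(
    r"name: (?P<name>\S+).*?"
    r"addr: \S+ -> (?P<peer>[\d.]+):\d+.*?"
    r"assigned IPv4 address: (?P<ip>[\d.]+)/(?P<mask>[\d.]+)",
    re.S,
)

def parse_gateways(text):
    """Return one dict (name, peer, ip, mask) per gateway block."""
    blocks = re.split(r"\n(?=vd: )", text.strip())
    return [m.groupdict() for m in map(GATEWAY_RE.search, blocks) if m]

def check_assignments(gateways, tunnel_net, pool_start, pool_end):
    """Map gateway name -> list of problems with its assigned address."""
    net = ipaddress.ip_network(tunnel_net)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    findings = {}
    for gw in gateways:
        iface = ipaddress.ip_interface(f"{gw['ip']}/{gw['mask']}")
        problems = []
        if iface.network.prefixlen == 32:
            # No connected /24 on the spoke, so BGP next hops never resolve.
            problems.append("mask is /32; check 'set ipv4-netmask' on the hub")
        elif iface.network != net:
            problems.append(f"mask yields {iface.network}, expected {net}")
        if not lo <= iface.ip <= hi:
            problems.append("address outside the mode-cfg pool")
        findings[gw["name"]] = problems
    return findings
```

Call check_assignments(parse_gateways(output), "10.10.1.0/24", "10.10.1.3", "10.10.1.254") with the real command output to get a per-gateway list of problems; an empty list means the assignment matches this example's Hub configuration.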