Article Id 279299
Description This article explains how FortiOS controls ADVPN shortcut tear-down by using a dynamic IPsec phase 2 selector.
Scope FortiGate


In some implementations aimed at PCI DSS compliance, users must have the capability to automatically terminate an IPsec tunnel (both phase 1 and 2) if there is no traffic passing through the tunnel within a specified time interval.

An illustrative use case example at the following link:

Technical Tip: Configuring a client to site (C2S) IPsec tunnel to automatically deactivate after not...


Traditionally, in an ADVPN Hub-Spoke configuration, a BGP neighbor relationship is established between the Hub and the Spoke, rather than directly between Spokes. Routes are exchanged using the route-reflector feature on the Hub.

A practical demonstration of utilizing a route reflector in a typical ADVPN topology is available here:

Technical Tip: ADVPN with BGP as the routing protocol


It is possible to configure a direct BGP neighbor relationship between Spokes through a negotiated shortcut, but this approach comes with an issue: BGP keep-alive messages keep the negotiated shortcut IPsec tunnel busy, so it never expires and is never torn down. The same issue applies to SD-WAN Performance SLA ICMP health checks sent over the negotiated shortcut.



In FortiOS versions prior to 7.4, the solution involved leveraging IKEv2 phase 2 selector narrowing as defined in RFC 5996.

This approach created dynamic selectors for ADVPN shortcuts to segregate control traffic. As a result, data traffic counters were not incremented, enabling the phase 1 idle-timeout to function as intended with ADVPN shortcuts.

Specifically, IKE generates a dynamic selector on ADVPN shortcuts that matches the ICMP health check packets used by SD-WAN, so those packets are carried on their own child SA and do not count as data traffic.


To also cover BGP, FortiOS 7.4 extends this selector to all SD-WAN control plane traffic rather than ICMP alone: a single selector now matches both BGP sessions and ICMP health checks. More details about this feature are available at: Using a single IKE selector in ADVPN to match all SD-WAN control plane traffic


The dynamic selector is labeled as 'health-check,' as shown in the sample output below.


dia vpn tun lis

list all ipsec tunnel in vd 0
name=spoke2_0 ver=2 serial=5> tun_id= tun_id6=:: dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66232 options[102b8]=npu create_dev rgwy-chg frag-rfc  role=primary accept_traffic=1 overlay_id=0
parent=spoke2 index=0
proxyid_num=3 child_num=0 refcnt=7 ilast=0 olast=0 ad=r/2
stat: rxp=1332209 txp=0 rxb=53288360 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=3
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=spoke2 proto=0 sa=1 ref=5 serial=2 adr health-check
  src: 0:
  dst: 0:
  SA:  ref=3 options=a2602 type=00 soft=0 mtu=1438 expire=12169/0B replaywin=2048
       seqno=1e8d1 esn=0 replaywin_lastseq=0000049f qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=43185/43200
  dec: spi=101c9f0a esp=aes key=16 93abe33f4946e82ede0bc5434a2a4a06
       ah=sha1 key=20 98e285069f46f42b9770fa9ac1e7218343e033e3
  enc: spi=39fc93d3 esp=aes key=16 38853cfad0ce87b1ea7464baf8b632a5
       ah=sha1 key=20 f1e17796f0a9f3ad34be0ac96fdf0e507fe012aa
  dec:pkts/bytes=1182/72693, enc:pkts/bytes=125136/13042480
  npu_flag=00 npu_rgwy= npu_lgwy= npu_selid=6 dec_npuid=0 enc_npuid=0
proxyid=spoke2 proto=0 sa=0 ref=1 serial=1 adr
  src: 0:
  dst: 0:

The new feature supports both IKEv2 and IKEv1.