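# 2) Configure the hub FortiGate.
# Hub interfaces: port9 is the WAN side (the IPsec phase1 below is bound to it), port10 is the internal LAN.
config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end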
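# Hub static routing: no dst is set, so this is the default route (0.0.0.0/0) via the upstream gateway on port9.
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end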
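# Hub IKE phase1: a dynamic gateway on port9 that accepts tunnels from any peer presenting the PSK.
# NOTE(review): "set psksecret sample" is a placeholder. With "peertype any" the PSK is the only thing that
# authenticates a spoke, so use a long, randomly generated secret (or certificate authentication) before deployment.
# NOTE(review): the 3des-* proposals are legacy (64-bit block cipher) and none of the spoke proposals in this
# listing offer them, so they can be dropped without affecting negotiation; the sha1 entries are only needed for
# older peers. No "set dhgrp" appears here, so the platform default DH group applies — confirm it meets policy.
# add-route is disabled because the spoke prefixes are learned via RIP (see the router rip section), not from
# the tunnel; auto-discovery-sender makes this the ADVPN hub that offers shortcut tunnels to the spokes.
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end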
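# Hub IKE phase2 for the dynamic tunnel.
# NOTE(review): this list has no AEAD entries, while the spokes' phase2 proposals in this listing also offer
# aes128gcm/aes256gcm/chacha20poly1305; the negotiated suite is the common subset (aes*-sha1/sha256). Add the
# AEAD entries here if they are wanted and drop 3des-*, which no spoke offers. No "set pfs"/"set dhgrp" is
# shown, so the platform defaults apply — confirm they meet policy.
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end

# - Configure the hub FortiGate firewall policy.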
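# Hub firewall policies: spoke-to-LAN (policy 1) and spoke-to-spoke (policy 2), both arriving on the dynamic
# tunnel interface.
# NOTE(review): both policies accept "all" sources and every service; policy 2 in particular lets any spoke
# reach any other spoke on any port. Restrict srcaddr/dstaddr/service to the spoke prefixes actually in use
# before production, and consider "set logtraffic all" on both so tunnel traffic is logged.
# NOTE(review): "172.16.101.0" in policy 1 is a firewall address object that must already exist; its
# definition is not part of this listing.
config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "advpn-hub"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# - Configure the hub FortiGate's IPsec tunnel interface IP address.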
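# Address of the hub's tunnel interface; the spoke tunnel interfaces in this listing point their remote-ip at
# 10.10.10.254.
# NOTE(review): the phase1/phase2 sections and the RIP interface section all use the name "advpn-hub", so
# "advpn-hub1" here looks like a typo for the tunnel interface that phase1 creates — confirm before applying.
config system interface
    edit "advpn-hub1"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end

# - Configure the hub FortiGate's RIP.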
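# Hub RIP: originates a default route and advertises the tunnel prefix and the LAN prefix to the spokes.
# Split horizon is disabled on the tunnel interface so that a prefix learned from one spoke is re-advertised to
# the other spokes over the same interface (the Spoke1 routing table at the end of this listing shows
# 192.168.4.0/24 learned from 10.10.10.254 this way).
config router rip
    set default-information-originate enable
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 172.16.101.0 255.255.255.0
        next
    end
    config interface
        edit "advpn-hub"
            set split-horizon-status disable
        next
    end
end

# 3) Configure the spoke FortiGates.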
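# Spoke interfaces and static routes. This spoke is not labelled on the page; its wan1 address 15.1.1.2 matches
# the "spoke1" tunnel in the diagnostics at the end of the listing, so it is presumably Spoke1.
# Two WAN links: the wan2 route carries distance 15 while the wan1 route keeps the default distance (10), so
# wan1 is preferred and wan2 is only used when the wan1 route is withdrawn.
config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 12.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 12.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 15.1.1.1
        set device "wan1"
    next
end

# Configure the Spoke2.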
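# Spoke2 interfaces and static routes (wan1 13.1.1.2 is the address the shortcut tunnel in the diagnostics
# terminates on). As on the other spoke, the wan2 route has distance 15 so wan1 (default distance 10) is
# preferred and wan2 is the backup path.
config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 17.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 17.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 13.1.1.1
        set device "wan1"
    next
end

# - Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface.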
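# Spoke1 IKE phase1: a primary tunnel on wan1 and a backup tunnel on wan2, both to the hub at 22.1.1.1.
# "set monitor "spoke1"" on the backup keeps it down while the primary tunnel is up and brings it up when the
# primary fails. auto-discovery-receiver makes this spoke accept ADVPN shortcut offers from the hub.
# NOTE(review): "set psksecret sample" is a placeholder — use the same long, randomly generated secret as the
# hub (or certificates). "peertype any" presumably means the spoke does not check the hub's IKE identity, so
# remote-gw is the only peer check; no "set dhgrp" is shown, so the platform default applies — confirm it
# matches the hub.
config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke1_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke1"
        set psksecret sample
        set dpd-retryinterval 5
    next
end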
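# Spoke1 IKE phase2 for the primary and backup tunnels; auto-negotiate brings the SA up without waiting for
# traffic.
# NOTE(review): the AEAD entries (aes128gcm, aes256gcm, chacha20poly1305) are not in the hub's phase2 list in
# this listing, so they are never selected unless the hub is updated as well; this 3des-free list is the one
# worth mirroring on the hub.
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke1_backup"
        set phase1name "spoke1_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

# Configure Spoke2.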
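# Spoke2 IKE phase1 and phase2: primary tunnel on wan1, backup on wan2, both to the hub at 22.1.1.1. The backup
# is tied to the primary with "set monitor "spoke2"" so it only comes up when the primary fails.
# NOTE(review): "set psksecret sample" is a placeholder — replace it with the hub's strong, randomly generated
# secret (or certificates) before deployment. No "set dhgrp"/"set pfs" is shown, so platform defaults apply.
config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke2_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke2"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
# Phase2 offers AEAD suites that the hub's phase2 list in this listing does not include; only the common
# aes*-sha1/sha256 entries can be negotiated unless the hub is updated too.
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke2_backup"
        set phase1name "spoke2_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

# - Configure the spoke FortiGates' firewall policies.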
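# Spoke1 firewall policies: LAN to hub (policy 1) and hub/tunnel to LAN (policy 2). Both tunnel interface names
# are listed so the policy applies whichever of the primary or backup tunnel is carrying traffic.
# NOTE(review): both policies accept "all" to "all" on every service, so anything reachable through the tunnel
# can reach the whole LAN and vice versa. Restrict srcaddr/dstaddr/service to the real prefixes and consider
# "set logtraffic all" on the inbound policy before production.
config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Configure Spoke2.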
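# Spoke2 firewall policies, mirroring the Spoke1 pair: LAN to tunnel (policy 1) and tunnel to LAN (policy 2),
# with both the primary and backup tunnel interface names listed.
# NOTE(review): "all"/"all"/"ALL" in both directions is wide open; narrow the address objects and services to
# what the sites actually exchange, and consider "set logtraffic all" on the inbound policy.
config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# - Configure the spoke FortiGates' tunnel interface IP addresses.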
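# Spoke1 tunnel interface addresses: each tunnel gets its own /32 in 10.10.10.0/24 (the prefix RIP advertises)
# and the hub's tunnel address 10.10.10.254 as remote-ip.
config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke1_backup"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

# Configure Spoke2.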
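# Spoke2 tunnel interface addresses: distinct /32s in 10.10.10.0/24 for the primary and backup tunnel, both
# pointing remote-ip at the hub's tunnel address 10.10.10.254.
config system interface
    edit "spoke2"
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke2_backup"
        set ip 10.10.10.4 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

# - Configure the spoke FortiGates' RIP.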
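# Spoke1 RIP: advertises the tunnel prefix and the local LAN. Unlike the hub, no default-information-originate
# is set here.
config router rip
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end

# Configure Spoke2.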
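# Spoke2 RIP: advertises the tunnel prefix and the local LAN (192.168.4.0/24, which the hub then re-advertises
# to Spoke1).
config router rip
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.4.0 255.255.255.0
        next
    end
end

# 4) Run diagnose and get commands on Spoke1.
# NOTE(review): the diagnose vpn tunnel list output that follows prints the live ESP/AH key material of each SA
# (the "dec:"/"enc:" key=... fields); treat such output as secret and redact those fields before sharing or
# archiving it.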
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=17 ilast=2 olast=2 ad=r/2
stat: rxp=1 txp=87 rxb=200 txb=6208
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=1040
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=7 options=1a227 type=00 soft=0 mtu=1438 expire=1793/0B replaywin=1024
seqno=57 esn=0 replaywin_lastseq=00000002 itn=0
life: type=01 bytes=0/0 timeout=2370/2400
dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14
ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d
ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
dec:pkts/bytes=1/132, enc:pkts/bytes=86/11696
npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
----
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
- Run the get router info rip database command on Spoke1. The system should return the following:
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
Rc 10.1.100.0/24 1. internal
Rc 10.10.10.2/32 1. spoke1
R 172.16.101.0/24 10.10.10.254 1. 10.10.10.254 spoke1 02:28
R 192.168.4.0/24 10.10.10.254 1. 10.10.10.254 spoke1 02:44
- Run the get router info routing-table rip command on Spoke1. The system should return the following:
Routing table for VRF=0
R 172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:08:38
R 192.168.4.0/24 [120/3] via 10.10.10.254, spoke1, 00:08:38
- Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=3 ad=r/2
stat: rxp=1 txp=78 rxb=200 txb=5546
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=1039
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=7 options=1a227 type=00 soft=0 mtu=1438 expire=1807/0B replaywin=1024
seqno=4e esn=0 replaywin_lastseq=00000002 itn=0
life: type=01 bytes=0/0 timeout=2370/2400
dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14
ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d
ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
dec:pkts/bytes=1/132, enc:pkts/bytes=77/10456
npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
----
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=11 ilast=20 olast=20 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
----
name=spoke1_0 ver=1 serial=a 15.1.1.2:4500->13.1.1.2:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=spoke1 index=0
proxyid_num=1 child_num=0 refcnt=20 ilast=2 olast=0 ad=r/2
stat: rxp=1 txp=7 rxb=112 txb=480
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=spoke1 proto=0 sa=1 ref=8 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=2358/0B replaywin=1024
seqno=8 esn=0 replaywin_lastseq=00000002 itn=0
life: type=01 bytes=0/0 timeout=2367/2400
dec: spi=c53a8f61 esp=aes key=16 c66aa7ae9657068108ed47c048ff56b6
ah=sha1 key=20 60661c68e20bbc913c2564ade85e01ea3769e703
enc: spi=79cb0f30 esp=aes key=16 bf6c898c2e1c64baaa679ed5d79c3b58
ah=sha1 key=20 146ca78be6c34eedb9cd66cc328216e08682ecb1
dec:pkts/bytes=1/46, enc:pkts/bytes=7/992
npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=6 dec_npuid=1 enc_npuid=1
- Run the get router info routing-table rip command. The system should return the following:
Routing table for VRF=0
R 172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:09:04
R 192.168.4.0/24 [120/2] via 10.10.10.3, spoke1_0, 00:00:02