Technical Tip: Adding New Link for Redundancy into the ADVPN HUB Firewall (Dual WAN)

wcruvinel · ‎10-24-2023

Description

This article describes a method for integrating a new ISP link (e.g., Wireless) into the HUB firewall to ensure redundancy when ADVPN is already operational. In scenarios where the HUB is already connected via one ISP, there may be instances where introducing a redundancy connection from another ISP is necessary.

For more details:

Check out this article about setting up ADVPN: Technical Tip: Configuring ADVPN and Analyzing Logs. It talks about using just one ISP.
If unsure about how to set up ADVPN, here is a Helpful Guide.

Scope

FortiGate.

Solution

Consider the current scenario (Single WAN):

The New scenario (Dual WAN):

Given that the current setup is in a production environment, here is the recommended approach to implement redundancy:

Prioritize Principal Connection: Maintain the principal connection as the primary default route. This should have a lower metric in comparison to the secondary to ensure it remains the preferred route.
Set Up New IPSec VPNs: Establish new IPSec VPNs, consisting of both Phase 1 and Phase 2, between the HUB and the SPOKES, using the New IP configured in the New Interface Tunnel.
New Rule Creation: Since a new IPSec VPN will be deployed, it is necessary to establish rules to allow flow between the HUB and the SPOKES.
Initiate New BGP Peering Session: Begin a New BGP peering session between the HUB and SPOKES. For this, set the new IPs derived from the tunnel interface as peers.
Implement Link Health Monitors: It is advantageous to deploy link health monitors, which will actively assess the status of both the primary and secondary connections. Such monitors play a pivotal role in ensuring swift failover.
Modify Routing Preferences: Make necessary adjustments to the routing preferences. The goal should be to prioritize prefixes that are learned or advertised via the principal connection over those from the secondary link.

Here is the Step-by-Step guide on how to Add New Link for Redundancy into the ADVPN HUB Firewall (Dual WAN):

Configuration on the Hub:

IPsec Phase1-interface and Phase2-interface Configuration:

config vpn ipsec phase1-interface

edit "advpn-hub-backup"

set type dynamic

set interface "port2" <--- New Link ISP2 redundancy.

set peertype any

set net-device disable

set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1

set add-route disable

set dpd on-idle

set auto-discovery-sender enable <--- Enable ADVPN on Hub.

set psksecret password

set dpd-retryinterval 5

config vpn ipsec phase2-interface

edit "advpn-hub-backup"

set phase1name "advpn-hub-backup"

set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256

IPsec Tunnel Interface IP Address Configuration for the New IPSec VPN link:

edit "advpn-hub-backup"

set vdom "root"

set ip 10.11.11.254 255.255.255.255

set type tunnel

set remote-ip 10.11.11.253 255.255.255.0

set snmp-index 15

set interface "port2" <--- New Link ISP2 redundancy.

Hub BGP Configuration:

config router bgp

config neighbor-range

edit 2

set prefix 10.11.11.0 255.255.255.0

set neighbor-group "advpn"

IPsec Phase1-interface and Phase2-interface Configuration:

config vpn ipsec phase1-interface

edit "spoke1-backup"

set interface "port1" <----- Current WAN Port.

set peertype any

set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256sha1

set dpd on-idle

set auto-discovery-receiver enable <----- Enable ADVPN on Spoke.

set remote-gw X.X.X.X <----- New ISP2 WAN IP on the Hub's interface.

set psksecret password

set dpd-retryinterval 5

config vpn ipsec phase2-interface

edit "spoke1-backup"

set phase1name "spoke1-backup"

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set auto-negotiate enable

IPsec Tunnel Interface IP Address Configuration for the New IPSec VPN link:

edit "spoke1-backup"

set vdom "root"

set ip 10.11.11.1 255.255.255.255 <-–--- New IP Spoke1 Tunnel.

set type tunnel

set remote-ip 10.11.11.254 255.255.255.0 <-–--- New IP Hub Tunnel.

set interface "port1" <----- Current WAN Port.

Configure the spoke1 FortiGates' firewall policies:

config firewall policy

edit 1

set name "outbound_advpn"

set srcintf "internal"

set dstintf "spoke1" "spoke1-backup"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

set name "inbound_advpn"

set srcintf "spoke1" "spoke1-backup"

set dstintf "internal"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

Spoke 1 BGP Configuration:

config router bgp

config neighbor

edit "10.11.11.254" <----- New IP Hub Tunnel.

set advertisement-interval 1

set link-down-failover enable

set remote-as 65412

Configuration on Spoke 2:

IPsec Phase1-interface and Phase2-interface Configuration:

config vpn ipsec phase1-interface

edit "spoke2-backup"

set interface "port1" <----- Current WAN Port.

set peertype any

set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha

set dpd on-idle

set auto-discovery-receiver enable <----- Enable ADVPN on Spoke.

set remote-gw X.X.X.X <----- New ISP2 WAN IP on the Hub's interface.

set psksecret password

set dpd-retryinterval 5

config vpn ipsec phase2-interface

edit "spoke2-backup"

set phase1name "spoke2-backup"

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set auto-negotiate enable

IPsec Tunnel Interface IP Address Configuration for the New IPSec VPN link:

edit "spoke2-backup"

set vdom "root"

set ip 10.11.11.3 255.255.255.255 <-–--- New IP Spoke2 Tunnel.

set type tunnel

set remote-ip 10.11.11.254 255.255.255.0 <-–--- New IP Hub Tunnel.

set interface "port1" <----- Current WAN Port.

Configure the spoke2 FortiGates' firewall policies:

config firewall policy

edit 1

set name "outbound_advpn"

set srcintf "internal"

set dstintf "spoke2" "spoke2-backup"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

set name "inbound_advpn"

set srcintf "spoke2" "spoke2-backup"

set dstintf "internal"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

Spoke 2 BGP Configuration:

config router bgp

config neighbor

edit "10.11.11.254" <----- New IP Hub Tunnel.

set advertisement-interval 1

set link-down-failover enable

set remote-as 65412

Optional Enhancements:

For a more robust BGP functionality, think about integrating BFD (Bidirectional Forwarding Detection) and Link-Monitor.

This integration facilitates faster fault detection, resulting in reduced downtime.

Testing:

For effective validation:

Continuously observe the BGP routes on both the HUB and SPOKE. The primary connection should always be the primary route.
For testing, disable the primary connection and assess the failover efficacy of the secondary link.
After confirming satisfactory performance, reactivate the primary interface. Following this, both the BGP and the ADVPN tunnel should give precedence to the primary connection.

Related document:

ADVPN with BGP as the routing protocol