wcruvinel
Staff
Article Id 280508
Description

This article describes how to integrate a new ISP link (for example, a wireless link) into the HUB firewall to provide redundancy when ADVPN is already operational. When the HUB is connected through a single ISP, a second connection from another ISP may be needed for redundancy.

 

For more details:

Scope

FortiGate.

Solution

Consider the current scenario (Single WAN):

[Figure: single-wan.PNG, HUB with a single WAN link]

The new scenario (Dual WAN):

[Figure: dual-wan.PNG, HUB with two WAN links]

 

Given that the current setup is in a production environment, here is the recommended approach to implement redundancy:

 

  1. Prioritize the principal connection: Keep the principal connection as the primary default route, with a lower metric than the secondary, so it remains the preferred route.
  2. Set up new IPsec VPNs: Establish new IPsec VPNs (Phase 1 and Phase 2) between the HUB and the SPOKES, using the new IP configured on the new tunnel interface.
  3. Create new firewall policies: Because a new IPsec VPN is deployed, policies are needed to allow traffic between the HUB and the SPOKES over it.
  4. Start a new BGP peering session: Begin a new BGP peering session between the HUB and the SPOKES, using the new tunnel interface IPs as the peer addresses.
  5. Implement link health monitors: Deploy link health monitors that actively check the status of both the primary and secondary connections; they are key to a swift failover.
  6. Modify routing preferences: Adjust the routing preferences so that prefixes learned or advertised via the principal connection are preferred over those from the secondary link.
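Step 6 is described above but not configured in the article. As an added example (not from the article), this is one way to do it on Spoke 1 using the article's backup hub peer 10.11.11.254; the route-map names and the local-preference and MED values are assumed choices.

```text
# Spoke 1: lower the preference of routes learned over the backup tunnel
# (default local-preference is 100), and advertise a higher MED over it so
# the HUB also prefers the path it learns over the primary tunnel.
config router route-map
    edit "advpn-backup-in"
        config rule
            edit 1
                set set-local-preference 90
            next
        end
    next
    edit "advpn-backup-out"
        config rule
            edit 1
                set set-metric 100
            next
        end
    next
end

# Apply both route-maps only to the backup BGP neighbor from the article.
config router bgp
    config neighbor
        edit "10.11.11.254"
            set route-map-in "advpn-backup-in"
            set route-map-out "advpn-backup-out"
        next
    end
end
```

The HUB compares the MED because both paths come from the same spoke AS. A HUB-side policy per tunnel would need a separate neighbor-group for the backup neighbor-range instead of reusing "advpn".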

 

Here is the step-by-step guide to adding a new link for redundancy to the ADVPN HUB firewall (Dual WAN):
 
Configuration on the Hub:
IPsec Phase1-interface and Phase2-interface Configuration:
 
config vpn ipsec phase1-interface
    edit "advpn-hub-backup"
        set type dynamic
        set interface "port2" <----- New link, ISP2 redundancy.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable <----- Enable ADVPN on the Hub.
        set psksecret password
        set dpd-retryinterval 5
    next
end
 
config vpn ipsec phase2-interface
    edit "advpn-hub-backup"
        set phase1name "advpn-hub-backup"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
 
IPsec Tunnel Interface IP Address Configuration for the new IPsec VPN link:

config system interface
    edit "advpn-hub-backup"
        set vdom "root"
        set ip 10.11.11.254 255.255.255.255
        set type tunnel
        set remote-ip 10.11.11.253 255.255.255.0
        set snmp-index 15
        set interface "port2" <----- New link, ISP2 redundancy.
    next
end
 
Hub BGP Configuration (the new tunnel subnet is added as a second neighbor-range in the existing "advpn" neighbor-group):

config router bgp
    config neighbor-range
        edit 2
            set prefix 10.11.11.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
end
 
Configuration on Spoke 1:
IPsec Phase1-interface and Phase2-interface Configuration:
 
config vpn ipsec phase1-interface
    edit "spoke1-backup"
        set interface "port1" <----- Current WAN port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable <----- Enable ADVPN on the Spoke.
        set remote-gw X.X.X.X <----- New ISP2 WAN IP on the Hub's interface.
        set psksecret password
        set dpd-retryinterval 5
    next
end
 
config vpn ipsec phase2-interface
    edit "spoke1-backup"
        set phase1name "spoke1-backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
 
IPsec Tunnel Interface IP Address Configuration for the new IPsec VPN link:

config system interface
    edit "spoke1-backup"
        set vdom "root"
        set ip 10.11.11.1 255.255.255.255 <----- New IP of the Spoke 1 tunnel.
        set type tunnel
        set remote-ip 10.11.11.254 255.255.255.0 <----- New IP of the Hub tunnel.
        set interface "port1" <----- Current WAN port.
    next
end
 

Configure the Spoke 1 FortiGate's firewall policies (both the existing and the backup tunnel interfaces are listed):

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1-backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1-backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

Spoke 1 BGP Configuration:

config router bgp
    config neighbor
        edit "10.11.11.254" <----- New IP of the Hub tunnel.
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
end
 
Configuration on Spoke 2:
IPsec Phase1-interface and Phase2-interface Configuration:
 
config vpn ipsec phase1-interface
    edit "spoke2-backup"
        set interface "port1" <----- Current WAN port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable <----- Enable ADVPN on the Spoke.
        set remote-gw X.X.X.X <----- New ISP2 WAN IP on the Hub's interface.
        set psksecret password
        set dpd-retryinterval 5
    next
end
 
config vpn ipsec phase2-interface
    edit "spoke2-backup"
        set phase1name "spoke2-backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
 
IPsec Tunnel Interface IP Address Configuration for the new IPsec VPN link:

config system interface
    edit "spoke2-backup"
        set vdom "root"
        set ip 10.11.11.3 255.255.255.255 <----- New IP of the Spoke 2 tunnel.
        set type tunnel
        set remote-ip 10.11.11.254 255.255.255.0 <----- New IP of the Hub tunnel.
        set interface "port1" <----- Current WAN port.
    next
end
 

Configure the Spoke 2 FortiGate's firewall policies (both the existing and the backup tunnel interfaces are listed):

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2-backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2-backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

Spoke 2 BGP Configuration:

config router bgp
    config neighbor
        edit "10.11.11.254" <----- New IP of the Hub tunnel.
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
end
 

Optional Enhancements:

For more robust BGP operation, consider adding BFD (Bidirectional Forwarding Detection) and link monitors.

Both detect a failed path faster than BGP on its own, which reduces downtime during failover.
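As an added example (not from the article) covering step 5 of the approach above and this section: link monitors on the HUB for each ISP, and BFD on the Spoke 1 BGP session over the backup tunnel. Assumed: the HUB's primary WAN is "port1", the probe addresses are placeholders, and the timer values are example choices in current FortiOS syntax.

```text
# HUB: one link monitor per ISP, so an upstream failure is detected even
# when the physical interface stays up. Interval is in milliseconds.
config system link-monitor
    edit "isp1-monitor"
        set srcintf "port1"
        set server "<ISP1-PROBE-ADDRESS>"
        set protocol ping
        set interval 1000
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
    edit "isp2-monitor"
        set srcintf "port2"
        set server "<ISP2-PROBE-ADDRESS>"
        set protocol ping
        set interval 1000
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end

# Spoke 1: enable BFD in the VDOM (500 ms x 3 = 1.5 s detection) and on the
# backup BGP neighbor, so a dead tunnel tears the session down quickly.
config system settings
    set bfd enable
    set bfd-desired-min-tx 500
    set bfd-required-min-rx 500
    set bfd-detect-mult 3
end

config router bgp
    config neighbor
        edit "10.11.11.254"
            set bfd enable
        next
    end
end
```

The HUB side of the BGP session must also have BFD enabled for the session to come up with BFD; apply the same VDOM settings there. The link monitor withdraws the static default route of a failed ISP, which is what lets the routing preference from step 1 switch over.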

 

Testing:

For effective validation:

  • Continuously observe the BGP routes on both the HUB and the SPOKES. The primary connection should always be the preferred route.
  • For testing, disable the primary connection and assess how well the secondary link takes over.
  • After confirming satisfactory performance, re-enable the primary interface. Both BGP and the ADVPN tunnel should then give precedence to the primary connection again.
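The commands below are an added example (not from the article) of how to check each of the three testing points on the HUB. Assumed: the HUB's primary WAN is "port1"; the backup peers are the 10.11.11.x tunnel addresses from the article.

```text
# 1. Before failover: both BGP sessions per spoke are Established, and the
#    best path for each spoke prefix points at the primary tunnel, not at
#    a 10.11.11.x next hop.
get router info bgp summary
get router info routing-table bgp
diagnose vpn ike gateway list
diagnose vpn tunnel list
diagnose sys link-monitor status
get router info bfd neighbor

# 2. Simulate the primary ISP failure, then confirm the spoke prefixes are
#    re-learned with a 10.11.11.x next hop and the backup tunnels stay up.
config system interface
    edit "port1"
        set status down
    next
end
get router info routing-table bgp
diagnose vpn tunnel list

# 3. Restore the primary link and confirm the best paths move back to the
#    primary tunnel once its BGP session returns to Established.
config system interface
    edit "port1"
        set status up
    next
end
get router info bgp summary
get router info routing-table bgp
```

The BFD and link-monitor commands only return neighbors and monitors if those optional enhancements were configured.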

Related document:

ADVPN with BGP as the routing protocol