Created on 10-24-2023 12:13 AM Edited on 10-24-2023 12:14 AM By Jean-Philippe_P
Description
This article describes a method for integrating a new ISP link (for example, a wireless link) into the hub firewall to provide redundancy when ADVPN is already operational. Where the hub is currently connected through a single ISP, adding a redundant connection from a second ISP is sometimes required.
For more details:
Scope
FortiGate.
Solution
Consider the current scenario (Single WAN):
The New scenario (Dual WAN):
Given that the current setup is in a production environment, here is the recommended approach to implement redundancy:
Here is the step-by-step guide for adding a new link for redundancy to the ADVPN hub firewall (dual WAN):
Configuration on the hub:
IPsec Phase1-interface and Phase2-interface Configuration:
config vpn ipsec phase1-interface
    edit "advpn-hub-backup"
        set type dynamic
        set interface "port2" <--- New Link ISP2 redundancy.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable <--- Enable ADVPN on Hub.
        set psksecret password <--- Placeholder; use the real pre-shared key, identical on hub and spokes.
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub-backup"
        set phase1name "advpn-hub-backup"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
IPsec tunnel interface IP address configuration for the new IPsec VPN link:
config system interface
    edit "advpn-hub-backup"
        set vdom "root"
        set ip 10.11.11.254 255.255.255.255
        set type tunnel
        set remote-ip 10.11.11.253 255.255.255.0
        set snmp-index 15
        set interface "port2" <--- New Link ISP2 redundancy.
    next
end
Hub BGP configuration (the new tunnel subnet is added as a second dynamic neighbor range in the existing "advpn" neighbor group):
config router bgp
    config neighbor-range
        edit 2
            set prefix 10.11.11.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
end
Configuration on Spoke 1:
IPsec phase1-interface and phase2-interface configuration:
config vpn ipsec phase1-interface
    edit "spoke1-backup"
        set interface "port1" <----- Current WAN Port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable <----- Enable ADVPN on Spoke.
        set remote-gw X.X.X.X <----- New ISP2 WAN IP on the Hub's interface.
        set psksecret password <----- Placeholder; must match the hub's pre-shared key.
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1-backup"
        set phase1name "spoke1-backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
IPsec tunnel interface IP address configuration for the new IPsec VPN link:
config system interface
    edit "spoke1-backup"
        set vdom "root"
        set ip 10.11.11.1 255.255.255.255 <----- New IP Spoke1 Tunnel.
        set type tunnel
        set remote-ip 10.11.11.254 255.255.255.0 <----- New IP Hub Tunnel.
        set interface "port1" <----- Current WAN Port.
    next
end
Configure the Spoke 1 FortiGate's firewall policies so that both the existing and the backup tunnel are allowed:
config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1-backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1-backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Spoke 1 BGP configuration (a second neighbor, peering with the hub's new tunnel IP):
config router bgp
    config neighbor
        edit "10.11.11.254" <----- New IP Hub Tunnel.
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
end
Configuration on Spoke 2:
IPsec phase1-interface and phase2-interface configuration:
config vpn ipsec phase1-interface
    edit "spoke2-backup"
        set interface "port1" <----- Current WAN Port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable <----- Enable ADVPN on Spoke.
        set remote-gw X.X.X.X <----- New ISP2 WAN IP on the Hub's interface.
        set psksecret password <----- Placeholder; must match the hub's pre-shared key.
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2-backup"
        set phase1name "spoke2-backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
IPsec tunnel interface IP address configuration for the new IPsec VPN link:
config system interface
    edit "spoke2-backup"
        set vdom "root"
        set ip 10.11.11.3 255.255.255.255 <----- New IP Spoke2 Tunnel.
        set type tunnel
        set remote-ip 10.11.11.254 255.255.255.0 <----- New IP Hub Tunnel.
        set interface "port1" <----- Current WAN Port.
    next
end
Configure the Spoke 2 FortiGate's firewall policies so that both the existing and the backup tunnel are allowed:
config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2-backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2-backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Spoke 2 BGP configuration (a second neighbor, peering with the hub's new tunnel IP):
config router bgp
    config neighbor
        edit "10.11.11.254" <----- New IP Hub Tunnel.
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
end
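Because the hub is in production, it is worth checking mechanically that the hub half and each spoke half of the backup tunnel agree before the change is pushed: the phase1 proposals must overlap, the spoke's remote-ip must be the hub's tunnel IP, the spoke's tunnel IP must fall inside the hub's new BGP neighbor-range, and the spoke must carry a BGP neighbor for that same hub IP. The following Python script is an added example, not Fortinet code and not part of this article's configuration. It parses FortiOS-style CLI blocks with a small stack parser, runs those consistency checks, and additionally flags two things a reviewer should not let through unchanged: the literal "password" pre-shared key and proposal entries built on 3DES or SHA-1. The HUB_CFG and SPOKE1_CFG strings are constructed excerpts of the values shown above with the annotations removed; the function names and finding texts are this example's own.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed excerpts of the article's hub and spoke1 blocks (annotations removed).
HUB_CFG = """
config vpn ipsec phase1-interface
    edit "advpn-hub-backup"
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set auto-discovery-sender enable
        set psksecret password
    next
end
config system interface
    edit "advpn-hub-backup"
        set ip 10.11.11.254 255.255.255.255
        set remote-ip 10.11.11.253 255.255.255.0
    next
end
config router bgp
    config neighbor-range
        edit 2
            set prefix 10.11.11.0 255.255.255.0
        next
    end
end
"""
SPOKE1_CFG = """
config vpn ipsec phase1-interface
    edit "spoke1-backup"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set auto-discovery-receiver enable
        set psksecret password
    next
end
config system interface
    edit "spoke1-backup"
        set ip 10.11.11.1 255.255.255.255
        set remote-ip 10.11.11.254 255.255.255.0
    next
end
config router bgp
    config neighbor
        edit "10.11.11.254"
            set remote-as 65412
        next
    end
end
"""

def parse_fortios(text):
    """Return {path: {key: [values]}}; path is the tuple of nested config/edit names."""
    entries, stack = {}, []
    for tok in map(shlex.split, text.splitlines()):  # shlex keeps quoted names intact
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            entries.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
    return entries

def legacy_algorithms(proposal):
    """Proposal entries that rely on DES/3DES, MD5 or SHA-1, e.g. '3des-sha1'."""
    return [p for p in proposal if {"des", "3des", "md5", "sha1"} & set(p.split("-"))]

def check_backup_link(hub, spoke, hub_name, spoke_name):
    """Return findings for one hub/spoke pair; an empty list means it looks consistent."""
    findings = []
    h1 = hub[("vpn ipsec phase1-interface", hub_name)]
    s1 = spoke[("vpn ipsec phase1-interface", spoke_name)]
    if not set(h1["proposal"]) & set(s1["proposal"]):
        findings.append("phase1: hub and spoke share no proposal, IKE cannot complete")
    for side, cfg in (("hub", h1), ("spoke", s1)):
        weak = legacy_algorithms(cfg["proposal"])
        if weak:
            findings.append(f"phase1: {side} offers legacy algorithms {weak}")
        if cfg.get("psksecret", [""])[0].lower() in ("", "password"):
            findings.append(f"phase1: {side} psksecret is a placeholder")
    # Addressing: spoke remote-ip must be the hub tunnel IP, the spoke tunnel IP must sit in a
    # hub BGP neighbor-range, and the spoke must have a BGP neighbor for that hub IP.
    hub_ip = ip_address(hub[("system interface", hub_name)]["ip"][0])
    spoke_if = spoke[("system interface", spoke_name)]
    if ip_address(spoke_if["remote-ip"][0]) != hub_ip:
        findings.append(f"spoke remote-ip {spoke_if['remote-ip'][0]} is not the hub tunnel ip {hub_ip}")
    ranges = [ip_network("/".join(v["prefix"])) for p, v in hub.items() if p[:2] == ("router bgp", "neighbor-range")]
    if not any(ip_address(spoke_if["ip"][0]) in r for r in ranges):
        findings.append(f"spoke tunnel ip {spoke_if['ip'][0]} is outside every hub neighbor-range")
    if str(hub_ip) not in [p[2] for p in spoke if p[:2] == ("router bgp", "neighbor")]:
        findings.append(f"spoke has no BGP neighbor entry for hub tunnel ip {hub_ip}")
    return findings

def article_findings():
    """Checks applied to the article's own hub and spoke1 values."""
    return check_backup_link(parse_fortios(HUB_CFG), parse_fortios(SPOKE1_CFG),
                             "advpn-hub-backup", "spoke1-backup")
```

Run against the article's values, the addressing checks all pass and the script reports four findings: the placeholder pre-shared key on both sides, and the 3DES/SHA-1 entries that the hub and spoke proposals still offer. Those are the two items to resolve before the backup tunnel goes live; the same function can be called once per spoke with the matching spoke name.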
Optional enhancements: for more robust BGP failover, consider adding BFD (Bidirectional Forwarding Detection) and link-monitor. Both detect a failed path faster than BGP's own timers, which shortens the outage before traffic moves to the surviving link.
Testing: For effective validation:
Related document:
Copyright 2024 Fortinet, Inc. All Rights Reserved.