Description
This article describes how to configure an ADVPN setup and which logs are observed during spoke-to-spoke dynamic tunnel negotiation.
Scope
FortiGate.
Solution
The FortiGate ADVPN feature can be set up so that direct tunnels are negotiated dynamically between two spokes in a hub-and-spoke architecture.
The setup for this example is as follows:
Hub --------> Spoke 1, Hub --------> Spoke 2
After enabling ADVPN, the setup will look like this:
Hub --------> Spoke 1, Hub --------> Spoke 2 and Spoke 1 ------> Spoke 2
The following is a step-by-step guide to configuring ADVPN.
On the Hub, the configuration looks like this:
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port4"                <----- WAN Port.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable     <----- Enable ADVPN on Hub.
        set psksecret password
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
config system interface
    edit "advpn-hub"
        set vdom "root"
        set ip 10.10.10.254 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.253 255.255.255.0
        set snmp-index 15
        set interface "port4"
    next
end
config router bgp
    set as 65412
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65412
            set route-reflector-client enable    <----- Making the Hub the BGP route reflector.
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 10.100.0.0 255.255.240.0      <----- Hub LAN Subnet.
        next
    end
end
On Spoke 1, the configuration will look like the following:
config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "port5"                  <----- WAN Port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable     <----- Enable ADVPN on Spoke.
        set remote-gw 10.40.51.214
        set psksecret password
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "spoke1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0   <----- Hub Tunnel IP.
        set snmp-index 13
        set interface "port5"
    next
end
config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.103.0.0 255.255.240.0    <----- Spoke 1 LAN Subnet.
        next
    end
end
On Spoke 2, the configuration will look like the following:
config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "port1"                  <----- WAN Port.
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set auto-discovery-receiver enable     <----- Enable ADVPN on Spoke.
        set remote-gw 10.40.51.214
        set psksecret password
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "spoke2"
        set vdom "root"
        set ip 10.10.10.3 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0   <----- Hub Tunnel IP.
        set snmp-index 13
        set interface "port1"
    next
end
config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.104.0.0 255.255.240.0    <----- Spoke 2 LAN Subnet.
        next
    end
end
Note: Run the following commands to check VPN and BGP status.
BGP Table on HUB:
Hub # get router info routing-table bgp
Routing table for VRF=0
B       10.103.0.0/20 [200/0] via 10.10.10.1 (recursive via advpn-hub tunnel 10.10.10.1), 2d21h59m
B       10.104.0.0/20 [200/0] via 10.10.10.3 (recursive via advpn-hub tunnel 10.10.10.3), 2d21h59m
BGP Table on Spoke1:
Spoke1 # get router info routing-table bgp
Routing table for VRF=0
B       10.100.0.0/20 [200/0] via 10.10.10.254, spoke1, 2d22h00m
B       10.104.0.0/20 [200/0] via 10.10.10.3, spoke1, 1d21h58m
BGP Table on Spoke2:
Spoke2 # get router info routing-table bgp
Routing table for VRF=0
B       10.100.0.0/20 [200/0] via 10.10.10.254, spoke2, 2d22h00m
B       10.103.0.0/20 [200/0] via 10.10.10.1, spoke2, 1d21h59m
VPN Table on HUB:
Hub # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
Tunnel with Spoke 2:
name=advpn-hub_0 ver=1 serial=8 10.40.51.214:0->10.40.51.197:0 tun_id=10.10.10.3 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
------------------------------------------------------
Tunnel with Spoke 1:
name=advpn-hub_1 ver=1 serial=9 10.40.51.214:0->10.40.51.216:0 tun_id=10.10.10.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
VPN Table on Spoke1:
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
Tunnel with Hub:
name=spoke1 ver=1 serial=1 10.40.51.216:0->10.40.51.214:0 dst_mtu=1500
VPN Table on Spoke2:
Spoke2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
Tunnel with Hub:
name=spoke2 ver=1 serial=1 10.40.51.197:0->10.40.51.214:0 dst_mtu=1500
Initiating ping traffic from the Spoke 1 LAN subnet to the Spoke 2 LAN subnet triggers the formation of a shortcut tunnel between them.
Below is the ADVPN sequence of events that shows how the shortcut tunnel negotiation between Spoke 1 and Spoke 2 takes place (the tunnel name in each line, advpn-hub_x, spoke1 or spoke2, identifies the device that logged it):
Hub:
ike 0: shortcut advpn-hub_1:10.40.51.216:0 to advpn-hub_0:10.40.51.197:0 for 10.103.3.216->10.104.3.197
ike 0 send shortcut-offer to advpn-hub_1
ike 0:advpn-hub_1:8: enc
ike 0:advpn-hub_1:8: sent IKE msg (SHORTCUT-OFFER): 10.40.51.214:500-10.40.51.216:500, len=220, vrf=0, id=012787d430278d8f/ae21a26df2ad43b7:e4100629   <-----

Spoke 1:
ike 0:spoke1:9: notify msg received: SHORTCUT-OFFER   <-----
ike 0:spoke1: shortcut-offer 10.103.3.216->10.104.3.197 psk 64 ppk 0 ver 1 mode 0, peer-addr 10.40.51.197:500
ike 0 looking up shortcut by addr 10.104.3.197, name spoke1, peer-addr 10.40.51.197:500
ike 0:spoke1: send shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ttl 32 nat 0 ver 1 mode 0
ike 0:spoke1:9: sent IKE msg (SHORTCUT-QUERY): 10.40.51.216:500->10.40.51.214:500, len=236, id=012787d430278d8f/ae21a26df2ad43b7:9f3f828c   <-----

Hub:
ike 0:advpn-hub_1:8: notify msg received: SHORTCUT-QUERY   <-----
ike 0:advpn-hub_1: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 32 nat 0 ver 1 mode 0
ike 0:advpn-hub: iif 21 10.103.3.216->10.104.3.197 route lookup oif 21 advpn-hub gwy 10.10.10.3
ike 0:advpn-hub_0: forward shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.40.51.197:500
ike 0:advpn-hub_0:9: enc
ike 0:advpn-hub_0:9: sent IKE msg (SHORTCUT-QUERY): 10.40.51.214:500->10.40.51.197:500, len=236, vrf=0, id=e82803871055e57c/4cd9f6960772b271:fe1a6904   <-----

Spoke 2:
ike 0:spoke2:12: notify msg received: SHORTCUT-QUERY   <-----
ike 0:spoke2: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 nat 0 ver 1 mode 0
ike 0:spoke2: iif 19 10.103.3.216->10.104.3.197 route lookup oif 13 root
ike 0:spoke2: shortcut-query received from 10.40.51.197:500, local-nat=no, peer-nat=no
ike 0:spoke2: send shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0
ike 0:spoke2:12: sent IKE msg (SHORTCUT-REPLY): 10.40.51.197:500->10.40.51.214:500, len=220, id=e82803871055e57c/4cd9f6960772b271:3224b45c   <-----

Hub:
ike 0:advpn-hub_0:9: notify msg received: SHORTCUT-REPLY
ike 0:advpn-hub_0: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:advpn-hub_1: forward shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ttl 31 ver 1 mode 0 ext-mapping 10.40.51.197:500
ike 0:advpn-hub_1:8: sent IKE msg (SHORTCUT-REPLY): 10.40.51.214:500->10.40.51.216:500, len=236, vrf=0, id=012787d430278d8f/ae21a26df2ad43b7:d8bda5c9   <-----

Spoke 1:
ike 0:spoke1:9: notify msg received: SHORTCUT-REPLY   <-----
ike 0:spoke1: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 10.40.51.197:500
ike 0:spoke1: iif 19 10.104.3.197->10.103.3.216 route lookup oif 13 root
ike 0:spoke1: shortcut-reply received from 10.40.51.197:500, local-nat=no, peer-nat=no
ike 0:spoke1: created connection: 0xca63f00 7 10.40.51.216->10.40.51.197:500.
ike 0:spoke1: adding new dynamic tunnel for 10.40.51.197:500
ike 0:spoke1_0: added new dynamic tunnel for 10.40.51.197:500
ike 0:spoke1_0: shortcut selector added, new serial 1
ike 0:spoke1_0:10: initiator: main mode is sending 1st message...
VPN Table on Spoke1:
Spoke1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
Tunnel with Hub:
name=spoke1 ver=1 serial=1 10.40.51.216:0->10.40.51.214:0 dst_mtu=1500
------------------------------------------------------
Tunnel with Spoke 2 (shortcut):
name=spoke1_0 ver=1 serial=1 10.40.51.216:0->10.40.51.197:0 dst_mtu=1500
VPN Table on Spoke2:
Spoke2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
Tunnel with Hub:
name=spoke2 ver=1 serial=1 10.40.51.197:0->10.40.51.214:0 dst_mtu=1500
------------------------------------------------------
Tunnel with Spoke 1 (shortcut):
name=spoke2_0 ver=1 serial=1 10.40.51.197:0->10.40.51.216:0 dst_mtu=1500
Copyright 2025 Fortinet, Inc. All Rights Reserved.