FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Samiksha
Staff
Staff
Description

This article describes how to configure ADVPN setup and what logs are observed for spoke-to-spoke dynamic tunnel negotiation.

Scope

 

Solution

The FortiGate feature ADVPN can be set up to establish direct tunnels negotiated dynamically between two spokes in a hub and spoke architecture.

 

The setup for this example is as follows:

 

Hub --------> Spoke 1, Hub --------> Spoke 2

 

After enabling ADVPN the setup will look like:

Hub --------> Spoke 1, Hub --------> Spoke 2 and Spoke 1 ------> Spoke 2

 

Here is the Step-by-Step guide on how to configure ADVPN:

 

On Hub the configuration will look like.

 

- IPsec phase1-interface and phase2-interface config:

 

# config vpn ipsec phase1-interface

        edit "advpn-hub"

            set type dynamic

            set interface "port4" –--- WAN Port

            set peertype any

            set net-device disable

            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1   aes256-sha1 3des-sha1

            set add-route disable

            set dpd on-idle

            set auto-discovery-sender enable   ----- Enable ADVPN on Hub

            set psksecret password

            set dpd-retryinterval 5

# config vpn ipsec phase2-interface

    edit "advpn-hub"

        set phase1name "advpn-hub"

        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256

 

- IPsec tunnel interface IP address.

 

edit "advpn-hub"

    set vdom "root"

    set ip 10.10.10.254 255.255.255.255

    set type tunnel

    set remote-ip 10.10.10.253 255.255.255.0

    set snmp-index 15

    set interface "port4"

 

- Hub BGP configuration.

 

# config router bgp

    set as 65412

# config neighbor-group

    edit "advpn"

       set link-down-failover enable

       set remote-as 65412

       set route-reflector-client enable ----- Making Hub as BGP RR

   next

# config neighbor-range

    edit 1

        set prefix 10.10.10.0 255.255.255.0

        set neighbor-group "advpn"

    next

# config network

    edit 1

        set prefix 10.100.0.0 255.255.240.0 <----- Hub Lan Subnet.

    next

 

On Spoke 1 the configuration will look like.

 

- IPsec phase1-interface and phase2-interface config:

 

# config vpn ipsec phase1-interface

    edit "spoke1"

        set interface "port5" –--- WAN Port

        set peertype any

        set net-device enable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256sha1

        set dpd on-idle

        set auto-discovery-receiver enable <----- Enable ADVPN on Spoke.

        set remote-gw 10.40.51.214

        set psksecret password

        set dpd-retryinterval 5

 

# config vpn ipsec phase2-interface

    edit "spoke1"

        set phase1name "spoke1"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256           aes128gcm aes256gcm chacha20poly1305

        set auto-negotiate enable

 

- IPsec tunnel interface IP address.

 

edit "spoke1"

    set vdom "root"

    set ip 10.10.10.1 255.255.255.255

    set type tunnel

    set remote-ip 10.10.10.254 255.255.255.0 <-–--- Hub Tunnel IP.

    set snmp-index 13

    set interface "port5"

 

- Spoke 1 BGP configuration.

 

# config router bgp

    set as 65412

# config neighbor

    edit "10.10.10.254"

        set advertisement-interval 1

        set link-down-failover enable

        set remote-as 65412

    next

end

# config network

    edit 1

        set prefix 10.103.0.0 255.255.240.0 <----- Spoke 1 Lan Subnet.

    next

 

On Spoke 2 the configuration will look like:

 

- IPsec phase1-interface and phase2-interface config:

 

# config vpn ipsec phase1-interface

    edit "spoke2"

        set interface "port1" <-–--- WAN Port.

        set peertype any

        set net-device enable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha

        set dpd on-idle

        set auto-discovery-receiver enable <----- Enable ADVPN on Spoke.

        set remote-gw 10.40.51.214

        set psksecret password

        set dpd-retryinterval 5

 

# config vpn ipsec phase2-interface

    edit "spoke2"

        set phase1name "spoke2"

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set auto-negotiate enable

 

- IPsec tunnel interface IP address.

 

edit "spoke2"

    set vdom "root"

    set ip 10.10.10.3 255.255.255.255

    set type tunnel

    set remote-ip 10.10.10.254 255.255.255.0 <----- Hub Tunnel IP.

    set snmp-index 13

    set interface "port1"

 

- Spoke 2 BGP configuration.

 

# config router bgp

    set as 65412

# config neighbor

    edit "10.10.10.254"

          set advertisement-interval 1

          set link-down-failover enable

          set remote-as 65412

# config network

    edit 1

        set prefix 10.104.0.0 255.255.240.0 <----- Spoke 2 Lan. Subnet

    next

 

Note.

- When net-device is disabled, all dialup tunnels share an interface on the hub.

- When net-device is enabled, dynamic interfaces are created on the hub for each dialup tunnel.

 

Run diagnose commands to check VPN and BGP status:

 

BGP Table on HUB:

 

Hub # get router info routing-table bgp

Routing table for VRF=0

B       10.103.0.0/20 [200/0] via 10.10.10.1 (recursive via advpn-hub tunnel 10.10.10.1), 2d21h59m

B       10.104.0.0/20 [200/0] via 10.10.10.3 (recursive via advpn-hub tunnel 10.10.10.3), 2d21h59m

 

BGP Table on Spoke1:

 

Spoke1 # get router info routing-table bgp

Routing table for VRF=0

B       10.100.0.0/20 [200/0] via 10.10.10.254, spoke1, 2d22h00m

B       10.104.0.0/20 [200/0] via 10.10.10.3, spoke1, 1d21h58m

 

BGP Table on Spoke2:

 

Spoke2 # get router info routing-table bgp

Routing table for VRF=0

B       10.100.0.0/20 [200/0] via 10.10.10.254, spoke2, 2d22h00m

B       10.103.0.0/20 [200/0] via 10.10.10.1, spoke2, 1d21h59m

 

VPN Table on HUB:

 

Hub # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

 

---Tunnel with Spoke 2

 

name=advpn-hub_0 ver=1 serial=8 10.40.51.214:0->10.40.51.197:0 tun_id=10.10.10.3 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1

 

---Tunnel with Spoke 1.

 

name=advpn-hub_1 ver=1 serial=9 10.40.51.214:0->10.40.51.216:0 tun_id=10.10.10.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1

 

VPN Table on Spoke1:

 

Spoke1 # diagnose vpn tunnel list

 

---Tunnel with Hub.

 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=spoke1 ver=1 serial=1 10.40.51.216:0->10.40.51.214:0 dst_mtu=1500

 

VPN Table on Spoke2:

 

Spoke2 # diagnose vpn tunnel list

 

---Tunnel with Hub.

 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=spoke2 ver=1 serial=1 10.40.51.197:0->10.40.51.214:0 dst_mtu=1500

 

After initiating ping traffic from Spoke 1 Lan Subnet to Spoke 2 Lan Subnet it triggers the formation of a shortcut tunnel between them.

 

Below are the ADVPN sequence of events that dictate how the Shortcut Tunnel negotiation takes place between Spoke 1 and Spoke 2:

 

1) Hub sends Shortcut Offer to Spoke 1.

 

ike 0: shortcut advpn-hub_1:10.40.51.216:0 to advpn-hub_0:10.40.51.197:0 for 10.103.3.216->10.104.3.197

ike 0 send shortcut-offer to advpn-hub_1

ike 0:advpn-hub_1:8: enc

ike 0:advpn-hub_1:8: sent IKE msg (SHORTCUT-OFFER): 10.40.51.214:500-10.40.51.216:500, len=220, vrf=0, id=012787d430278d8f/ae21a26df2ad43b7:e4100629 <-------

 

2) Spoke 1 receives Shortcut Offer from the HUB.

 

ike 0:spoke1:9: notify msg received: SHORTCUT-OFFER <--------

ike 0:spoke1: shortcut-offer 10.103.3.216->10.104.3.197 psk 64 ppk 0 ver 1 mode 0, peer-addr 10.40.51.197:500

ike 0 looking up shortcut by addr 10.104.3.197, name spoke1, peer-addr 10.40.51.197:500

 

3) Spoke 1 sends Shortcut Query to the HUB.

 

ike 0:spoke1: send shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ttl 32 nat 0 ver 1 mode 0

ike 0:spoke1:9: sent IKE msg (SHORTCUT-QUERY): 10.40.51.216:500->10.40.51.214:500, len=236, <--------

id=012787d430278d8f/ae21a26df2ad43b7:9f3f828c

 

4) HUB receives Shortcut Query from Spoke 1.

 

ike 0:advpn-hub_1:8: notify msg received: SHORTCUT-QUERY <-------

ike 0:advpn-hub_1: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 32 nat 0 ver 1 mode 0

ike 0:advpn-hub: iif 21 10.103.3.216->10.104.3.197 route lookup oif 21 advpn-hub gwy 10.10.10.3

 

5) HUB forwards Shortcut Query to Spoke 2.

 

ike 0:advpn-hub_0: forward shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.40.51.197:500

ike 0:advpn-hub_0:9: enc

ike 0:advpn-hub_0:9: sent IKE msg (SHORTCUT-QUERY): 10.40.51.214:500->10.40.51.197:500, len=236, vrf=0, <--------

id=e82803871055e57c/4cd9f6960772b271:fe1a6904

 

6) Spoke 2 receives Shortcut Query forwarded by HUB.

 

ike 0:spoke2:12: notify msg received: SHORTCUT-QUERY <--------

ike 0:spoke2: recv shortcut-query 18174035847785826865 44c39945fa7ec251/0000000000000000 10.40.51.216 10.103.3.216->10.104.3.197 psk 64 ppk 0 ttl 31 nat 0 ver 1 mode 0

ike 0:spoke2: iif 19 10.103.3.216->10.104.3.197 route lookup oif 13 root

ike 0:spoke2: shortcut-query received from 10.40.51.197:500, local-nat=no, peer-nat=no

 

6) Spoke 2 sends Shortcut Reply to the HUB.

 

ike 0:spoke2: send shortcut-reply 18174035847785826865  44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0

ike 0:spoke2:12: sent IKE msg (SHORTCUT-REPLY): 10.40.51.197:500->10.40.51.214:500, len=220, <--------id=e82803871055e57c/4cd9f6960772b271:3224b45c

 

7) HUB forwards Shortcut Reply to Spoke 1.

 

ike 0:advpn-hub_0:9: notify msg received: SHORTCUT-REPLY

ike 0:advpn-hub_0: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0

ike 0:advpn-hub_1: forward shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ttl 31 ver 1 mode 0 ext-mapping 10.40.51.197:500

ike 0:advpn-hub_1:8: sent IKE msg (SHORTCUT-REPLY): 10.40.51.214:500->10.40.51.216:500, len=236, vrf=0, <--------

id=012787d430278d8f/ae21a26df2ad43b7:d8bda5c9

 

8) Spoke 1 receives Shortcut Reply from HUB.

 

ike 0:spoke1:9: notify msg received: SHORTCUT-REPLY <--------

ike 0:spoke1: recv shortcut-reply 18174035847785826865 44c39945fa7ec251/43b7cdace2605404 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 10.40.51.197:500

ike 0:spoke1: iif 19 10.104.3.197->10.103.3.216 route lookup oif 13 root

ike 0:spoke1: shortcut-reply received from 10.40.51.197:500, local-nat=no, peer-nat=no

 

9) Spoke 1 then starts the negotiation of a shortcut/direct tunnel with Spoke 2.

 

ike 0:spoke1: created connection: 0xca63f00 7 10.40.51.216->10.40.51.197:500.

ike 0:spoke1: adding new dynamic tunnel for 10.40.51.197:500

ike 0:spoke1_0: added new dynamic tunnel for 10.40.51.197:500

ike 0:spoke1_0: shortcut selector added, new serial 1

ike 0:spoke1_0:10: initiator: main mode is sending 1st message...

    

VPN Table on Spoke1:

 

Spoke1 # diagnose vpn tunnel list

 

---Tunnel with Hub.

 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=spoke1 ver=1 serial=1 10.40.51.216:0->10.40.51.214:0 dst_mtu=150

 

---Tunnel with Spoke 2.

 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=spoke1_0 ver=1 serial=1 10.40.51.216:0->10.40.51.197:0 dst_mtu=1500

 

VPN Table on Spoke2:

 

Spoke2 # diagnose vpn tunnel list

 

---Tunnel with Hub.

 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=spoke2 ver=1 serial=1 10.40.51.197:0->10.40.51.214:0 dst_mtu=1500

 

---Tunnel with Spoke 1.

 

list all ipsec tunnel in vd 0

------------------------------------------------------

name=spoke2_0 ver=1 serial=1 10.40.51.197:0->10.40.51.216:0 dst_mtu=1500

Contributors