ADVPN 2.0 was introduced in FortiGate v7.4.2 and later. It builds on the existing ADVPN 1.0 configuration and is especially useful for ADVPN in an SD-WAN setup.
To convert ADVPN 1.0 to ADVPN 2.0, refer to: Technical Tip: How ADVPN 2.0 is different from ADVPN 1.0 and Technical Tip: How to configure ADVPN v2.0 on existing ADVPN v1.0 tunnels
With any ADVPN setup, it is recommended to use BGP; this article focuses on a BGP-on-loopback configuration.
The following topology will be used for this article:

Spoke1 configuration:
BGP configuration:
config router bgp
    set as 65400
    set router-id 192.167.1.2             <----- Loopback IP of Spoke1.
    set ibgp-multipath enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
    config neighbor
        edit "192.167.1.1"
            set soft-reconfiguration enable
            set interface "LB"            <----- Use the Loopback as the interface.
            set remote-as 65400
            set update-source "LB"        <----- Use the Loopback IP as the source.
        next
    end
end
IPSec config:
Spoke1 # sh vpn ipsec phase1-int
config vpn ipsec phase1-interface
    edit "hub1-Pri"
        set interface "port2"
        set peertype any
        set net-device enable
        set exchange-ip-addr4 192.167.1.2    <----- Exchange the Loopback IP.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: hub1-Pri (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set remote-gw 20.0.0.1
        set psksecret ENC xxxx
    next
    edit "hub1-Sec"
        set interface "port3"
        set peertype any
        set net-device enable
        set exchange-ip-addr4 192.167.1.2    <----- Exchange the Loopback IP.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: hub1-Sec (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set remote-gw 30.0.0.1
        set psksecret ENC xxxx
    next
end
Though both tunnels are configured to exchange the loopback IP, only one tunnel will get the loopback IP as its tunnel_id. The second tunnel will get an IP from the 10.0.0.0/8 subnet. This can be checked on the Hub:
The secondary IPs 30.0.0.5 and 30.0.0.9 have a tunnel ID in the 10.0.0.x range.
Hub configuration:
Hub1 # sh router bgp
config router bgp
    set as 65400
    set router-id 192.167.1.1                     <----- Loopback IP of the Hub.
    config neighbor-group
        edit "SpokeLb"                            <----- There must not be any spaces in the group name.
            set remote-as 65400
            set route-reflector-client enable     <----- Do not enable next-hop-self or next-hop-self-rr; either will break the ADVPN design.
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.167.1.0 255.255.255.0  <----- All Spokes have their loopback IP in this range.
            set neighbor-group "SpokeLb"
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.167.1.0 255.255.255.0  <----- The hub advertises a loopback summary route so that Spokes can create shortcuts.
            set network-import-check disable      <----- Either this, or a blackhole route for the loopback summary, must be added.
        next
    end
end
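The hub-side notes above (loopback router-id, no spaces in the neighbor-group name, next-hop-self breaking ADVPN, network-import-check for the loopback summary) are easy to miss in a long config. As an added example, not part of this article or of FortiOS, the following Python script parses a `show router bgp` output and flags those points; the sample config is constructed from the Hub1 output above with next-hop-self deliberately enabled so that the check fires.

```python
import shlex

# Constructed Hub1 BGP config from the article, with next-hop-self deliberately enabled to be flagged.
HUB_BGP = """\
config router bgp
    set router-id 192.167.1.1
    config neighbor-group
        edit "SpokeLb"
            set route-reflector-client enable
            set next-hop-self enable
        next
    end
    config network
        edit 2
            set prefix 192.167.1.0 255.255.255.0
            set network-import-check disable
        next
    end
end
"""

def parse_fortios(text):
    """Nest FortiOS CLI into dicts: 'config'/'edit' open a scope, 'set' stores values."""
    root = cur = {}
    stack = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] in ("config", "edit"):   # open a nested scope
            cur[" ".join(tok[1:])] = child = {}
            stack.append(cur)
            cur = child
        elif tok and tok[0] == "set":              # key -> list of values
            cur[tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):    # close the current scope
            cur = stack.pop()
    return root

def lint_hub_bgp(bgp, loopback_ip):
    """Apply the hub rules the article calls out to a parsed 'router bgp' scope."""
    findings = []
    if bgp.get("router-id") != [loopback_ip]:
        findings.append("router-id is not the hub loopback IP")
    for name, grp in bgp.get("neighbor-group", {}).items():
        if " " in name:
            findings.append(f"neighbor-group '{name}' contains a space")
        if any(grp.get(k) == ["enable"] for k in ("next-hop-self", "next-hop-self-rr")):
            findings.append(f"neighbor-group '{name}': next-hop-self(-rr) breaks ADVPN shortcuts")
    # Loopback summary needs network-import-check disable unless a blackhole route exists; static routes are not parsed here.
    if not any(n.get("network-import-check") == ["disable"] for n in bgp.get("network", {}).values()):
        findings.append("no advertised network has network-import-check disable")
    return findings
```

Run it against a real `show router bgp` capture by replacing the constructed HUB_BGP text; an empty list means none of the article's hub-side pitfalls were found.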
IPSec configuration:
Hub1 # sh vpn ipsec phase1-int
config vpn ipsec phase1-interface
    edit "advpn"
        set type dynamic
        set interface "port2"
        set peertype any
        set net-device disable
        set exchange-ip-addr4 192.167.1.1    <----- The IP address of the Loopback.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: advpn (Created by VPN wizard)"
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC xxx
    next
    edit "advpn2"
        set type dynamic
        set interface "port3"
        set peertype any
        set net-device disable
        set exchange-ip-addr4 192.167.1.1    <----- The IP address of the Loopback.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: advpn2 (Created by VPN wizard)"
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC xxxx
    next
end
To ensure that the tunnel with better performance is preferred, refer to: Technical Tip: Fortinet SD-WAN Remote SLAs