ADVPN 2.0 was introduced in FortiGate v7.4.2 and later. It is an addition to the existing ADVPN 1.0 configuration and is extremely useful for ADVPN with SD-WAN setups.
To convert ADVPN 1.0 to ADVPN 2.0, refer to: Technical Tip: How ADVPN 2.0 is different from ADVPN 1.0 and Technical Tip: How to configure ADVPN v2.0 on existing ADVPN v1.0 tunnels
With any ADVPN setup, it is recommended to use BGP, and this article focuses on a BGP-on-loopback configuration.
The following topology will be used for this article:

Spoke1 configuration
BGP configuration:
config router bgp
    set as 65400
    set router-id 192.167.1.2              <----- Loopback IP of Spoke1.
    set ibgp-multipath enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
    config neighbor
        edit "192.167.1.1"
            set soft-reconfiguration enable
            set interface "LB"             <----- Use the Loopback interface.
            set remote-as 65400
            set update-source "LB"         <----- Use the Loopback IP as the source IP.
        next
    end
end
IPSec config:
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "hub1-Pri"
        set interface "port2"
        set peertype any
        set net-device enable
        set exchange-ip-addr4 192.167.1.2      <----- Exchange the Loopback IP.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: hub1-Pri (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set remote-gw 20.0.0.1
        set psksecret ENC xxxx
    next
    edit "hub1-Sec"
        set interface "port3"
        set peertype any
        set net-device enable
        set exchange-ip-addr4 192.167.1.2      <----- Exchange the Loopback IP.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: hub1-Sec (Created by VPN wizard)"
        set wizard-type spoke-fortigate-auto-discovery
        set auto-discovery-receiver enable
        set remote-gw 30.0.0.1
        set psksecret ENC xxxx
    next
end
Though both tunnels are configured to exchange the loopback IP, only one tunnel receives the loopback IP as its tunnel_id. The second tunnel receives an IP from the 10.0.0.0/8 range. This can be verified on the Hub:
The peers with the secondary IP addresses 30.0.0.5 and 30.0.0.9 have a tunnel ID in the 10.0.0.x range.
Hub configuration:
show router bgp
config router bgp
    set as 65400
    set router-id 192.167.1.1                  <----- Loopback IP of the Hub.
    config neighbor-group
        edit "SpokeLb"                         <----- The group name must not contain spaces.
            set remote-as 65400
            set route-reflector-client enable  <----- Do not enable next-hop-self or next-hop-self-rr; either one breaks the ADVPN design.
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.167.1.0 255.255.255.0   <----- All Spokes have their loopback IP in this range.
            set neighbor-group "SpokeLb"
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.167.1.0 255.255.255.0   <----- The Hub advertises a loopback summary route so that Spokes can create shortcuts.
            set network-import-check disable       <----- Either this setting or a blackhole route for the loopback summary is required.
        next
    end
end
IPSec configuration:
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "advpn"
        set type dynamic
        set interface "port2"
        set peertype any
        set net-device disable
        set exchange-ip-addr4 192.167.1.1      <----- The IP address of the Loopback.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: advpn (Created by VPN wizard)"
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC xxx
    next
    edit "advpn2"
        set type dynamic
        set interface "port3"
        set peertype any
        set net-device disable
        set exchange-ip-addr4 192.167.1.1      <----- The IP address of the Loopback.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set comments "VPN: advpn2 (Created by VPN wizard)"
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC xxxx
    next
end
In a design with two Hubs (main and backup) and redundancy between them, it is important to consider that multiple 'best paths' can be established and that, depending on the hash, some traffic flows are routed through the alternate Hub.
This only happens if an intermediate device (the Backup Hub) forwards the traffic back (hairpin/routing loop), or if asymmetry/ECMP causes the return path to 'bounce' through the wrong Hub.
To resolve this routing issue in a Hub-and-Spoke SD-WAN network:
- Verify the BGP configuration on the Hub and Spoke devices to ensure that the routes are being advertised correctly.
- Check the routing table on the Hub device to ensure that the route to the Spoke's loopback interface is present and is being learned via BGP.
- Verify that the Spoke device is configured to advertise its loopback interface via BGP.
- Check for any routing loops or asymmetry in the network that may be causing the issue.
- If using multipath routing, try disabling it temporarily to see if this resolves the issue:
    config router bgp
        set ibgp-multipath disable
        set ebgp-multipath disable
    end
- Assign a higher local preference to the routes learned directly from the Spoke devices so that the Hub prefers them over the routes learned via the inter-Hub link:
    - High local preference for routes learned directly from Spokes.
    - Low local preference for routes learned from the inter-Hub neighbor.
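One way to apply the local-preference policy described above on the Hub, as an added example that is not part of the original article: two route-maps raise the local preference of routes received from the "SpokeLb" neighbor-group and lower it for routes received from the inter-Hub neighbor (the default local preference is 100). The route-map names, the preference values and the inter-Hub neighbor address placeholder are assumptions.

```text
config router route-map
    edit "RM-FROM-SPOKES"
        config rule
            edit 1
                set set-local-preference 200    <----- Above the default of 100: Spoke routes win.
            next
        end
    next
    edit "RM-FROM-HUB2"
        config rule
            edit 1
                set set-local-preference 50     <----- Below the default: inter-Hub routes lose.
            next
        end
    next
end
config router bgp
    config neighbor-group
        edit "SpokeLb"
            set route-map-in "RM-FROM-SPOKES"   <----- Applied to all Spokes matched by the neighbor-range.
        next
    end
    config neighbor
        edit "<INTER-HUB-NEIGHBOR-IP>"          <----- Placeholder: the Backup Hub's BGP peer address.
            set remote-as 65400
            set route-map-in "RM-FROM-HUB2"
        next
    end
end
```

After applying the route-maps, check that each Spoke prefix on the Hub shows the higher local preference via the Spoke neighbor with `get router info bgp network`, so traffic no longer hairpins through the Backup Hub.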
To ensure that a tunnel with better performance is preferred, see Technical Tip: Fortinet SD-WAN Remote SLAs.