Description
This article describes the ADVPN (Auto-Discovery VPN) feature in FortiGate, which enhances traditional hub-and-spoke VPN topologies. It allows spokes to dynamically build direct tunnels ('shortcuts') to other spokes on demand, bypassing the hub to improve performance and reduce latency. The feature is enabled with the auto-discovery commands under phase1 on both the HUB and the Spokes.
However, in some scenarios, particularly where traffic inspection, central logging, or strict routing control is required, shortcut creation between spokes may be undesirable.
This article explains:
What ADVPN is and how it works.
How to prevent shortcut tunnels from forming between spokes.
Key configuration requirements when disabling shortcut support.
Scope
FortiGate.
Solution
Fortinet ADVPN is a proprietary solution based solely on IKE and IPsec.
The Hub is responsible for triggering the shortcut OFFER and for relaying the shortcut QUERY/REPLY messages between the Spokes.
It is incompatible with the Cisco Dynamic Multipoint VPN (DMVPN) solution, which relies on multipoint GRE (mGRE) over IPsec and the Next Hop Resolution Protocol (NHRP).
See the Fortinet ADVPN community article for more information.
During a maintenance window, perform this change on the HUB:
config vpn ipsec phase1-interface
    edit <vpn-name>
        set auto-discovery-sender disable
    next
end
On the Spoke:
config vpn ipsec phase1-interface
    edit <vpn-name>
        set auto-discovery-receiver disable
    next
end
After shortcuts (auto-discovery) are disabled, reply traffic from the hub to the spokes will no longer match any dynamic shortcut SA. For correct traffic forwarding, enable net-device on the hub:
config vpn ipsec phase1-interface
    edit <vpn-name>
        set net-device enable
    next
end
If net-device is not enabled on the hub, the hub does not treat each IPsec tunnel interface as a routable point-to-point interface. In that case, a firewall policy on the HUB from tunnel1 to tunnel1 ensures spoke-to-spoke traffic is allowed to flow through the hub.
When IP addresses are added to the tunnel interfaces (for example, set ip 1.1.1.1/32 on the HUB and 1.1.1.2/32 on the spoke) and net-device is enabled, the following also applies: in addition to exchange-interface-ip, update-source under the BGP configuration is needed. This setting tells the router which local interface/IP address to use as the source when establishing the BGP TCP session with a peer.
Configuration example on HUB:
config system interface
    edit "HUB"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.254 255.255.255.0
        set interface "port17"
    next
end
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set interface "port17"
        set peertype any
        set net-device enable
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set psksecret ENC
    next
end
config router bgp
    set as 65400
    set router-id 1.1.1.1
    set ibgp-multipath enable
    config neighbor
        edit "1.1.1.2"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65400
            set update-source "HUB"
            set route-reflector-client enable
        next
        edit "1.1.1.3"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65400
            set update-source "HUB"
            set route-reflector-client enable
        next
    end
end
Configuration example on Spoke:
config system interface
    edit "spoke"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.0
        set interface "port2"
    next
end
config vpn ipsec phase1-interface
    edit "spoke"
        set interface "port2"
        set peertype any
        set net-device enable
        set exchange-interface-ip enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set remote-gw 10.5.128.165
        set psksecret ENC
    next
end
config router bgp
    set as 65400
    set router-id 1.1.1.2
    set ibgp-multipath enable
    set recursive-next-hop enable
    config neighbor
        edit "1.1.1.1"
            set remote-as 65400
            set update-source "spoke"
        next
    end
end
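To verify that a hub/spoke pair meets the requirements described in this article (shortcuts off, net-device on the hub, exchange-interface-ip on both ends, BGP update-source pointing at the tunnel interface), the following added Python linter parses FortiOS CLI snippets. It is example code written for this article, not a Fortinet tool; the hub and spoke snippets it runs on are constructed samples, not the configurations above.

```python
def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts (sub-tables nest under their own key)."""
    stack = [("root", {})]  # (frame kind, dict) so 'end' knows how far to unwind
    for raw in text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        if verb == "config":
            stack.append(("config", stack[-1][1].setdefault(rest, {})))
        elif verb == "edit":
            stack.append(("edit", stack[-1][1].setdefault(rest.strip('"'), {})))
        elif verb == "set":
            key, _, value = rest.partition(" ")
            stack[-1][1][key] = value.strip('"')
        elif verb == "next":
            stack.pop()
        elif verb == "end":  # 'end' inside an edit also closes the enclosing table
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return stack[0][1]

def shortcut_disable_issues(hub_text, spoke_text, hub_if, spoke_if):
    """List what the pair still lacks once shortcuts are off: net-device on the hub, exchange-interface-ip on both, update-source per BGP neighbor."""
    hub, spoke = parse_fortios(hub_text), parse_fortios(spoke_text)
    issues = []
    for side, cfg, ifname in (("hub", hub, hub_if), ("spoke", spoke, spoke_if)):
        p1 = cfg.get("vpn ipsec phase1-interface", {}).get(ifname, {})
        flag = "auto-discovery-sender" if side == "hub" else "auto-discovery-receiver"
        if p1.get(flag, "disable") != "disable":  # FortiOS default is disable
            issues.append(f"{side}: {flag} still enabled, shortcuts can still form")
        for key in ("exchange-interface-ip",) + (("net-device",) if side == "hub" else ()):
            if p1.get(key) != "enable":
                issues.append(f"{side}: {key} not enabled on {ifname}")
        for peer, n in cfg.get("router bgp", {}).get("neighbor", {}).items():
            if n.get("update-source") != ifname:
                issues.append(f"{side}: BGP neighbor {peer} lacks update-source {ifname}")
    return issues

# Constructed sample (not from the article): hub disabled shortcuts but forgot the rest.
HUB_SAMPLE = """config vpn ipsec phase1-interface
    edit "HUB"
        set auto-discovery-sender disable
    next
end
config router bgp
    config neighbor
        edit "1.1.1.2"
            set remote-as 65400
        next
    end
end"""
SPOKE_SAMPLE = 'config vpn ipsec phase1-interface\n edit "spoke"\n set net-device enable\n set exchange-interface-ip enable\n next\nend'
print(*shortcut_disable_issues(HUB_SAMPLE, SPOKE_SAMPLE, "HUB", "spoke"), sep="\n")
```

Feed it the output of `show vpn ipsec phase1-interface` and `show router bgp` from each device to check a real pair.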
Copyright 2025 Fortinet, Inc. All Rights Reserved.