Article Id 322163
Description This article describes how to build two IPsec tunnels from a Spoke FortiGate that has two WAN connections to a single HUB FortiGate that has one ISP connection, with iBGP running over the tunnels so that the spoke's BGP session with the HUB fails over from the primary tunnel to the backup tunnel.
Scope FortiGate.
Solution

Set up the following configuration on the spoke and HUB. Before pasting it in, note three things: (1) the `psksecret ENC ...` values are the encrypted form printed by `show` on the unit the listing was taken from — they cannot be reused on another device, so set your own pre-shared key in plaintext (`set psksecret <key>`) and use the same key on the HUB phase1 and on both spoke phase1s, because the HUB has a single dynamic phase1 on which both spoke tunnels terminate; (2) the HUB phase1 is `type dynamic` with `peertype any`, so any peer that knows the PSK can bring up a tunnel — use a long random key, and consider certificate authentication or a `peerid`-based `peertype` restriction if the HUB's WAN is exposed to untrusted networks; (3) `network-overlay enable` / `network-id 1` must match on the HUB and on both spoke tunnels, otherwise the spoke's tunnels will not be matched to this phase1.

 

Tunnel Config on HUB:

 

Phase 1:


config vpn ipsec phase1-interface

    edit "HUB_WAN1"

        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set add-route disable
        set dpd on-idle
        set comments "VPN: HUB_WAN1 (Created by VPN wizard for SD-WAN)"
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret ENC WRA1U72+SwNcqeJPiu+WJbXBSUrIYWiItjrBfwpU84JERJkJ5axiFm8v9izoXjDuBW0WHhEgq+0W5eU++unaDYeJnx+F1eb1elK+DKaNhny+iak2PaPHhTwJZYKEN+J4uwV1bvgFlHYRmYH67Bv9/CFbuGG1Pvp1Fgp4/xl0SVCr4yVAiXvq0EXmGJX/uTzg2hjd/A==
        set dpd-retryinterval 60

    next

 

Phase 2 (the proposal list generated by the wizard still includes `aes128-sha1` and `aes256-sha1`; remove the SHA-1 entries unless a peer requires them, since Phase 1 above already negotiates SHA-256/GCM only — the spoke Phase 2 lists below should be trimmed the same way):

 

config vpn ipsec phase2-interface

    edit "HUB_WAN1"

        set phase1name "HUB_WAN1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: HUB_WAN1 (Created by VPN wizard for SD-WAN)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"

    next


Tunnel interface (this `edit` block lives under `config system interface`, which the listing omits; the spokes dial `remote-gw 172.16.1.4`, so that address must be reachable on the HUB's port2):


edit "HUB_WAN1"

    set vdom "root"
    set ip 10.10.10.1 255.255.255.255
    set type tunnel
    set remote-ip 10.10.10.2 255.255.255.0
    set snmp-index 17
    set interface "port2"

next


BGP configuration on the HUB. The spoke's two tunnel addresses (10.10.10.4 and 10.10.10.5) both fall inside the 10.10.10.0/24 `neighbor-range`, so the HUB accepts the spoke's iBGP session from whichever tunnel is currently up without a static `neighbor` entry per tunnel. `network-import-check disable` makes the HUB advertise 192.168.100.0/24 even when that prefix is not in its routing table, so make sure it really is reachable on the HUB. The empty `config redistribute` blocks appear to be the defaults (redistribution disabled) and can be left out.

 

config router bgp

    set as 65400

    set network-import-check disable

        config neighbor-group

            edit "ADVPN_SPOKE1"

                set link-down-failover enable
                set remote-as 65400

            next

            edit "ADVPN_SPOKE2"

                set link-down-failover enable
                set remote-as 65400

            next

        end
        config neighbor-range

            edit 1

                set prefix 10.10.10.0 255.255.255.0
                set neighbor-group "ADVPN_SPOKE1"

            next

            edit 2

                set prefix 10.10.20.0 255.255.255.0

                set neighbor-group "ADVPN_SPOKE2"

            next

        end

        config network

            edit 1

                set prefix 192.168.100.0 255.255.255.0

            next

        end

        config network6

            edit 1

                set prefix6 ::/128

            next

        end

        config redistribute "connected"

        end

        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end

end


Spoke configuration, Tunnel 1 (primary tunnel, over port2).


Phase 1:

 

config vpn ipsec phase1-interface

    edit "ADVPN_SPOKE1"

        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: ADVPN_SPOKE1 (Created by VPN wizard for SD-WAN)"
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set remote-gw 172.16.1.4
        set psksecret ENC k2CoHflUtfBBu5gYp6qkxqgk+0A9RLnlppkWMEvUp2KQoykSbMzDrNWKcmL5pViL6a6pUKA79ERSarC6Xd6YFv33aHzHNN7G9Kpw/HWztmYk6qlSUhvVrrBLO9lsJ1hBcCYEmhhuoEGRxiba0XEcIZYFzRsq5IXQECMK6HTWei8tWzXbvBdG4fwclpoPHW9N5q6cwA==

    next

end

 

Phase 2:

 

config vpn ipsec phase2-interface

    edit "ADVPN_SPOKE1"

        set phase1name "ADVPN_SPOKE1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ADVPN_SPOKE1 (Created by VPN wizard for SD-WAN)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"

    next

end

 

config system interface

    edit "ADVPN_SPOKE1"

        set vdom "root"
        set ip 10.10.10.4 255.255.255.255
        set status down
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.0
        set snmp-index 15
        set interface "port2"

    next

end

 

Spoke configuration, Tunnel 2 (backup tunnel, over port3; its Phase 1 carries `set monitor "ADVPN_SPOKE1"`, so it is only brought up while Tunnel 1 is down). The Tunnel 1 interface listed above shows `set status down`, which appears to be the failover state captured for the first `get router info bgp summary` output below rather than steady-state configuration — leave it up in normal operation.

 

Phase 1:

 

config vpn ipsec phase1-interface

    edit "ADVPN_SPOKE2"

        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: ADVPN_SPOKE2 (Created by VPN wizard for SD-WAN)"
        set auto-discovery-receiver enable
        set network-overlay enable

        set monitor "ADVPN_SPOKE1"
        set network-id 1
        set remote-gw 172.16.1.4
        set psksecret ENC ztaIp44pzNwwVv+8U6cbKP/MvPbjKa7ydt5GtT7gD1VGBm9EIxTg4f0T/8Xixb1dzMLfHN8lAMrH+xrXym3nRZffAjsGFdGx+jBp3fuyWCe5EQhjSFX+NgqIOCr1110RgsUAUaMkwbv/nC8AoFDQ9zTuZJgGNg2t5GXe5iXR57cnQs7SVe0G30czSon+8NqJiT+Z2A==

    next

end

 

Phase 2:

 

config vpn ipsec phase2-interface

    edit "ADVPN_SPOKE2"

        set phase1name "ADVPN_SPOKE2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ADVPN_SPOKE2 (Created by VPN wizard for SD-WAN)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"

    next

end

 

Tunnel Interface:

 

config system interface

    edit "ADVPN_SPOKE2"

        set vdom "root"
        set ip 10.10.10.5 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.0
        set snmp-index 16
        set interface "port3"

    next

end

 

BGP configuration on the spoke. There is a single `neighbor` entry for the HUB tunnel address 10.10.10.1, which is the `remote-ip` of both spoke tunnel interfaces, so the same session is carried over whichever tunnel is up; `link-down-failover` is set so the session is torn down as soon as the tunnel interface goes down rather than waiting for the hold timer to expire.


config router bgp

    set as 65400

        config neighbor

            edit "10.10.10.1"

                set capability-graceful-restart enable
                set link-down-failover enable
                set soft-reconfiguration enable
                set remote-as 65400

            next

        end
        config network

            edit 1

                set prefix 192.168.200.0 255.255.255.0

            next

        end

        config network6

            edit 1

                set prefix6 ::/128

            next

        end

        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end

end


With Tunnel 1 down (`set status down` above), the HUB shows the spoke's BGP session established over the Tunnel 2 address 10.10.10.5 (a number in the State/PfxRcd column means the session is Established; the 0 means no prefixes had been received from it yet):

 

get router info bgp summary
VRF 0 BGP router identifier 172.16.2.4, local AS number 65400
BGP table version is 5
1 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 7 seconds

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 4 65400 4625 4613 2 0 0 2d01h53m 1
10.10.10.3 4 65400 3459 3455 1 0 0 2d02h06m 1
10.10.10.5 4 65400 3373 3374 4 0 0 2d01h08m 0
10.10.20.2 4 65400 4609 4615 2 0 0 2d01h53m 1
10.10.20.3 4 65400 4606 4590 1 0 0 2d02h05m 1

Total number of neighbors 5


Once the Tunnel 2 interface is brought down and Tunnel 1 is up again, the session re-forms over the Tunnel 1 address 10.10.10.4 — the Up/Down column shows it has only been up for about a minute:

 

get router info bgp summary
VRF 0 BGP router identifier 172.16.2.4, local AS number 65400
BGP table version is 6
1 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 46 seconds

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 4 65400 4631 4619 2 0 0 2d01h59m 1
10.10.10.3 4 65400 3465 3462 1 0 0 2d02h11m 1
10.10.10.4 4 65400 4 6 5 0 0 00:01:14 0
10.10.20.2 4 65400 4615 4622 2 0 0 2d01h59m 1
10.10.20.3 4 65400 4613 4596 1 0 0 2d02h11m 1

Total number of neighbors 5

 

Note: If both tunnels are allowed to be up at the same time, the HUB can return traffic over the other tunnel, so there is a chance of asymmetric routing when the primary tunnel comes back up. To avoid that, set `monitor` on the backup tunnel's phase1-interface so that only one tunnel is up at a time — the Spoke Tunnel 2 Phase 1 above already carries `set monitor "ADVPN_SPOKE1"`; make sure it is present in your configuration.

Refer to the following articles for how to enable `set monitor` on a tunnel (Technical Tip: IPsec VPN: Site-to-Site tunnel monitor) and for how the FortiGate behaves when there are asymmetric routes (Technical Tip: How the FortiGate behaves when asymmetric routing is enabled).