Description
This article describes how to configure and verify Auto Discovery VPN (ADVPN) with RIPv2 as the dynamic routing protocol.
Scope
FortiGate.
Solution
- Fortinet Auto Discovery VPN (ADVPN) allows direct tunnels (called shortcuts) to be established dynamically between the spokes of a traditional hub-and-spoke architecture.
- Once a shortcut tunnel is established between two spokes and routing has converged, spoke-to-spoke traffic no longer needs to flow through the hub; the spokes have direct connectivity.
- ADVPN requires dynamic routing in order to function and supports both BGP and RIPv2. This recipe uses RIPv2 as the dynamic routing protocol, with the hub re-advertising each spoke's routes to the other spokes.
- ADVPN's primary advantage is that it adds full-mesh reachability to a standard hub-and-spoke topology: it greatly reduces the provisioning effort needed for low-latency spoke-to-spoke connectivity and avoids the scalability problems of very large fully meshed VPN networks.
Diagram:
Configuration:
HUB:
ADVPN Tunnel Configuration (type dynamic accepts any dial-up spoke, auto-discovery-sender lets the hub offer shortcuts to the spokes, and add-route disable leaves route installation to RIP):
config vpn ipsec phase1-interface
edit "ADVPN"
set type dynamic
set interface "port1"
set peertype any
set net-device disable
set proposal aes128-sha1
set add-route disable
set dpd on-idle
set dhgrp 2
set auto-discovery-sender enable
set tunnel-search nexthop
set psksecret ENC
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "ADVPN-P2"
set phase1name "ADVPN"
set proposal aes128-sha1
next
end
RIPv2 (the hub advertises its loopback and the tunnel subnet; send-version2-broadcast makes it send RIPv2 updates as broadcast on the dial-up ADVPN interface so that every connected spoke receives them):
config router rip
config network
edit 1
set prefix 1.1.1.10 255.255.255.255
next
edit 2
set prefix 10.10.10.0 255.255.255.0
next
end
config interface
edit "ADVPN"
set receive-version 2
set send-version 2
set send-version2-broadcast enable
next
end
end
Interface Configuration:
config system interface
edit "ADVPN"
set vdom "root"
set ip 10.10.10.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.10.10.0 255.255.0.0
set snmp-index 14
set interface "port1"
next
end
Policy (the ADVPN-to-ADVPN policy allows spoke-to-spoke traffic to transit the hub; that transit traffic is what causes the hub to send a shortcut offer to the spokes):
config firewall policy
edit 5
set name "ADVPNtoADVPN"
set uuid bf723e6e-19ae-51e9-fde9-2764c6d2fa15
set srcintf "ADVPN"
set dstintf "ADVPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 4
set name "IN ADVPN"
set uuid aab442e2-19ae-51e9-1fe2-c16613fe003d
set srcintf "ADVPN"
set dstintf "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 3
set name "OUT ADVPN"
set uuid 8dfd6d0e-19ae-51e9-ac74-d86a9af57fa0
set srcintf "port4"
set dstintf "ADVPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
end
Spoke1 (Spoke2 is configured the same way, with its own tunnel and loopback addresses; the hub's tunnel address and WAN address stay the same):
Tunnel configuration (auto-discovery-receiver lets the spoke accept shortcut offers from the hub; remote-gw is the hub's WAN address; the proposal and DH group must match the hub's):
config vpn ipsec phase1-interface
edit "ADVPN"
set interface "port1"
set peertype any
set proposal aes128-sha1
set net-device enable
set add-route disable
set dhgrp 2
set auto-discovery-receiver enable
set remote-gw 10.5.27.173
set psksecret ENC
next
end
config vpn ipsec phase2-interface
edit "ADVPN-P2"
set phase1name "ADVPN"
set proposal aes128-sha1
set auto-negotiate enable
next
end
RIPv2 configuration:
config router rip
config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
edit 2
set prefix 10.10.10.2 255.255.255.255
next
end
config interface
edit "ADVPN"
set receive-version 2
set send-version 2
next
end
end
Interface Configuration:
config system interface
edit "ADVPN"
set vdom "root"
set ip 10.10.10.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.10.10.1 255.255.255.255
set snmp-index 14
set interface "port1"
next
end
Policy:
config firewall policy
edit 5
set name "IN ADVPN"
set uuid 471a8b7c-19b0-51e9-bec5-9ac0ee436f1a
set srcintf "ADVPN"
set dstintf "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 3
set name "OUT ADVPN"
set uuid 2ffae662-19b0-51e9-cf68-6d600cd529df
set srcintf "port4"
set dstintf "ADVPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
end
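Because every spoke repeats the hub's IKE parameters and must carry its own tunnel address, copied spoke configurations drift easily. The following Python script is an added example, not part of this article or Fortinet's code: it parses FortiOS CLI text in the config/edit/set/next/end form shown above into nested dictionaries, renders hub and spoke stanzas from a small template, and checks the points on which hub and spokes must agree for ADVPN over RIPv2 to work (auto-discovery-sender on the hub and auto-discovery-receiver on the spokes, matching proposal and DH group, add-route left disabled, broadcast RIPv2 on the hub's dial-up interface, a RIP network prefix covering each tunnel address, and no two spokes sharing a tunnel address). The addresses, the cli() template and the spoke() helper are assumptions for illustration.

```python
"""Parse FortiOS CLI snippets and cross-check an ADVPN hub against its spokes.
Added example (not Fortinet code); addresses and the cli() template are assumptions."""
import shlex
from ipaddress import IPv4Address, IPv4Network


def parse_fortios(text):
    """{config path: {edit name: {set key: value}}}; next/end paired as 'show' prints them."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cmd, args = tok[0], tok[1:]
        if cmd in ("config", "edit"):  # open a nested table or table entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]


def rip_runs_on(cfg, ip):
    """FortiOS runs RIP on an interface only when a 'config network' prefix covers its address."""
    return any(IPv4Address(ip) in IPv4Network(n["prefix"].replace(" ", "/"), strict=False)
               for n in cfg["router rip"]["network"].values())


def check_advpn(hub, spokes, tun="ADVPN"):
    """Return the problems found; an empty list means hub and spokes agree."""
    out, hp1 = [], hub["vpn ipsec phase1-interface"][tun]
    hub_ip = hub["system interface"][tun]["ip"].split()[0]
    if hp1.get("auto-discovery-sender") != "enable":
        out.append("hub: auto-discovery-sender must be enabled to offer shortcuts")
    if hub["router rip"]["interface"].get(tun, {}).get("send-version2-broadcast") != "enable":
        out.append("hub: RIPv2 must be sent as broadcast on the dial-up tunnel interface")
    if not rip_runs_on(hub, hub_ip):
        out.append(f"hub: no RIP network prefix covers tunnel address {hub_ip}")
    used = {hub_ip: "hub"}
    for name, cfg in spokes.items():
        p1 = cfg["vpn ipsec phase1-interface"][tun]
        ip = cfg["system interface"][tun]["ip"].split()[0]
        if p1.get("auto-discovery-receiver") != "enable":
            out.append(f"{name}: auto-discovery-receiver must be enabled to accept shortcuts")
        for key in ("proposal", "dhgrp", "add-route"):  # IKE must match; add-route stays disabled
            if p1.get(key) != hp1.get(key):
                out.append(f"{name}: {key}={p1.get(key)} but hub has {hp1.get(key)}")
        if ip in used:  # a copied spoke config whose tunnel address was not changed
            out.append(f"{name}: tunnel address {ip} already used by {used[ip]}")
        used[ip] = name
        if not rip_runs_on(cfg, ip):
            out.append(f"{name}: no RIP network prefix covers tunnel address {ip}")
    return out


def cli(phase1, rip_prefix, rip_if, ip, remote_ip):
    """Render the three stanzas the article uses from plain dicts (assumed helper)."""
    p1 = "\n".join(f"        set {k} {v}" for k, v in phase1.items())
    ri = "\n".join(f"            set {k} {v}" for k, v in rip_if.items())
    return f"""config vpn ipsec phase1-interface
    edit "ADVPN"
{p1}
    next
end
config router rip
    config network
        edit 1
            set prefix {rip_prefix}
        next
    end
    config interface
        edit "ADVPN"
{ri}
        next
    end
end
config system interface
    edit "ADVPN"
        set ip {ip} 255.255.255.255
        set remote-ip {remote_ip}
    next
end"""


HUB = parse_fortios(cli(
    {"proposal": "aes128-sha1", "add-route": "disable", "dhgrp": 2, "auto-discovery-sender": "enable"},
    "10.10.10.0 255.255.255.0", {"send-version": 2, "send-version2-broadcast": "enable"},
    "10.10.10.1", "10.10.10.0 255.255.0.0"))


def spoke(tunnel_ip, dhgrp=2, receiver="enable"):
    """Spoke rendered with the hub's IKE values; only the per-site items are parameters."""
    return parse_fortios(cli(
        {"proposal": "aes128-sha1", "add-route": "disable", "dhgrp": dhgrp,
         "auto-discovery-receiver": receiver, "remote-gw": "10.5.27.173"},
        f"{tunnel_ip} 255.255.255.255", {"send-version": 2, "receive-version": 2},
        tunnel_ip, "10.10.10.1 255.255.255.255"))


SPOKES = {"spoke1": spoke("10.10.10.2"), "spoke2": spoke("10.10.10.3")}
DRIFTED = spoke("10.10.10.2", dhgrp=14, receiver="disable")  # spoke1 copied: address kept, wrong DH, receiver off
CONSISTENT = check_advpn(HUB, SPOKES)
PROBLEMS = check_advpn(HUB, {**SPOKES, "spoke3": DRIFTED})
```

A clean hub and spoke set yields an empty list; the deliberately drifted third spoke produces three findings (receiver disabled, dhgrp 14 against the hub's 2, and a tunnel address already used by spoke1). To run it against real devices, paste the output of show vpn ipsec phase1-interface, show router rip and show system interface from each unit into parse_fortios().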
Troubleshooting and verification:
diagnose vpn ike gateway list
diagnose vpn tunnel list
get router info routing-table rip
get router info rip database
After a spoke has sent traffic to another spoke through the hub, diagnose vpn tunnel list on that spoke should show an additional tunnel entry (the shortcut) alongside the parent ADVPN tunnel, and the remote spoke's prefixes should be present in the RIP routing table. If no shortcut appears, confirm that auto-discovery-sender is enabled on the hub, that auto-discovery-receiver is enabled on the spokes, and that the ADVPN-to-ADVPN firewall policy exists on the hub, since the shortcut offer is only sent for traffic the hub actually forwards between spokes.
Notes about ADVPN in FortiOS:
- Auto-discovery is supported with IKEv1 and IKEv2.
- Every spoke must have an IP address that is routable from every other spoke; units behind NAT are not currently supported.
- The feature requires a dynamic routing protocol; IKE does not handle routing.
- RIP does not scale well. With more than a few spokes, use route summarization to avoid very large RIP updates, or better, use BGP instead of RIP.
- It is assumed that spokes will not transit traffic for other spokes; for example, traffic from Chicago to Tokyo would not transit an existing Chicago to Hong Kong tunnel even though that path has a shorter hop count than a route via New York and Shanghai.
- There is no facility to filter which traffic transiting the hub triggers the message suggesting that the initiator create a direct connection; currently any traffic will trigger it.