akileshc
Staff
Article Id 198186
Description
This article describes how to configure and verify Auto Discovery VPN (ADVPN) with RIPv2.

Solution
- Fortinet Auto Discovery VPN (ADVPN) allows direct tunnels (called shortcuts) to be established dynamically between the spokes of a traditional Hub and Spoke architecture.
- After a shortcut tunnel is established between two spokes and routing has converged, spoke-to-spoke traffic no longer needs to flow through the Hub; the spokes have direct connectivity.
- ADVPN requires dynamic routing in order to function and supports both BGP and RIPv2. This recipe uses RIPv2 and its route-reflector mechanism as the dynamic routing solution for ADVPN.
- ADVPN's primary advantage is that it adds full-mesh capability to a standard hub and spoke topology, greatly reducing the provisioning effort required for low-delay spoke-to-spoke reachability and avoiding the scalability problems of very large fully meshed VPN networks.

Diagram.

Configuration.

HUB:

ADVPN Tunnel Configuration.
# config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set add-route disable
        set dpd on-idle
        set dhgrp 2
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret ENC
        set dpd-retryinterval 60
    next
end

# config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal aes128-sha1
    next
end
RIPv2.
# config router rip
    config network
        edit 1
            set prefix 1.1.1.10 255.255.255.255
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
    config interface
        edit "ADVPN"
            set receive-version 2
            set send-version 2
            set send-version2-broadcast enable
        next
    end
end
Interface Configuration.
# config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.0 255.255.0.0
        set snmp-index 14
        set interface "port1"
    next
end
Policy.

# config firewall policy
    edit 5
        set name "ADVPNtoADVPN"
        set uuid bf723e6e-19ae-51e9-fde9-2764c6d2fa15
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 4
        set name "IN ADVPN"
        set uuid aab442e2-19ae-51e9-1fe2-c16613fe003d
        set srcintf "ADVPN"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 3
        set name "OUT ADVPN"
        set uuid 8dfd6d0e-19ae-51e9-ac74-d86a9af57fa0
        set srcintf "port4"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end
Spoke1 (the same configuration is also required on Spoke2):

Tunnel configuration.

# config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "port1"
        set peertype any
        set proposal aes128-sha1
        set net-device enable
        set add-route disable
        set dhgrp 2
        set auto-discovery-receiver enable
        set remote-gw 10.5.27.173
        set psksecret ENC
    next
end

# config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal aes128-sha1
        set auto-negotiate enable
    next
end
RIPv2 configuration.
# config router rip
    config network
        edit 1
            set prefix 1.1.1.1 255.255.255.255
        next
        edit 2
            set prefix 10.10.10.2 255.255.255.255
        next
    end
    config interface
        edit "ADVPN"
            set receive-version 2
            set send-version 2
        next
    end
end
Interface Configuration.
# config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.255
        set snmp-index 14
        set interface "port1"
    next
end
Policy.
# config firewall policy
    edit 5
        set name "IN ADVPN"
        set uuid 471a8b7c-19b0-51e9-bec5-9ac0ee436f1a
        set srcintf "ADVPN"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
    edit 3
        set name "OUT ADVPN"
        set uuid 2ffae662-19b0-51e9-cf68-6d600cd529df
        set srcintf "port4"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end
Troubleshooting and verification.
# diagnose vpn tunnel list
# get router info routing-table rip
# get router info rip database
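As an added offline sanity check (not from this article or from Fortinet): a small Python parser for the FortiOS config/edit/set syntax used above, plus a check that a hub and a spoke phase1 fit together the way this recipe requires. The sample configurations are constructed from the hub and Spoke1 phase1 settings shown on this page.

```python
# Constructed samples: the ADVPN phase1 settings of the hub and of a spoke from this article.
HUB_CFG = """config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set proposal aes128-sha1
        set dhgrp 2
        set auto-discovery-sender enable
    next
end"""
SPOKE_CFG = """config vpn ipsec phase1-interface
    edit "ADVPN"
        set proposal aes128-sha1
        set dhgrp 2
        set auto-discovery-receiver enable
        set remote-gw 10.5.27.173
    next
end"""

def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' syntax into nested dicts."""
    root = cur = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        kw, _, rest = line.partition(" ")
        if kw in ("config", "edit"):  # descend into a table or a table entry
            stack.append(cur)
            cur = cur.setdefault(rest.strip('"'), {})
        elif kw == "set":             # 'set key value' is stored on the current entry
            key, _, val = rest.partition(" ")
            cur[key] = val.strip('"')
        elif kw in ("next", "end"):   # climb back to the parent table
            cur = stack.pop()
    return root

def check_advpn(hub_text, spoke_text, tunnel="ADVPN"):
    """List hub/spoke mismatches for one ADVPN phase1; an empty list means consistent."""
    h = parse_fortios(hub_text)["vpn ipsec phase1-interface"][tunnel]
    s = parse_fortios(spoke_text)["vpn ipsec phase1-interface"][tunnel]
    rules = [  # (side, entry, key, required value, why), as configured on this page
        ("hub", h, "type", "dynamic", "hub must accept any spoke"),
        ("hub", h, "auto-discovery-sender", "enable", "hub offers shortcuts"),
        ("spoke", s, "auto-discovery-receiver", "enable", "spoke accepts shortcuts"),
    ]
    out = [f"{side}: {k} should be {want} ({why})"
           for side, cfg, k, want, why in rules if cfg.get(k) != want]
    if "remote-gw" not in s:
        out.append("spoke: remote-gw (hub address) missing")
    for k in ("proposal", "dhgrp"):  # IKE parameters must agree on both ends
        if h.get(k) != s.get(k):
            out.append(f"{k} mismatch: hub={h.get(k)} spoke={s.get(k)}")
    return out
```

Running `check_advpn(HUB_CFG, SPOKE_CFG)` on the page's settings returns an empty list; feeding it a spoke whose proposal was changed reports the mismatch before the tunnel is ever brought up.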
Notes about ADVPN in FortiOS.

- Auto-discovery is only supported with IKEv1.
- Every spoke must have an IP address that is routable from every other spoke; spokes behind NAT are not currently supported.
- The feature requires a dynamic routing protocol; IKE does not distribute routes for ADVPN.
- RIP is not a very scalable routing protocol. With more than a few spokes, use route summarization to avoid very large RIP updates, or better, use BGP instead of RIP.
- It is assumed that spokes will not be used to transit other spokes' traffic. For example, traffic from Chicago to Tokyo would not transit an existing Chicago to Hong Kong tunnel even though that path has a shorter hop count than a route via New York and Shanghai.
- There is no facility to filter which traffic transiting the hub triggers the message sent to the initiator suggesting it create a direct connection. Currently any and all traffic triggers it.