sha-1_FTNT (Staff)
Created on 09-20-2016 07:04 AM
Edited on 11-04-2024 11:13 AM By Stephen_G
Article Id 195698
Description
Fortinet Auto Discovery VPN (ADVPN) allows direct tunnels (called shortcuts) to be established dynamically between the spokes of a traditional Hub and Spoke architecture.
After a shortcut tunnel is established between two spokes and routing has converged, spoke-to-spoke traffic no longer needs to flow through the Hub: the two spokes have direct connectivity.
Fortinet ADVPN was introduced in FortiOS 5.4.
Solution
The PDF file available in the Attachments section contains:
Table of Contents:
IPsec VPN Topology
Hub and Spoke
Partial Mesh
Full Mesh
Auto-Discovery VPN
ADVPN shortcut negotiation
Summary - ADVPN sequence of events
Fortinet Auto-Discovery VPN
IPsec and Dynamic routing
A single ADVPN Domain
NAT with ADVPN
Lifetime of ADVPN shortcuts
Reference Architecture - Dual Region
Dual Region Underlay
Dual Region Overlay
Dual Region BGP ASN
France Underlay
France Overlay
Overlay IPs
IPsec configuration
Hub
Spoke
ADVPN with BGP
Explanation
Hub configuration
Spoke configuration
ADVPN with OSPF
OSPF configuration
Hub configuration
Spoke configuration
Dual Region (BGP)
Overlay
IPsec configuration
BGP configuration
BGP Next-Hop reachability
ADVPN troubleshooting
IPsec
BGP
OSPF
ADVPN Dual Region (BGP) - Lab configuration
Additional ADVPN articles available in the Fortinet Cookbook:
- Configuring ADVPN in FortiOS 5.6 (with 'set net-device enable')
- Configuring ADVPN in FortiOS 5.4
- Configuring ADVPN in FortiOS 5.4 with Redundant hubs
Related articles:
- Technical Note: How to mix ADVPN-aware and non-ADVPN-aware spokes within the same ADVPN Hub-and-Spok...
- Technical Tip: 'set net-device' new route-based IPsec logic
- Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
- Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)
- Troubleshooting Tip: IPsec VPNs tunnels
- Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
- Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels
- Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
- Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
- Technical Tip: IPSec dial-up full tunnel with FortiClient
- Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
- Technical Note: Dynamic routing (BGP) over IPsec tunnel
- Technical Tip: OSPF with IPSec VPN for network redundancy
- Technical Tip: Dynamic dial-up VPN with OSPF
- Technical Tip: Simple OCVPN deployment
- Technical Tip: SD-WAN integration with OCVPN
- Technical Tip: Configure IPsec VPN with SD-WAN
- Technical Tip: SD-WAN with DDNS type IPsec
- Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
- Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
- Technical Note: Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a...
- Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
- Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel