FortiGate
epiquette
Staff
Article Id 330112
Description

This article describes how to configure an ADVPN that can scale, whether it is for multiple ISPs or multiple hub topologies using the CLI.

Scope

FortiOS 7.4.x

FortiOS 7.2.x

Solution

Hub Configuration Template

Hub interface configuration

 

config system interface
    edit "port1" <- port1 used for primary ISP.
        set ip 10.77.77.1 255.255.255.0
        set allowaccess ping
    next
    edit "port3" <- port3 used for the LAN.
        set ip 10.100.1.1 255.255.255.0
        set allowaccess ping
    next
    edit "loopback1" <- Loopback used for BGP peering.
        set vdom "root"
        set ip 10.23.0.1 255.255.255.255 <- IP used for BGP peering.
        set allowaccess ping
        set type loopback
    next
    edit "loopback2" <- Loopback used for SLA from the spoke side.
        set vdom "root"
        set ip 10.23.1.1 255.255.255.255 <- IP used for SLA on the spoke. It is recommended to use the same IP on all hubs if multiple hubs are configured.
        set allowaccess ping
        set type loopback
    next
end

 

Set a local location ID in the form of an IPv4 address to easily identify devices in IPsec VPN output:

 

config system settings
    set location-id 10.23.0.1 <- IP used for location identification in IPsec VPN; this is the same IP as loopback1, which is used for BGP peering.
end

 

Hub IPsec VPN Phase1 and Phase2 configuration:

 

config vpn ipsec phase1-interface
    edit "ADVPN1"
        set type dynamic
        set interface "port1" <- Select the primary ISP connection. In this specific template, port1 is used.
        set ike-version 2
        set peertype any
        set net-device disable <- Keep this disabled on the hubs so that tunnel-search is used to find the remote hop.
        set exchange-ip-addr4 10.23.0.1 <- Exchanges the loopback1 IP with the remote peer; it is the same for all overlays if multiple are configured.
        set proposal aes256gcm-prfsha384
        set add-route disable <- Disables adding a route for the phase 2 selector.
        set dpd on-idle
        set dhgrp 14
        set auto-discovery-sender enable <- Allows the hub to send auto-discovery shortcut messages to the spokes.
        set network-overlay enable <- Enables network overlay identifiers so that each overlay can be given a unique ID if multiple overlays are needed.
        set network-id 10 <- Network overlay identifier.
        set psksecret <preshared key>
        set dpd-retrycount 2
        set dpd-retryinterval 1
    next
end

 

config vpn ipsec phase2-interface
    edit "ADVPN1"
        set phase1name "ADVPN1"
        set proposal aes256gcm
        set keepalive enable
    next
end

 

Create Firewall Address Objects Required:

 

config firewall address
    edit "Spoke-Subnets"
        set subnet 10.100.0.0 255.255.0.0
    next
    edit "Hub-SLA_Loopback"
        set subnet 10.23.1.1 255.255.255.255
    next
    edit "Hub1-Subnet"
        set subnet 10.100.1.0 255.255.255.0
    next
end

 

 

Hub SDWAN configuration

 

config system sdwan
    set status enable
    config zone
        edit "Underlay" <- Zone that will be used for all the Underlay interfaces.
        next
        edit "ADVPN" <- Zone that will be used for all the Overlay interfaces.
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "Underlay"
            set gateway 10.77.77.254
        next
        edit 2
            set interface "ADVPN1"
            set zone "ADVPN"
            set source 10.23.0.1 <- Set the loopback1 IP as the source.
        next
    end
    config health-check
        edit "Google_DNS"
            set server "8.8.8.8" "8.8.4.4"
            set members 1
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 3
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 2
            set name "Spokes_Subnets"
            set dst "Spoke-Subnets"
            set src "Hub1-Subnet"
            set priority-members 2 <- Lets the hub subnet reach the spokes via SD-WAN member 2 (ADVPN1).
        next
        edit 1
            set name "Internet_Rule"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "Google_DNS"
                    set id 1
                next
            end
            set priority-members 1 <- Lets the hub subnet reach the Internet via SD-WAN member 1 (port1). If multiple ISPs are configured, add each of them as a priority-member.
        next
    end
end

 

Hub firewall policy configuration

 

config firewall policy
    edit 1
        set name "Internet Policy"
        set srcintf "port3"
        set dstintf "Underlay"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "LAN to ADVPN"
        set srcintf "port3"
        set dstintf "ADVPN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "ADVPN to LAN"
        set srcintf "ADVPN"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "ADVPN to ADVPN"
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set action accept
        set srcaddr "all"
        set dstaddr "Spoke-Subnets"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "BGP Peering Policy Inbound"
        set srcintf "ADVPN"
        set dstintf "loopback1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "BGP" "PING"
    next
    edit 6
        set name "VPN to SLA loopback"
        set srcintf "ADVPN"
        set dstintf "loopback2"
        set action accept
        set srcaddr "all"
        set dstaddr "Hub-SLA_Loopback"
        set schedule "always"
        set service "PING"
    next
end

 

Hub configuration of the BGP and Static routes:

 

config router route-map
    edit "LOCAL_REGION"
        config rule
            edit 1
                set set-community "no-export"
            next
        end
    next
end

 

config router bgp
    set as 65000
    set router-id 10.23.0.1
    set keepalive-timer 15
    set holdtime-timer 45
    set ebgp-multipath enable
    set ibgp-multipath enable
    set recursive-next-hop enable <- Allows BGP routes to be considered for recursive lookup. By default, BGP routes are not considered.
    set recursive-inherit-priority enable <- Inherit the priority of the recursive lookup route.
    config neighbor-group
        edit "Spokes"
            set advertisement-interval 1
            set next-hop-self enable
            set soft-reconfiguration enable
            set interface "loopback1"
            set remote-as 65000
            set update-source "loopback1"
        next
    end
    config neighbor-range
        edit 3
            set prefix 10.23.0.0 255.255.255.0
            set neighbor-group "Spokes"
        next
    end
    config network
        edit 3
            set prefix 10.100.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.23.0.0 255.255.255.0
            set route-map "LOCAL_REGION"
        next
    end
end

  

config router static
    edit 1
        set distance 1
        set sdwan-zone "Underlay"
    next
    edit 2
        set dst 10.23.0.0 255.255.255.0
        set comment "Prevents recursive lookup on the spokes to use the underlay and allows BGP to advertise this subnet to the spokes"
        set blackhole enable
        set vrf 0
    next
    edit 3
        set dst 10.100.0.0 255.255.0.0
        set comment "Prevents corporate traffic from leaking out on the underlay"
        set blackhole enable
        set vrf 0
    next
end

 

The following policy-based route ensures that traffic arriving on an overlay stays on that same overlay:

 

config router policy
    edit 1
        set input-device "ADVPN1"
        set srcaddr "all"
        set dstaddr "Spoke-Subnets"
        set output-device "ADVPN1"
    next
end

 

Spoke Configuration Template:

 

Spoke interface configuration:

 

config system interface
    edit "port1" <- port1 used for primary ISP.
        set ip 10.77.77.3 255.255.255.0
        set allowaccess ping
    next
    edit "port3" <- port3 used for the LAN.
        set ip 10.100.3.1 255.255.255.0
        set allowaccess ping
    next
    edit "loopback1" <- Loopback used for BGP peering.
        set vdom "root"
        set ip 10.23.0.3 255.255.255.255 <- IP used for BGP peering.
        set allowaccess ping
        set type loopback
    next
end

 

Set a local location ID in the form of an IPv4 address to easily identify devices in IPsec VPN output:

 

config system settings
    set location-id 10.23.0.3 <- IP used for location identification in IPsec VPN; this is the same IP as loopback1, which is used for BGP peering.
end

 

Spoke IPsec VPN Phase1 and Phase2 configuration:

 

config vpn ipsec phase1-interface
    edit "ADVPN1"
        set interface "port1" <- Select the primary ISP connection. In this specific template, port1 is used.
        set ike-version 2
        set peertype any
        set net-device enable <- This differs from the hub configuration: on the spoke, net-device must be enabled so that each shortcut gets its own virtual interface.
        set exchange-ip-addr4 10.23.0.3 <- Exchanges the loopback1 IP with the remote peer.
        set proposal aes256gcm-prfsha384
        set add-route disable <- Disables adding a route for the phase 2 selector.
        set dpd on-idle
        set dhgrp 14
        set auto-discovery-receiver enable <- Allows the spoke to receive auto-discovery shortcut messages from the hub.
        set network-overlay enable <- Enables network overlay identifiers so that each overlay can be given a unique ID if multiple overlays are needed.
        set network-id 10 <- Network overlay identifier.
        set remote-gw 10.77.77.1
        set psksecret <preshared key>
        set dpd-retrycount 2
        set dpd-retryinterval 1
    next
end

config vpn ipsec phase2-interface
    edit "ADVPN1"
        set phase1name "ADVPN1"
        set proposal aes256gcm
        set keepalive enable
    next
end

 

Create Firewall Address Objects Required:

 

config firewall address
    edit "Spoke-Subnets"
        set subnet 10.100.0.0 255.255.0.0
    next
end

 

Spoke SDWAN Configuration:

 

config system sdwan
    set status enable
    config zone
        edit "Underlay" <- Zone that will be used for all the Underlay interfaces.
        next
        edit "ADVPN" <- Zone that will be used for all the Overlay interfaces.
            set service-sla-tie-break fib-best-match
        next
    end
    config members
        edit 1
            set interface "ADVPN1"
            set zone "ADVPN"
            set source 10.23.0.3 <- Set the loopback1 IP as the source.
        next
        edit 2
            set interface "port1"
            set zone "Underlay"
            set gateway 10.77.77.254
        next
    end
    config health-check
        edit "Google_DNS"
            set server "8.8.8.8" "8.8.4.4"
            set members 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 3
                    set packetloss-threshold 1
                next
            end
        next
        edit "HUB"
            set server "10.23.1.1" <- Set the hub loopback2 IP for the SLA.
            set embed-measured-health enable
            set sla-fail-log-period 10
            set sla-pass-log-period 10
            set members 1
            config sla
                edit 1
                    set link-cost-factor latency
                    set latency-threshold 100
                next
            end
        next
    end
    config service
        edit 3
            set name "hub_01"
            set mode sla
            set dst "Spoke-Subnets"
            set src "Spoke-Subnets"
            config sla
                edit "HUB"
                    set id 1
                next
            end
            set priority-members 1
        next
        edit 2
            set name "Internet_Rule"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "Google_DNS"
                    set id 1
                next
            end
            set priority-members 2
        next
    end
end

 

Spoke firewall policy configuration:

 

config firewall policy
    edit 1
        set name "Internet Policy"
        set srcintf "port3"
        set dstintf "Underlay"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "LAN to ADVPN"
        set srcintf "port3"
        set dstintf "ADVPN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "ADVPN to LAN"
        set srcintf "ADVPN"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "VPN to Loopback"
        set srcintf "ADVPN"
        set dstintf "loopback1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "BGP" "PING"
    next
end

 

Spoke configuration of the BGP and Static routes:

 

config router route-map
    edit "H1_TAG"
        config rule
            edit 1
                unset set-ip-prefsrc
                set set-tag 1 <- Sets a route-tag on routes from Hub1. If another hub is configured, configure a different route-map that sets a unique route-tag per hub.
            next
        end
    next
    edit "SLA_OK"
        config rule
            edit 1
                set set-community "65001:99"
                unset set-ip-prefsrc
            next
        end
    next
end

 

config router bgp
    set as 65000
    set router-id 10.23.0.3
    set keepalive-timer 15
    set holdtime-timer 45
    set ibgp-multipath enable
    set recursive-next-hop enable <- Allows BGP routes to be considered for recursive lookup. By default, BGP routes are not considered.
    set tag-resolve-mode merge <- Merge tag-match with best-match if they are using different routes. The result will exclude the next hops of tag-match whose interfaces have appeared in best-match.
    config neighbor
        edit "10.23.0.1"
            set advertisement-interval 1
            set soft-reconfiguration enable
            set interface "loopback1"
            set remote-as 65000
            set route-map-in "H1_TAG"
            set route-map-out-preferable "SLA_OK"
            set connect-timer 1
            set update-source "loopback1"
        next
    end
    config network
        edit 1
            set prefix 10.100.3.0 255.255.255.0
        next
    end
end

 

 

config router static
    edit 1
        set distance 1
        set sdwan-zone "Underlay" "ADVPN"
    next
end
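The hub and spoke templates above only work together when a handful of settings agree across the two devices. As an added check that is not part of this article or of FortiOS, the following Python script parses CLI excerpts written in the same style (including the "<-" annotations) and verifies the pairing rules stated above: net-device disabled on the hub and enabled on the spoke, auto-discovery sender/receiver set, matching network-id, exchange-ip-addr4 equal to each device's loopback1, the spoke's remote-gw equal to the hub's port1 IP, and the spoke's HUB health-check pointing at the hub's loopback2. The parser, the check function and the HUB/SPOKE excerpts are constructed for this example.

```python
import re

def parse_fortios(text):
    """Nest a FortiOS CLI snippet into dicts ('config'/'edit' open a table,
    'set' stores a value list, 'next'/'end' close); '<-' notes are stripped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("<-")[0].strip()
        if not line:
            continue
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def check_advpn_pair(hub_cfg, spoke_cfg):
    """Return the article's hub/spoke invariants that the pair violates."""
    h, s = parse_fortios(hub_cfg), parse_fortios(spoke_cfg)
    hp, sp = h["vpn ipsec phase1-interface"]["ADVPN1"], s["vpn ipsec phase1-interface"]["ADVPN1"]
    hub_if, spoke_if = h["system interface"], s["system interface"]
    rules = [
        (hp.get("net-device") == ["disable"], "hub: net-device must be disable (tunnel-search)"),
        (sp.get("net-device") == ["enable"], "spoke: net-device must be enable (shortcut interfaces)"),
        (hp.get("auto-discovery-sender") == ["enable"], "hub: auto-discovery-sender not enabled"),
        (sp.get("auto-discovery-receiver") == ["enable"], "spoke: auto-discovery-receiver not enabled"),
        (hp.get("network-id") is not None and hp.get("network-id") == sp.get("network-id"),
         "network-id missing or differs between hub and spoke"),
        (hp.get("exchange-ip-addr4") == hub_if["loopback1"]["ip"][:1], "hub: exchange-ip-addr4 is not loopback1"),
        (sp.get("exchange-ip-addr4") == spoke_if["loopback1"]["ip"][:1], "spoke: exchange-ip-addr4 is not loopback1"),
        (sp.get("remote-gw") == hub_if["port1"]["ip"][:1], "spoke: remote-gw is not the hub port1 IP"),
        (s["system sdwan"]["health-check"]["HUB"].get("server") == hub_if["loopback2"]["ip"][:1],
         "spoke: HUB health-check server is not the hub loopback2 IP"),
    ]
    return [msg for ok, msg in rules if not ok]

# Constructed excerpts of the article's templates (not complete configs).
HUB = "\n".join(['config system interface', 'edit "port1"', 'set ip 10.77.77.1 255.255.255.0', 'next',
    'edit "loopback1"', 'set ip 10.23.0.1 255.255.255.255', 'next', 'edit "loopback2"',
    'set ip 10.23.1.1 255.255.255.255', 'next', 'end', 'config vpn ipsec phase1-interface', 'edit "ADVPN1"',
    'set net-device disable <- uses tunnel-search', 'set exchange-ip-addr4 10.23.0.1',
    'set auto-discovery-sender enable', 'set network-id 10', 'next', 'end'])
SPOKE = "\n".join(['config system interface', 'edit "loopback1"', 'set ip 10.23.0.3 255.255.255.255', 'next',
    'end', 'config vpn ipsec phase1-interface', 'edit "ADVPN1"', 'set net-device enable',
    'set exchange-ip-addr4 10.23.0.3', 'set auto-discovery-receiver enable', 'set network-id 10',
    'set remote-gw 10.77.77.1', 'next', 'end', 'config system sdwan', 'config health-check', 'edit "HUB"',
    'set server "10.23.1.1"', 'next', 'end', 'end'])
```

Calling check_advpn_pair(HUB, SPOKE) returns an empty list for the consistent pair; change the spoke's network-id or net-device and the corresponding messages are returned.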
