FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lestopace
Staff
Staff
Description This article describes how to force ADVPN shortcuts to be created on their respective VPN tunnels.
Scope FortiGate
Solution

 

Problem :

 

Due to the routing decision of the Hub, the ADVPN shortcut tunnel at BR-2 was created on HUB1-VPN3 instead of HUB1-VPN1 where it was created for the BR-1.

 

lestopace_0-1649585250778.png

 

Solution :

 

Configure a policy routing or SD-WAN rule in the Hub.

 

# config system sdwan
    config service
      edit 1
       set name "ToBranches1"
       set input-device "VPN1"
       set route-tag 1
       set src "all"
       set priority-members 3
      next
      edit 2
       set name "ToBranches2"
       set input-device "VPN2"
       set route-tag 2
       set src "all"
       set priority-members 4
      next
      edit 3
       set name "ToBranches3"
       set input-device "VPN3"
       set route-tag 3
       set src "all"
       set priority-members 5
      next
      edit 4
       set name "ToBranches4"
       set input-device "VPN4"
       set route-tag 4
       set src "all"
       set priority-members 6
      next
    end
  end

 

In this example, route-tagging was used on the SD-WAN rules for simplicity but it is not necessarily required. Configuring SD-WAN rules or policy routes with specific subnets will suffice as long as the respective source interface and priority members are set. 

 

For more information regarding BGP and SD-WAN route-tagging, check the article below.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-BGP-and-SD-WAN-for-advertising...

 

Results :

 

lestopace_1-1649586023256.png

 

lestopace_2-1649586130698.png

 

 

 

 

Contributors