Description
This article describes how to mix two types of Spokes within the same ADVPN Hub-and-Spoke architecture:
- Spokes which support Fortinet ADVPN (FortiOS 5.4 or newer).
- Spokes which do not support Fortinet ADVPN (FortiOS 5.2 or earlier, or IPsec gateways from other vendors).
If a Spoke runs a firmware older than FortiOS 5.4, or if it is an IPsec gateway from another vendor, it can still participate in the Hub & Spoke architecture, but it will not be able to negotiate shortcuts with other Spokes. Its traffic to other Spokes keeps transiting through the Hub.
Connecting ADVPN and non-ADVPN IPsec gateways on the same Hub’s phase1 requires specific configuration on the Hub and the non-ADVPN gateways.
This article is a complement to the related KB article 'Technical Tip: Fortinet Auto Discovery VPN (ADVPN)' which details Fortinet ADVPN principles and configuration (IPsec and BGP).
Scope
Fortinet Auto Discovery VPN (ADVPN) is available as of FortiOS 5.4.
Solution
Diagram:
The same design as KB article 'Technical Tip: Fortinet Auto Discovery VPN (ADVPN)' is used.
- The Hub protects LAN subnet 192.168.1.0/24
- The Hub’s overlay IP (i.e., its tunnel IP) is 10.10.10.1
- Each Spoke protects a LAN subnet 192.168.x.0/24 where x is the Spoke’s ID (e.g., Spoke-02 protects subnet 192.168.2.0/24).
- Each Spoke’s overlay IP is 10.10.10.x where x is the Spoke’s ID (e.g., Spoke-02 overlay IP is 10.10.10.2).
ADVPN-aware and non-ADVPN-aware spokes within the same ADVPN Hub-and-Spoke architecture:
Configuration:
IPsec:
This section describes:
- The IPsec configuration change which must be done on the Hub.
- The IPsec configuration which must be used on the non-ADVPN-aware FortiGates (FortiOS 5.2 or earlier).
The IPsec configuration of the ADVPN-aware Spokes (FortiOS 5.4 or newer) remains identical. No configuration change is needed.
See 'Technical Tip: Fortinet Auto Discovery VPN (ADVPN)'.
BGP:
The BGP configuration is unchanged on the Hub.
The BGP configuration of non-ADVPN-aware Spokes is identical to the BGP configuration of ADVPN-aware Spokes.
See 'Technical Tip: Fortinet Auto Discovery VPN (ADVPN)'.
The problem:
As part of ADVPN a new mechanism was added that allows a Spoke to dynamically advertise its overlay IP address to the Hub during IKE SA negotiation (phase1).
On the Hub, this overlay IP is associated to the Spoke’s dial-up tunnel.
This IP is required for BGP peering.
Non-ADVPN-aware Spokes have no such phase1 feature.
An alternative way for advertising the overlay IP to the Hub must therefore be used.
The solution:
Spoke’s protected subnet(s) can be advertised to the Hub during IPsec SA negotiation (quick-mode / phase2).
The Hub can be instructed to add a route back to the Spoke for this/these subnet(s). This is called reverse route injection or IKE routes.
This mechanism can be used to advertise a Spoke’s overlay IP to its Hub.
The solution consists of configuring:
- Non-ADVPN spokes with an additional phase2 used to advertise their overlay IP during an IPsec SA negotiation (phase2).
- The Hub with an additional phase2 used to learn non-ADVPN spokes overlay IP and inject a route back (IKE routes).
IPsec configuration change required on the Hub:
The phase1 configuration remains identical:
config vpn ipsec phase1-interface
edit "Spoke"
set type dynamic
set interface "port2"
set proposal aes128-sha1
set add-route disable
set auto-discovery-sender enable
set psksecret someSecureSecretKey
next
end
Only a new phase2 must be added. For comparison, the phase2 configuration for both scenarios is shown below.

When mixing ADVPN and non-ADVPN Spokes:

config vpn ipsec phase2-interface
edit "Spoke"
set phase1name "Spoke"
set proposal aes128-sha1
next
edit "Overlay_advertisement"
set phase1name "Spoke"
set proposal aes128-sha1
set add-route enable
set comments "Used by legacy Spokes (non-ADVPN aware) to advertise their overlay IP"
set dst-subnet 10.10.10.0 255.255.255.0
next
end

'add-route enable' is for reverse-route injection (IKE routes).
10.10.10.0/24 is the overlay subnet covering the overlay IP addresses of all Spokes.

With ADVPN-only Spokes:

config vpn ipsec phase2-interface
edit "Spoke"
set phase1name "Spoke"
set proposal aes128-sha1
next
end
It is mandatory that the name of the additional phase2 (here, 'Overlay_advertisement') sorts in alphabetical order before the name of the regular phase2 (here, 'Spoke').
This is because phase2 selector lookup is done in alphabetical order of the phase2 names.
The regular phase2 ('Spoke') is a catch-all (0.0.0.0/0 to 0.0.0.0/0) and would also match a Spoke's overlay IP advertisement if it were evaluated first. The additional phase2 ('Overlay_advertisement') is more specific (destination 10.10.10.0/24, add-route enabled); it is therefore mandatory that it be matched first. Note that a name such as 'Spoke_overlay' would sort after 'Spoke' and break the mechanism.
The phase2 order can be confirmed with:
Hub # diag vpn ike config list
vd: root/0
name: Spoke
serial: 1
version: 1
status.admin: up
status.operational: up
type: dynamic
local: 198.51.100.1
mode: main
dpd: on-demand retry-count 3 interval 20000ms
auth: psk
dhgrp: 14 5
fragmentation: enable
xauth: none
interface: port2
virtual-interface-addr: 10.10.10.1 -> 10.10.10.254
auto-discovery-sender: enable enable
auto-discovery-receiver: disable
add-route: disable
phase2s:
Overlay_advertisement proto 0 src 0.0.0.0/0.0.0.0:0 dst 10.10.10.0/255.255.255.0:0 dhgrp 14 5 replay add-route route-new
Spoke proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 14 5 replay !add-route route-new
policy: yes
This is the only extra configuration needed on the Hub should non-ADVPN-aware Spokes need to be part of an ADVPN Hub-and-Spoke architecture.
The rest of the configuration is identical to the only-ADVPN-spokes scenario.
See 'Technical Tip: Fortinet Auto Discovery VPN (ADVPN)'.
IPsec configuration for non-ADVPN-aware FortiGates:
config system interface
edit "Hub"
set vdom "root"
set ip 10.10.10.4 255.255.255.255 <----- The overlay IP of this Spoke.
set allowaccess ping
set type tunnel
set remote-ip 10.10.10.1 <----- The overlay IP of the Hub.
set interface "port2"
next
end
config vpn ipsec phase1-interface
edit "Hub"
set interface "port2"
set proposal aes128-sha1
set remote-gw 198.51.100.1
set psksecret someSecureSecretKey
next
end
config vpn ipsec phase2-interface
edit "Hub_overlayIP"
set comments "For advertising the overlay IP to the Hub"
set phase1name "Hub"
set proposal aes128-sha1
set keepalive enable
set auto-negotiate enable
set src-addr-type ip
set src-start-ip 10.10.10.4 <----- The overlay IP of this Spoke.
next
edit "Hub_traffic"
set comments "For carrying data traffic"
set phase1name "Hub"
set proposal aes128-sha1
set keepalive enable
set auto-negotiate enable
next
end
Again, it is mandatory that the name of the additional phase2 (here, 'Hub_overlayIP') sorts in alphabetical order before the name of the regular phase2 (here, 'Hub_traffic'), so that the specific selector (source 10.10.10.4/32) is matched before the catch-all one.
The phase2 order can be confirmed with:
Spoke04 # diagnose vpn ike config list
vd: root/0
name: Hub
serial: 1
version: 1
type: static
local: 0.0.0.0
remote: 198.51.100.1
mode: main
dpd: enable retry-count 3 interval 60000ms
auth: psk
dhgrp: 14 5
fragmentation: enable
xauth: none
interface: port2
phase2s:
Hub_overlayIP proto 0 src 10.10.10.4:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 14 5 replay keep-alive auto-negotiate
Hub_traffic proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0 dhgrp 14 5 replay keep-alive auto-negotiate
policy: yes
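The alphabetical-order requirement applies to both the Hub's phase2 pair ('Overlay_advertisement' before 'Spoke') and the non-ADVPN Spoke's phase2 pair ('Hub_overlayIP' before 'Hub_traffic'), and is easy to break by choosing a natural-looking name such as 'Spoke_overlay'. The following Python script is an added example, not part of this article or of FortiOS: it parses the flat 'config vpn ipsec phase2-interface' CLI layout used on this page, groups the phase2 entries by phase1name, and checks that every phase2 with a narrowed selector (dst-subnet or src-start-ip) sorts before the catch-all phase2, and that a Hub-side overlay phase2 has 'add-route enable'. The configurations embedded below are copied from this page; the 'Spoke_overlay' variant is constructed to show the failure case. Plain Python string ordering is assumed to approximate the FortiOS lookup order.

```python
import re

# Hub phase2 configuration from this page (mixed ADVPN / non-ADVPN Spokes).
HUB_PHASE2 = '''\
config vpn ipsec phase2-interface
edit "Spoke"
set phase1name "Spoke"
set proposal aes128-sha1
next
edit "Overlay_advertisement"
set phase1name "Spoke"
set proposal aes128-sha1
set add-route enable
set comments "Used by legacy Spokes (non-ADVPN aware) to advertise their overlay IP"
set dst-subnet 10.10.10.0 255.255.255.0
next
end
'''

# Non-ADVPN Spoke phase2 configuration from this page (annotation arrows kept on purpose).
SPOKE_PHASE2 = '''\
config vpn ipsec phase2-interface
edit "Hub_overlayIP"
set phase1name "Hub"
set proposal aes128-sha1
set keepalive enable
set auto-negotiate enable
set src-addr-type ip
set src-start-ip 10.10.10.4 <----- The overlay IP of this Spoke.
next
edit "Hub_traffic"
set phase1name "Hub"
set proposal aes128-sha1
set keepalive enable
set auto-negotiate enable
next
end
'''

# Constructed failure case: same Hub config, but the overlay phase2 is named
# 'Spoke_overlay', which sorts AFTER the catch-all 'Spoke'.
HUB_PHASE2_BAD = HUB_PHASE2.replace('edit "Overlay_advertisement"', 'edit "Spoke_overlay"')

# Settings that narrow the traffic selector; without them FortiOS uses 0.0.0.0/0.
SELECTOR_KEYS = ("dst-subnet", "dst-start-ip", "src-subnet", "src-start-ip")


def parse_phase2_interface(config_text):
    """Parse a flat 'config vpn ipsec phase2-interface' block into {name: {setting: value}}."""
    entries, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("<-----")[0].strip()  # drop the page's annotation arrows
        if not line or line.startswith("config ") or line == "end":
            continue
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if m and current is not None:
            value = m.group(2).strip().strip('"')
            entries[current][m.group(1)] = value
    return entries


def is_specific(settings):
    """True when the phase2 narrows its selector (Overlay_advertisement / Hub_overlayIP)."""
    return any(k in settings for k in SELECTOR_KEYS)


def check_phase2_order(entries):
    """Return problems where a specific phase2 sorts after a catch-all phase2 of the same phase1."""
    problems, by_phase1 = [], {}
    for name, settings in entries.items():
        by_phase1.setdefault(settings.get("phase1name"), []).append(name)
    for phase1, names in by_phase1.items():
        ordered = sorted(names)  # assumed FortiOS lookup order (alphabetical by name)
        catch_alls = [n for n in ordered if not is_specific(entries[n])]
        if not catch_alls:
            continue
        for n in ordered:
            if is_specific(entries[n]) and n > catch_alls[0]:
                problems.append(f"phase1 {phase1!r}: specific phase2 {n!r} sorts after "
                                f"catch-all {catch_alls[0]!r}; rename it so it sorts first")
    return problems


def check_hub_reverse_route(entries):
    """Hub side: a dst-subnet overlay phase2 must have 'add-route enable' (IKE routes)."""
    return [n for n, s in entries.items()
            if "dst-subnet" in s and s.get("add-route") != "enable"]


if __name__ == "__main__":
    for label, cfg in (("Hub", HUB_PHASE2), ("Spoke04", SPOKE_PHASE2), ("Hub (bad name)", HUB_PHASE2_BAD)):
        parsed = parse_phase2_interface(cfg)
        print(label, check_phase2_order(parsed) or "phase2 order OK",
              check_hub_reverse_route(parsed) or "add-route OK")
```

Run it against a configuration dumped with 'show vpn ipsec phase2-interface' before committing a rename; the 'Spoke_overlay' case reports a problem, while the page's own names pass.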
The BGP configuration is identical to the configuration detailed in 'Technical Tip: Fortinet Auto Discovery VPN (ADVPN)'.
Related article:
Technical Tip: Fortinet Auto Discovery VPN (ADVPN)