Created on 10-11-2022 12:57 PM Edited on 10-11-2022 12:59 PM By Anonymous
Description: This article describes how to implement Hub and Spoke ADVPN using the IPsec wizard.
Scope: FortiGate v7.2.1.
Scenario:
1) Hub and Spoke IPsec topology.
2) A client behind one spoke must be able to communicate with a client behind another spoke directly, over an on-demand tunnel (the ADVPN shortcut feature).
3) BGP is the overlay routing protocol.
Solution:
Diagram:
Note:
The FortiGate Hub and Spoke IPsec wizard uses BGP as the overlay routing protocol and enables the ADVPN feature. The wizard configures the following on each node:
1) Routing protocol: BGP
2) Firewall policies
3) IPsec tunnel interface address
4) Address objects
Let's start with the HUB node:
Incoming interface: the underlay (physical) interface the IPsec tunnel is bound to, i.e. the interface on which the spokes reach the hub.
Tunnel IP: the hub's IPsec tunnel interface address (10.10.10.1).
Remote IP/Netmask: a dummy address inside the same overlay subnet (10.10.10.254/24). The address itself is not assigned to any device; its /24 netmask is what gives the hub a connected route to the whole 10.10.10.0/24 overlay through the tunnel interface.
Local AS: any AS number can be used (refer to the BGP routing protocol documentation); in this case the private AS 65000 is used on all nodes, so the peering is iBGP.
Local interface: the interface where the local subnet is connected.
Local subnet: the network behind the hub that will be advertised to the spokes via BGP.
Spoke type: 'range' or 'individual'. For 'range', refer to https://docs.fortinet.com/document/fortigate/6.0.0/handbook/190962/bgp. In this case 'individual' is used, with SpokeA defined as 10.10.10.2 and SpokeB as 10.10.10.3.
This is the last step of creating the HUB IPsec configuration. Copy the configuration keys shown for Spoke #1 (SpokeA) and Spoke #2 (SpokeB) into a text editor; each key is pasted into the corresponding spoke's wizard in the next steps.
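As an added example (not the wizard output attached to this article and not Fortinet's own reference configuration), the following is a hand-written CLI equivalent of what the HUB steps above produce. The tunnel and policy names, the underlay interface port1, the LAN interface port2, the LAN subnet 192.168.1.0/24 and the pre-shared key placeholder are assumptions; the tunnel IP 10.10.10.1, the dummy remote IP 10.10.10.254/24, AS 65000 and the spoke tunnel IPs 10.10.10.2 and 10.10.10.3 come from the article. Lines starting with # are comments for the reader. Compare it against the attached wizard configuration before relying on any line of it.

```fortios
# HUB: added example, hand-written equivalent of the wizard's HUB steps.
# Assumed: object names, port1 (underlay), port2 (LAN), 192.168.1.0/24 (LAN), PSK placeholder.
config vpn ipsec phase1-interface
    edit "HUB"
        # spokes dial in, so the hub has no fixed remote gateway
        set type dynamic
        # "Incoming interface" in the wizard
        set interface "port1"
        set ike-version 2
        # any peer presenting the PSK is accepted: protect the PSK accordingly
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        # routes come from BGP, not from IKE
        set add-route disable
        set dpd on-idle
        # ADVPN: the hub offers spoke-to-spoke shortcuts
        set auto-discovery-sender enable
        set psksecret <shared-psk>
    next
end
config vpn ipsec phase2-interface
    edit "HUB"
        set phase1name "HUB"
        set proposal aes256-sha256
    next
end
config system interface
    edit "HUB"
        # "Tunnel IP"
        set ip 10.10.10.1 255.255.255.255
        # dummy "Remote IP"; its /24 installs the connected route to the overlay
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
config router bgp
    set as 65000
    config neighbor
        # "individual" spoke type: one neighbor per spoke tunnel IP.
        # route-reflector-client lets the hub re-advertise SpokeA's prefix to SpokeB
        # with SpokeA's tunnel IP as next hop, which is what triggers the shortcut.
        edit "10.10.10.2"
            set remote-as 65000
            set route-reflector-client enable
        next
        edit "10.10.10.3"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config network
        edit 1
            # "Local subnet"
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end
config firewall policy
    edit 1
        set srcintf "HUB"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "port2"
        set dstintf "HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        # spoke-to-spoke traffic transits the hub until the shortcut is up
        set srcintf "HUB"
        set dstintf "HUB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The policies above use "all" for brevity; the wizard creates address objects for the local and remote subnets, and scoping the policies to those objects instead of "all" is the tighter choice. Note also that with a dynamic gateway and `set peertype any`, every host that knows the pre-shared key can bring up a tunnel to the hub, so the PSK should be treated as a credential and, for more than a couple of spokes, peer IDs or certificate authentication are preferable.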
Now let's create the IPsec configuration on SpokeA. Paste the configuration key copied in the last step of the HUB configuration into the 'Easy configuration key' field and select Apply.
Remote IP address: the IP address of the HUB (192.168.12.2).
Outgoing interface: the underlay (physical) interface for this IPsec tunnel (port6).
Pre-shared key: the same pre-shared key as on the HUB.
Tunnel IP: the spoke's IPsec tunnel interface address (10.10.10.2).
Remote IP/Netmask: the HUB's tunnel IP address (10.10.10.1).
Local interface: the interface where the local subnet is connected.
Local subnet: the network behind this spoke that will be advertised to the HUB (and, through the HUB, to the other spoke) via BGP.
This is the last step of the SpokeA configuration.
The configuration steps on SpokeB are the same as on SpokeA; repeat them there with SpokeB's own configuration key, tunnel IP (10.10.10.3) and local subnet. The spoke-to-spoke (shortcut) tunnel is created on demand: when traffic between the two spoke subnets is initiated it first passes through the HUB, which triggers the shortcut. When there is no traffic on the shortcut for some period of time, it is torn down and traffic falls back to the path through the HUB.
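As an added example (not the wizard output attached to this article and not Fortinet's own reference configuration), the following is a hand-written CLI equivalent of the SpokeA steps above. The names, the LAN interface port2, the LAN subnet 192.168.2.0/24 and the pre-shared key placeholder are assumptions; port6, the hub address 192.168.12.2, the tunnel IP 10.10.10.2, the hub tunnel IP 10.10.10.1 and AS 65000 come from the article. The article gives no netmask for the spoke's Remote IP, so /24 is assumed here; without a /24 (or an equivalent static route for 10.10.10.0/24 via the tunnel) the spoke has no route to SpokeB's tunnel IP and the shortcut is never triggered. Lines starting with # are comments for the reader.

```fortios
# SpokeA: added example, hand-written equivalent of the wizard's spoke steps.
# Assumed: object names, port2 (LAN), 192.168.2.0/24 (LAN), PSK placeholder, /24 on remote-ip.
config vpn ipsec phase1-interface
    edit "SpokeA"
        # "Outgoing interface"
        set interface "port6"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        # ADVPN: accept shortcut offers from the hub and build spoke-to-spoke tunnels
        set auto-discovery-receiver enable
        # "Remote IP address": the HUB
        set remote-gw 192.168.12.2
        set psksecret <shared-psk>
    next
end
config vpn ipsec phase2-interface
    edit "SpokeA"
        set phase1name "SpokeA"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
config system interface
    edit "SpokeA"
        # "Tunnel IP"
        set ip 10.10.10.2 255.255.255.255
        # HUB tunnel IP; the (assumed) /24 gives a connected route to the whole overlay,
        # so the BGP next hop of the other spoke (10.10.10.3) is reachable via the tunnel
        set remote-ip 10.10.10.1 255.255.255.0
    next
end
config router bgp
    set as 65000
    config neighbor
        # iBGP peering with the hub over the tunnel
        edit "10.10.10.1"
            set remote-as 65000
        next
    end
    config network
        edit 1
            # "Local subnet"
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end
config firewall policy
    # the shortcut is a child of the same phase1, so these policies also cover
    # spoke-to-spoke traffic once the shortcut is up
    edit 1
        set srcintf "port2"
        set dstintf "SpokeA"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "SpokeA"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To check the result: `get router info bgp summary` on the HUB should show both spoke neighbors as Established, `get router info routing-table bgp` on SpokeA should list SpokeB's subnet with next hop 10.10.10.3 (learned through the hub, which keeps the originating spoke as next hop because it is a route reflector), and `get vpn ipsec tunnel summary` or `diagnose vpn tunnel list` on a spoke should show an additional shortcut entry under the SpokeA phase1 only after traffic between the two spoke subnets has flowed. As with the HUB, scope the policies to the address objects the wizard creates rather than "all".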
Conclusion:
1) This wizard is suitable for a new implementation with one hub and two spokes.
2) It is also suitable for a beginner: it creates everything required for Hub and Spoke ADVPN, including the BGP routing configuration and the firewall policies.
Note: the attached files are the configurations created by this IPsec wizard, together with the 'routing and IPsec information'.
Copyright 2024 Fortinet, Inc. All Rights Reserved.