Created on 10-18-2022 03:17 PM Edited on 10-18-2022 03:19 PM By Anonymous
Description
This article describes how to implement a 'Hub and Spoke' (point-to-multipoint) IPsec topology with ADVPN disabled.

Scope
Scenario:
1) Hub and Spoke IPsec topology.
2) A spoke client must be able to communicate with another spoke client via the hub.
3) BGP is the overlay routing protocol.
4) ADVPN is disabled.

Solution
Diagram
For the full configuration, refer to this KB article: Technical Tip: Implement Hub and Spoke ADVPN – usi... - Fortinet Community
The spoke-client route must be installed in the routing table (protocol BGP).
If the ADVPN feature is not to be enabled, but end-to-end communication between clients behind spoke or hub nodes is still required, the following settings apply. The exchange-interface-ip option is enabled to allow the exchange of IPsec interface IP addresses; this allows a point-to-multipoint connection to the hub FortiGate. The add-route option is disabled to allow multiple dial-up tunnels to be established to the same host that advertises the same network. Dynamic network discovery is then handled by the BGP configuration; see Configure BGP (linked below) for details.
By default 'exchange-interface-ip' is disabled.
It can be seen that 'virtual-interface-addr' holds no IP address for its pairing interface.
A spoke-client cannot communicate with another spoke-client.
Enable 'exchange-interface-ip' on the IPsec phase1-interface.
'virtual-interface-addr' now holds the IP address of its pairing interface.
With IKE debugging enabled, what happens at the backend can be seen:
diagnose debug application ike -1
'add INTERFACE-ADDR4 10.10.10.1'
'update peer route 0.0.0.0 --> 10.10.10.3'
Now both spoke-clients can communicate with each other.
Tested on: FortiGate v7.0.6
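The hub-side settings the steps above turn on, as an added configuration example that is not the article's own config: 'add-route' disabled and 'exchange-interface-ip' enabled on the dial-up phase1-interface, the tunnel interface address that seeds the 10.10.10.0/24 overlay, and a BGP neighbor-range so dynamically addressed spokes peer without a per-spoke neighbor statement. Phase2 selectors are shown with their default 0.0.0.0/0 selectors; firewall policies and the spoke-side mirror follow the linked full-config KB. The interface name port1, AS 65001, the object names and the <...> placeholders are assumptions.

```fortios
# Hub dial-up phase1: constructed example, names and AS are assumptions
config vpn ipsec phase1-interface
    edit "hub-dial"
        set type dynamic
        set interface "port1"
        set ike-version 2
        # no kernel route is installed per dial-up peer; BGP supplies spoke prefixes
        set add-route disable
        # tunnel interface IPs are exchanged, so the hub learns each spoke's 10.10.10.x
        set exchange-interface-ip enable
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "hub-dial-p2"
        set phase1name "hub-dial"
    next
end
# Hub overlay address; remote-ip with a /24 mask defines the range spokes fall into
config system interface
    edit "hub-dial"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
# iBGP over the overlay; the hub reflects spoke-1's prefixes to spoke-2 and vice versa
config router bgp
    set as 65001
    config neighbor-group
        edit "spokes"
            set remote-as 65001
            set route-reflector-client enable
        next
    end
    # any peer whose exchanged tunnel IP is in 10.10.10.0/24 joins the group dynamically
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "spokes"
        next
    end
end
```

After a spoke connects, 'get router info bgp summary' on the hub should list the spoke's exchanged tunnel IP (10.10.10.3 in the debug above) as an established neighbor, and the other spoke's LAN prefix should appear in 'get router info routing-table bgp'.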
Fortinet Documentation:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/523447/configure-dial-up-dynamic-vpn
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/390427/configure-bgp