FortiGate
iskandar_lie (Staff)
Article Id 227035
Description This article describes how to implement a 'Hub and Spoke' (point-to-multipoint) IPsec topology with ADVPN disabled, where spoke clients reach each other through the hub and BGP over the tunnels provides the routes.
Scope

Scenario:

  1. Hub and Spoke IPsec topology.
  2. Each spoke client must be able to communicate with the other spoke clients via the hub.
  3. BGP is the overlay routing protocol.
  4. ADVPN is disabled (no spoke-to-spoke shortcut tunnels).
Solution

Diagram: (topology screenshot not reproduced in this text)


For the full configuration, see: Technical Tip: Implement Hub and Spoke ADVPN – using IPsec wizard.

 

The spoke-client route must be installed in the routing table, learned via BGP rather than as a static or tunnel-derived route:

 


 

The ADVPN feature is not required, but end-to-end communication between clients behind any spoke or the hub is a requirement.

The exchange-interface-ip option is enabled so that the IPsec tunnel interface IP addresses are exchanged between peers during IKE negotiation. The hub then knows each spoke's tunnel address, which allows a point-to-multipoint connection to the hub FortiGate.

The add-route option is disabled so that multiple dial-up tunnels can be established to the same hub even when the peers negotiate the same networks in phase 2: instead of installing static routes derived from the phase 2 selectors of each tunnel, reachability is learned dynamically through BGP. See Configure BGP for details.
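The following CLI is an added example, not the article's own configuration (which is in the linked Technical Tip). It shows the minimum hub and spoke settings the scenario depends on: a dynamic phase1 on the hub with exchange-interface-ip enabled and add-route disabled, a /24 remote-ip on the tunnel interfaces so every spoke's tunnel address is on-link and BGP next hops resolve, iBGP with the hub as route reflector so spokes learn each other's prefixes, and a hub policy that lets spoke-to-spoke traffic re-enter the same tunnel interface. Interface names, the addressing (hub tunnel IP 10.10.10.1, spokes 10.10.10.2 and 10.10.10.3, LANs 192.168.1.0/24 and 192.168.2.0/24, hub WAN 203.0.113.1), AS 65000 and the pre-shared key are assumed values.

```fortios
# --- HUB: one dynamic tunnel interface terminates every spoke (assumed names/IPs)
config vpn ipsec phase1-interface
    edit "Hub2Spoke"
        set type dynamic
        set interface "port1"              # assumed WAN interface
        set ike-version 2
        set peertype any
        set net-device disable             # single shared tunnel interface
        set proposal aes256-sha256
        set add-route disable              # routes come from BGP, not phase 2 selectors
        set exchange-interface-ip enable   # learn each spoke's tunnel IP
        set psksecret "assumed-psk-change-me"
    next
end
config vpn ipsec phase2-interface
    edit "Hub2Spoke"
        set phase1name "Hub2Spoke"
    next
end
# /24 remote-ip puts every spoke tunnel address on-link, so BGP next hops resolve.
config system interface
    edit "Hub2Spoke"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
# iBGP: any peer in 10.10.10.0/24 is a spoke; reflect routes so spokes learn each other.
config router bgp
    set as 65000
    config neighbor-group
        edit "spokes"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "spokes"
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0   # hub LAN
        next
    end
end
# Spoke-to-spoke traffic enters and leaves the hub on the same tunnel interface.
config firewall policy
    edit 1
        set name "spoke-to-spoke-via-hub"
        set srcintf "Hub2Spoke"
        set dstintf "Hub2Spoke"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# --- SPOKE (repeat per spoke with its own tunnel IP and LAN prefix) ----
config vpn ipsec phase1-interface
    edit "Spoke2Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set exchange-interface-ip enable
        set remote-gw 203.0.113.1          # assumed hub public IP
        set psksecret "assumed-psk-change-me"
    next
end
config vpn ipsec phase2-interface
    edit "Spoke2Hub"
        set phase1name "Spoke2Hub"
    next
end
config system interface
    edit "Spoke2Hub"
        set ip 10.10.10.2 255.255.255.255    # 10.10.10.3 on the next spoke
        set remote-ip 10.10.10.1 255.255.255.0
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "10.10.10.1"
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0   # this spoke's LAN
        next
    end
end
```

Each device still needs its ordinary LAN-to-tunnel and tunnel-to-LAN firewall policies, and a production deployment should replace the pre-shared key with certificate authentication. To verify: 'diagnose vpn ike gateway list' should show 'virtual-interface-addr' populated with the peer's tunnel IP on both sides, 'get router info bgp summary' should show each spoke as an established neighbor of the hub, and 'get router info routing-table bgp' on a spoke should list the other spoke's LAN prefix with a next hop inside 10.10.10.0/24.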

 


 

By default, 'exchange-interface-ip' is disabled.

 

In the IKE gateway output ('diagnose vpn ike gateway list'), 'virtual-interface-addr' shows no IP address for the peer's tunnel interface.

 


 

As a result, a spoke client cannot communicate with another spoke client.

 


 

Enable 'exchange-interface-ip' on the IPsec phase1-interface, on the hub and on every spoke.

 

Note:

The 'exchange-interface-ip' option is only available when both auto-discovery options ('auto-discovery-sender' and 'auto-discovery-receiver') are disabled. If either of them is enabled, 'exchange-interface-ip' is not available.

 


 

'virtual-interface-addr' now shows the IP address of the peer's tunnel interface.

 


 

With IKE debugging enabled, what happens at the backend can be seen:

diagnose debug application ike -1
diagnose debug enable

The local tunnel interface address is added to the IKE exchange, and the peer route is updated from 0.0.0.0 (unknown) to the address learned from the peer:

'add INTERFACE-ADDR4 10.10.10.1'
'update peer route 0.0.0.0 --> 10.10.10.3'

 


 

Now both spoke clients can communicate with each other through the hub.

 


 

Tested on: FortiGate v7.0.6

 

Fortinet Documentation:

Configure dial-up dynamic VPN

vpn ipsec {phase1-interface | phase1}

Technical Tip: 'set net-device' new route-based IPsec logic

Dynamic tunnel interface creation

Configure BGP

Technical Tip: ADVPN with BGP as the routing protocol