Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie
Staff
Staff

Created on ‎10-18-2022 03:17 PM Edited on ‎07-17-2025 02:26 AM By Community Manager

Article Id 227035

Technical Tip: Implement Hub and Spoke or point to multipoint IPsec - ADVPN disabled

Description This article describes how users can implement 'Hub and Spoke' or 'point-to-multipoint' IPSec-ADVPN disabled.
Scope

Scenario:

  1. HUB and Spoke IPSec  topology.
  2. Spoke client must be able to communicate with another spoke client via Hub.
  3. BGP is the overlay routing protocol.
  4. ADVPN is disabled.
Solution

Diagram

 

iskandar_lie_0-1666115647874.png

 

For full config, refer to this KB article: Technical Tip: Implement Hub and Spoke ADVPN – usi... - Fortinet Community

 

spoke-client route must be installed on routing table (protocol BGP) 

 

iskandar_lie_1-1666115802695.png

 

For some reason, If one do not wish to enable ADVPN feature – however end-to- end communication between clients behind spoke or hub node is a requirement.  

The exchange-interface-ip option is enabled to allow the exchange of IPSec interface IP addresses. This allows a point to multi-point connection to the hub FortiGate.

The add-route option is disabled to allow multiple dial-up tunnels to be established to the same host that is advertising the same network. This dynamic network discovery is facilitated by the BGP configuration; see Configure BGP for details.

 

iskandar_lie_2-1666115926052.png

 

By default 'exchange-interface-ip' is disabled.

 

It can seen that 'virtual-interface-addr' has no ip address of their pairing interface.

 

iskandar_lie_3-1666115944910.png

 

iskandar_lie_4-1666115959625.png

 

Spoke-client cannot communicate with another spoke-client.

 

iskandar_lie_5-1666115983419.png

 

Enable 'exchange-interface-ip' on ipsec phase1-interface.

 

iskandar_lie_6-1666116000708.png

iskandar_lie_7-1666116008728.png

 

 'virtual-interface-addr' now has ip address of their pairing interface.

 

iskandar_lie_9-1666116170544.png

 

iskandar_lie_10-1666116178356.png

 

As debug is performed, what is going at the backend can be seen.

Debug application ike-1  

'add INTERFACE-ADDR4 10.10.10.1'

'update peer route 0.0.0.0 --> 10.10.10.3'

 

iskandar_lie_8-1666116132951.png

 

Now both spoke-clients can communicate with one each other.

 

iskandar_lie_11-1666116276712.png

 

iskandar_lie_12-1666116285326.png

 

Test on: FortiGate v. 7.0.6

 

Fortinet Documentation:

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/523447/configure-dial-up-dynamic-vpn

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/791036/vpn-ipsec-phase1-interface-p...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-net-device-new-route-based-IPsec-logic...

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/239039/dynamic-tunnel-interf...

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/390427/configure-bgp

https://community.fortinet.com/t5/FortiGate/Technical-Tip-ADVPN-with-BGP-as-the-routing-protocol/ta-...
8536
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.