Created on 10-18-2022 04:36 PM. Edited on 08-19-2023 06:45 AM by Anthony_E.
Description:
This article describes how to implement 'Hub and spoke' (or 'Point to multi-point') IPsec with static routes, with ADVPN disabled.
Scope:
Scenario: (diagram in the original article)
Solution:
Diagram: (in the original article)
For the full configuration, refer to this KB.
By default, the IPsec configuration wizard uses BGP as the overlay routing protocol. This article explains how to use static routes instead.
For IPsec point-to-multipoint with BGP as the overlay routing protocol, refer to this KB.
Every IPsec interface must be assigned an IP address.
Set the required static routes on the Hub, SpokeA and SpokeB.
To configure a gateway on the Hub for the hub_spoke interface in the static route, it is necessary to disable net-device in the VPN phase1:
config vpn ipsec phase1-interface
    edit <phase1-name>
        set net-device disable
    next
end
Note: After disabling net-device in the VPN, a gateway can be configured only for the dialup tunnel, not for a normal IPsec VPN. The route appears on the Hub and on the Spoke.
By default, 'exchange-interface-ip' is disabled.
As a result, 'virtual-interface-addr' shows no IP address for the pairing interface.
A spoke client cannot communicate with another spoke client.
Enable 'exchange-interface-ip' on the IPsec phase1-interface.
'virtual-interface-addr' now shows the IP address of the pairing interface.
With the IKE debug running (diagnose debug application ike -1), what happens at the backend can be seen:
add INTERFACE-ADDR4 10.10.10.1
update peer route 0.0.0.0 --> 10.10.10.3
Now both spoke clients can communicate with each other.
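The steps above put together as one configuration for the Hub and SpokeA. This is an added example, not the KB's own configuration: the interface names, overlay and LAN addresses, and the PSK and hub WAN placeholders are assumptions, and phase2, firewall policies and SpokeB are left out (SpokeB mirrors SpokeA with 10.10.10.3, and the Hub gets a second static route for SpokeB's LAN).

```fortios
# Added example (not the KB's config). Assumed: hub phase1 "hub_spoke" on port1, spoke
# phase1 "spoke_hub", overlay 10.10.10.0/24 (hub .1, SpokeA .2, SpokeB .3), LANs 192.168.{1,2,3}.0/24.
# --- Hub ---
config vpn ipsec phase1-interface
    edit "hub_spoke"
        set type dynamic
        set interface "port1"
        # net-device disable: required before a gateway can be set on the static route
        set net-device disable
        set exchange-interface-ip enable
        set psksecret <PSK-PLACEHOLDER>
    next
end
config system interface
    edit "hub_spoke"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
config router static
    # SpokeA LAN via the dialup tunnel; the gateway is SpokeA's overlay address
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set gateway 10.10.10.2
        set device "hub_spoke"
    next
end
# --- SpokeA ---
config vpn ipsec phase1-interface
    edit "spoke_hub"
        set interface "port1"
        set remote-gw <HUB-WAN-IP-PLACEHOLDER>
        set exchange-interface-ip enable
        set psksecret <PSK-PLACEHOLDER>
    next
end
config system interface
    edit "spoke_hub"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end
config router static
    # hub LAN and the other spoke LANs all sit behind the hub: one summary route
    edit 10
        set dst 192.168.0.0 255.255.0.0
        set gateway 10.10.10.1
        set device "spoke_hub"
    next
end
```

Spoke-to-spoke traffic transits the Hub, so the Hub's static route with a gateway (the part that needs net-device disabled) is what lets SpokeA reach SpokeB's LAN.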
Conclusion:
Tested on: FortiGate v7.0.6
Fortinet Documentation:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/523447/configure-dial-up-dynamic-vpn
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/390427/configure-bgp