FortiGate
iskandar_lie, Staff
Article Id 227060
Description: This article describes how to implement 'Hub and spoke' or 'Point to multi-point' IPsec with static routes, with ADVPN disabled.
Scope

Scenario:

  1. Hub and Spoke IPsec topology.
  2. A spoke client must be able to communicate with another spoke client via the Hub.
  3. Static routing is the overlay routing protocol.
  4. ADVPN is disabled.
Solution

Diagram

 

iskandar_lie_0-1666116920984.png

For the full configuration, refer to this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implement-Hub-and-Spoke-ADVPN-using-IPsec-...

By default, the IPsec configuration wizard uses BGP as the overlay routing protocol. This article explains how to implement static routes instead.

 

For IPsec point-to-multipoint with BGP as the overlay routing protocol, refer to this KB:

https://community.fortinet.com/t5/FortiGate/Implement-Hub-and-Spoke-or-point-to-multipoint-IPsec-ADV...

Every IPsec interface must be assigned an IP address.

 

iskandar_lie_1-1666117077801.png

Set the required static routes on the Hub, SpokeA and SpokeB.

iskandar_lie_2-1666117098358.png

To configure a gateway on the Hub for the hub_spoke interface in the static route, net-device must be disabled in the VPN phase1-interface.

 

config vpn ipsec phase1-interface
    edit <phase1-name>
        set net-device disable
    next
end

Note:

After net-device is disabled, a gateway can be configured on the static route only for a dialup tunnel, not for a normal IPsec VPN.

The route appears on the Hub and the Spokes.

 

iskandar_lie_3-1666117242832.png

 

By default, 'exchange-interface-ip' is disabled.

As seen, 'virtual-interface-addr' does not contain the IP address of the peer's interface.

 

iskandar_lie_4-1666117736554.png

 

iskandar_lie_7-1666117751724.png

 

A spoke client cannot communicate with another spoke client.

iskandar_lie_8-1666117776574.png

Enable 'exchange-interface-ip' on the IPsec phase1-interface.

 

iskandar_lie_9-1666117790388.png

 

iskandar_lie_10-1666117797664.png

 

'virtual-interface-addr' now contains the IP address of the peer's interface.

 

iskandar_lie_11-1666117811447.png

 

iskandar_lie_13-1666117826247.png

 

With IKE debugging running ('diagnose debug application ike -1'), what happens in the backend can be seen:

'add INTERFACE-ADDR4 10.10.10.1'

'update peer route 0.0.0.0 --> 10.10.10.3'

iskandar_lie_14-1666117847620.png

Now both spoke clients can communicate with each other.

 

iskandar_lie_15-1666117863972.png

 

iskandar_lie_16-1666117868905.png
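The settings walked through above, collected into one Hub and one Spoke configuration as an added example (not the article's own config or screenshots). Interface names, the Hub public IP, the pre-shared key placeholder and the LAN subnets are assumptions; the 10.10.10.x tunnel addresses follow the debug output shown above.

```fortios
# Hub: dialup phase1 with net-device disabled and exchange-interface-ip enabled
config vpn ipsec phase1-interface
    edit "hub_spoke"
        set type dynamic
        set interface "port1"              # assumed WAN interface
        set net-device disable             # lets the static route carry a gateway
        set exchange-interface-ip enable   # spokes learn each other's tunnel IP via the Hub
        set psksecret <PRE-SHARED-KEY>     # placeholder
    next
end
config system interface
    edit "hub_spoke"
        set ip 10.10.10.1 255.255.255.255          # Hub tunnel IP (every IPsec interface needs one)
        set remote-ip 10.10.10.254 255.255.255.0   # assumed overlay subnet
    next
end
# Hub static routes, one per spoke LAN, each pointing at that spoke's tunnel IP
config router static
    edit 1
        set dst 192.168.2.0 255.255.255.0          # SpokeA LAN (constructed)
        set device "hub_spoke"
        set gateway 10.10.10.2                     # SpokeA tunnel IP (assumed)
    next
    edit 2
        set dst 192.168.3.0 255.255.255.0          # SpokeB LAN (constructed)
        set device "hub_spoke"
        set gateway 10.10.10.3                     # SpokeB tunnel IP
    next
end
# SpokeA: static phase1 to the Hub; its route needs no gateway (see the Note above)
config vpn ipsec phase1-interface
    edit "spoke_hub"
        set interface "port1"
        set remote-gw 203.0.113.1                  # Hub public IP (placeholder)
        set exchange-interface-ip enable
        set psksecret <PRE-SHARED-KEY>
    next
end
config system interface
    edit "spoke_hub"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end
config router static
    edit 1
        set dst 192.168.3.0 255.255.255.0          # SpokeB LAN, reached via the Hub
        set device "spoke_hub"
    next
end
```

Firewall policies (LAN to tunnel on each device, and hub_spoke to hub_spoke on the Hub for spoke-to-spoke traffic) are still required and are not shown here.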

 

Conclusion:

  1. This scenario is suitable for a simple environment where not too many nodes need to be maintained.
  2. This scenario can be an alternative for users who are not familiar with dynamic routing protocols.
  3. Using static routes instead of dynamic routing saves the device's CPU and memory resources.

Tested on: FortiGate v7.0.6

 

Fortinet Documentation:

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/523447/configure-dial-up-dynamic-vpn

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/791036/vpn-ipsec-phase1-interface-p...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-net-device-new-route-based-IPsec-logic...

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/239039/dynamic-tunnel-interf...

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/390427/configure-bgp

https://community.fortinet.com/t5/FortiGate/Technical-Tip-ADVPN-with-BGP-as-the-routing-protocol/ta-...