The topology consists of two FortiGates in a hub and spoke topology:

While the VPN tunnel IP addresses (aka 'overlay IPs') of the spoke can be assigned manually, a more scalable solution for larger environments is to utilize IKE mode-config for dynamic address assignment. IKE mode-config will be used in this example deployment.
Configuration on the Hub:
IPsec Tunnel Interface configuration:
config system interface
    edit 'TO_SPOKES'
        set vdom 'root'
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0
        set interface 'port7'
    next
end
Notes:
- The Hub is assigned a manual fixed address with a /32 subnet mask (set ip x.x.x.x 255.255.255.255), whereas the Spokes will receive IP addresses dynamically from the Hub after connecting to the VPN.
- The address for remote-ip does not technically matter, as its function is to instruct the Hub FortiGate about the general subnet associated with the tunnel interface (e.g., 10.10.10.0/24 in the above setting). The last IP address of the subnet range is specified here (e.g., 10.10.10.254).
IPsec VPN configuration:
config vpn ipsec phase1-interface
    edit 'TO_SPOKES'
        set type dynamic
        set interface 'port7'
        set keylife 3600
        set mode aggressive
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set mode-cfg enable                    <----- Enable the Hub to assign IP addresses to Spokes.
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 14
        set tunnel-search nexthop              <----- Deprecated in v7.0.1+ (no need to set this manually).
        set ipv4-start-ip 10.10.10.2           <----- Specify the address pool and subnet mask for mode-config.
        set ipv4-end-ip 10.10.10.253
        set ipv4-netmask 255.255.255.0
        set psksecret ENC my_encrypted_password
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit 'TO_SPOKES'
        set phase1name 'TO_SPOKES'
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 1800
    next
end
Notes:
- For more information on the net-device option, refer to the following KB article: Technical Tip: Understanding the net-device feature in FortiGate ADVPN Implementation
- With net-device enable, mode-config allocates a /30 subnet per dialup client if the Hub has no tunnel IP statically assigned (one IP for the Hub's VPN kernel interface, one for the Spoke, and the remaining two for the network and broadcast addresses). This consumes four IPs from the mode-config pool per Spoke instead of one, so set net-device disable (as in this article) and statically assign an address to the Hub tunnel interface to avoid it.
- The exchange-interface-ip setting allows FortiGate peers to advertise their assigned tunnel interface IPs to each other. This adds the connected/static routes between the peers that dynamic routing (BGP, OSPF, etc.) requires to function correctly.
- The add-route disable option prevents routes from being automatically added based on Phase 2 selectors (useful to avoid routing conflicts with OSPF and other dynamic routing protocols).
OSPF configuration:
config router ospf
    set router-id 10.10.10.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit 'TO_SPOKES'
            set interface 'TO_SPOKES'
            set dead-interval 40
            set hello-interval 10
            set mtu-ignore enable              <----- Optional (set on Hub and Spokes if the IPsec interface MTU does not match).
            set network-type point-to-multipoint
        next
    end
    config network
        edit 1
            set prefix 172.16.103.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0    <----- Enable OSPF for the VPN overlay subnet.
        next
    end
end
Notes:
- It is mandatory to set the hello-interval and dead-interval on the Hub's ospf-interface configuration entry since the default interval settings for network-type point-to-multipoint are different from network-type point-to-point used on the Spoke FortiGates (30 hello/120 dead vs. 10 hello/40 dead respectively). If these intervals do not match between Hub and Spoke then OSPF neighborships will not establish (they will not even enter the Init state).
- The network-type point-to-multipoint is necessary for the Hub FortiGate since the singular dial-up tunnel breaks out to multiple point-to-point connections with the Spokes. It is not necessary to configure entries under the config neighbor sub-section for this deployment.
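The two Hub notes above that are easiest to get wrong (the mode-config pool being consumed four addresses per Spoke under net-device enable, and the hello/dead intervals having to match the Spokes' point-to-point defaults) can both be checked mechanically before pushing a config. The following is an added example, not Fortinet code or part of the original article: a minimal parser for the FortiOS CLI shape used on this page (config/edit/set/next/end) plus two checks. The config excerpts are constructed from the values on the page, the per-Spoke cost of 4 addresses with net-device enable is taken from the article's /30 description, and the pool capacity is computed as simple integer division (an assumption; FortiOS alignment details are not on the page).

```python
import ipaddress
import shlex

# Constructed excerpt of the Hub configuration from the article (values as on the page).
HUB_CONFIG = """\
config vpn ipsec phase1-interface
    edit 'TO_SPOKES'
        set type dynamic
        set net-device disable
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.2
        set ipv4-end-ip 10.10.10.253
        set ipv4-netmask 255.255.255.0
    next
end
config router ospf
    config ospf-interface
        edit 'TO_SPOKES'
            set interface 'TO_SPOKES'
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-multipoint
        next
    end
end
"""

# Constructed excerpt of the Spoke OSPF configuration (no explicit timers, as on the page).
SPOKE_CONFIG = """\
config router ospf
    config ospf-interface
        edit 'TO_HUB'
            set interface 'TO_HUB'
            set network-type point-to-point
        next
    end
end
"""

# OSPF (hello, dead) defaults per network type, as stated in the article.
OSPF_DEFAULT_TIMERS = {
    "point-to-multipoint": (30, 120),
    "point-to-point": (10, 40),
}


def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts.

    'config X' and 'edit Y' each open a nested dict, 'set K V' stores V
    (a string, or a list when several values follow), and 'next'/'end'
    close the current level. Quotes around names are handled by shlex.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def mode_cfg_spoke_capacity(phase1, hub_has_static_tunnel_ip=True):
    """Number of Spokes the mode-config pool can serve.

    With net-device enable and no static Hub tunnel IP, each dialup client
    is handed a /30 (4 addresses); otherwise one address per Spoke.
    """
    start = ipaddress.IPv4Address(phase1["ipv4-start-ip"])
    end = ipaddress.IPv4Address(phase1["ipv4-end-ip"])
    pool_size = int(end) - int(start) + 1
    per_spoke = 4 if (phase1.get("net-device") == "enable"
                      and not hub_has_static_tunnel_ip) else 1
    return pool_size // per_spoke  # assumption: no alignment waste modelled


def ospf_timers(iface_cfg):
    """Effective (hello, dead) for an ospf-interface entry: explicit
    hello-interval/dead-interval override the network-type defaults."""
    hello, dead = OSPF_DEFAULT_TIMERS[iface_cfg["network-type"]]
    return (int(iface_cfg.get("hello-interval", hello)),
            int(iface_cfg.get("dead-interval", dead)))


def ospf_timers_match(hub_iface, spoke_iface):
    """True when Hub and Spoke will agree on hello/dead (a precondition
    for the neighborship to reach even the Init state)."""
    return ospf_timers(hub_iface) == ospf_timers(spoke_iface)


if __name__ == "__main__":
    hub, spoke = parse_fortios(HUB_CONFIG), parse_fortios(SPOKE_CONFIG)
    p1 = hub["vpn ipsec phase1-interface"]["TO_SPOKES"]
    hub_if = hub["router ospf"]["ospf-interface"]["TO_SPOKES"]
    spoke_if = spoke["router ospf"]["ospf-interface"]["TO_HUB"]
    print("spokes supported by pool:", mode_cfg_spoke_capacity(p1))
    print("hub timers:", ospf_timers(hub_if), "spoke timers:", ospf_timers(spoke_if))
    print("timers match:", ospf_timers_match(hub_if, spoke_if))
```

Dropping the explicit hello-interval/dead-interval from the Hub entry makes ospf_timers return the point-to-multipoint defaults (30, 120), and ospf_timers_match then reports the mismatch the note warns about; flipping net-device to enable without a static Hub IP cuts the pool from 252 Spokes to 63.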
Configuration on the Spoke:
IPsec Tunnel Interface configuration:
config system interface
    edit 'TO_HUB'
        set vdom 'root'
        set allowaccess ping
        set type tunnel
        set interface 'port6'
    next
end
Note:
There is no need for manual IP address assignment on the Spokes since the Hub FortiGate will dynamically assign an IP address via mode-config.
IPsec VPN configuration:
config vpn ipsec phase1-interface
    edit 'TO_HUB'
        set interface 'port6'
        set keylife 3600
        set mode aggressive
        set peertype any
        set net-device enable                  <----- See Notes below.
        set exchange-interface-ip enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 14
        set remote-gw 192.168.103.1
        set psksecret ENC my_encrypted_password
    next
end
config vpn ipsec phase2-interface
    edit 'TO_HUB'
        set phase1name 'TO_HUB'
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable              <----- The Spoke brings up Phase 2 automatically without waiting for user traffic.
        set keylifeseconds 1800
    next
end
Notes:
- For Spokes, net-device must be set to enable when using SD-WAN and ADVPN, as SD-WAN relies on separate kernel interfaces being created for the VPN shortcut tunnels to function properly.
- In this scenario, there is no ADVPN being utilized (just a more simplistic hub-and-spoke topology), and so net-device can be safely set to disable if preferred (though there is no downside to using net-device enable on the Spokes).
OSPF configuration:
config router ospf
    set router-id 10.10.10.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit 'TO_HUB'
            set interface 'TO_HUB'
            set mtu-ignore enable              <----- Optional (set on Hub and Spokes if the IPsec interface MTU does not match).
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 172.16.104.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0    <----- Enable OSPF for the VPN overlay subnet.
        next
    end
end
Note:
Spokes are set to network-type point-to-point since they only form neighborships back to the Hub FortiGate (the dialup VPN is a non-broadcast network, and so Spokes will not form neighborships with other Spokes).
Result:
Once the above configurations are applied to the Hub and Spoke, the Spoke FortiGates will be able to:
- Establish an IPsec tunnel.
- Receive an IP address dynamically from the Hub FortiGate.
- Establish a Full OSPF neighborship via Multicast to the Hub FortiGate.
get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   Full/ -         00:00:39    10.10.10.2      TO_SPOKES
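For ongoing verification that every Spoke stays in the Full state, the neighbor table above is simple enough to parse. This is an added example, not part of the article: it parses get router info ospf neighbor output into records and lists Spokes on the Hub's tunnel interface that are not Full. The sample output is constructed; its first row mirrors the article's result and the second row is an invented neighbor stuck in ExStart (the state one would see on a Hub whose neighbor never completes database exchange).

```python
import re

# Constructed sample: first row is the article's result, second row is invented.
SAMPLE_NEIGHBOR_OUTPUT = """\
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        1   Full/ -         00:00:39    10.10.10.2      TO_SPOKES
10.10.10.3        1   ExStart/ -      00:00:12    10.10.10.3      TO_SPOKES
"""

# One neighbor row. The State column is "<state>/<role>" and the role may be
# separated from the slash by a space (as in "Full/ -"), so it is matched as a unit.
ROW_RE = re.compile(
    r"^(?P<neighbor_id>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pri>\d+)\s+"
    r"(?P<state>\S+/\s*\S+)\s+"
    r"(?P<dead>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<address>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<interface>\S+)\s*$"
)


def parse_ospf_neighbors(output):
    """Return one dict per neighbor row; header and banner lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        fields = match.groupdict()
        state, role = fields["state"].split("/", 1)
        hours, minutes, seconds = (int(x) for x in fields["dead"].split(":"))
        rows.append({
            "neighbor_id": fields["neighbor_id"],
            "priority": int(fields["pri"]),
            "state": state,
            "role": role.strip(),
            "dead_seconds": hours * 3600 + minutes * 60 + seconds,
            "address": fields["address"],
            "interface": fields["interface"],
        })
    return rows


def spokes_not_full(output, interface="TO_SPOKES"):
    """Neighbor IDs on the given tunnel interface whose state is not Full."""
    return [n["neighbor_id"] for n in parse_ospf_neighbors(output)
            if n["interface"] == interface and n["state"] != "Full"]


if __name__ == "__main__":
    for neighbor in parse_ospf_neighbors(SAMPLE_NEIGHBOR_OUTPUT):
        print(neighbor)
    print("not Full:", spokes_not_full(SAMPLE_NEIGHBOR_OUTPUT))
```

Because the Hub's dead-interval is 40 seconds in this design, a healthy row will always show a Dead Time at or below 00:00:40, as the article's 00:00:39 does; dead_seconds is exposed so that comparison can be made alongside the state check.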