This article describes the best practice for the HUB in an ADVPN scenario with multiple overlays. The focus is on the HUB because ADVPN with SD-WAN on the HUB is not supported at the time of writing.
Which shortcuts are formed depends on the routing decisions made by the HUB.
ADVPN with multiple overlays.
In this example, the HUB has two ADVPN tunnels, advpn and advpn_b, so it has two routes to each spoke subnet to choose from.
With the default behavior, when Spoke1 (192.168.1.0/24) sends traffic to Spoke2 (192.168.2.0/24), the HUB receives it on one of the two tunnels (which one depends on the routing selection of Spoke1). The outgoing route that the HUB selects depends on the load-balancing algorithm, which is most often source-IP based. In a normal scenario this is sufficient if the traffic is expected to keep flowing through the HUB.
In the ADVPN scenario, however, a shortcut is expected to be formed. The shortcut is formed between the incoming interface and the outgoing interface that the HUB selects, so the goal is to keep the likelihood and efficiency of shortcuts as high as possible.
Sometimes one ADVPN tunnel runs over the Internet and the second over MPLS. In that case a shortcut between the two overlays will not be formed, because MPLS addresses are usually not routable over the Internet. With two different ISPs the cross-overlay traffic will work, but it may be more expensive or have higher latency.
The result of the policy route is that the FortiGate honors the decision of the spoke that sends the traffic and uses the same overlay for the outgoing traffic: if the traffic arrives on the advpn interface, it is forwarded via advpn.
Because this is a policy route, it only takes effect when there is a valid route in the routing table. If the destination spoke has only one overlay up, for example advpn_b, the HUB falls back to the routing table. Since the traffic otherwise stays on the same overlay, the chance of a successful shortcut is higher.
In v7.2.5+ and v7.4.0, a new command 'set auto-discovery-crossover' was introduced, with the options allow (default) and block.
It is added under the 'config vpn ipsec phase1-interface' configuration to block or allow (default) the setup of shortcut tunnels between different network IDs.
If the desired action is to restrict shortcuts between different overlays, use the configuration below:
config vpn ipsec phase1-interface
    edit "advpn"
        set auto-discovery-crossover block
    next
    edit "advpn_b"
        set auto-discovery-crossover block
    next
end
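As an added illustration (not from the original article or FortiOS itself), the following Python model mimics the HUB decision described above: keep traffic on the incoming overlay when that overlay has a valid route to the destination, otherwise fall back to the routing table, and report whether a shortcut can form under the auto-discovery-crossover setting. The routing-table contents and the fallback rule (first remaining overlay) are constructed assumptions standing in for the real load-balancing choice.

```python
from dataclasses import dataclass, field


@dataclass
class Hub:
    """Constructed model of a HUB with two ADVPN overlays (advpn, advpn_b)."""
    # destination prefix -> set of overlay interfaces that hold a valid route
    routes: dict = field(default_factory=dict)
    # auto-discovery-crossover: "allow" (default) or "block"
    crossover: str = "allow"

    def select_egress(self, in_if: str, dst: str) -> str:
        """Outgoing overlay for traffic that arrived on in_if.

        Policy route: stay on the incoming overlay while it has a valid route.
        Fallback: the routing table (modelled as the first overlay by name)."""
        candidates = self.routes.get(dst, set())
        if not candidates:
            raise LookupError(f"no route to {dst}")
        if in_if in candidates:
            return in_if
        return sorted(candidates)[0]

    def shortcut_forms(self, in_if: str, out_if: str) -> bool:
        """Same overlay in and out always allows a shortcut; a cross-overlay
        shortcut is only offered when crossover is left at allow (default)."""
        if in_if == out_if:
            return True
        return self.crossover == "allow"

    def forward(self, in_if: str, dst: str) -> tuple:
        """Return (outgoing overlay, whether a shortcut can be formed)."""
        out_if = self.select_egress(in_if, dst)
        return out_if, self.shortcut_forms(in_if, out_if)


if __name__ == "__main__":
    # Constructed routing table: Spoke2 reachable via both overlays,
    # Spoke3 reachable via advpn_b only.
    hub = Hub(routes={"192.168.2.0/24": {"advpn", "advpn_b"},
                      "192.168.3.0/24": {"advpn_b"}})
    print(hub.forward("advpn", "192.168.2.0/24"))    # stays on advpn
    print(hub.forward("advpn", "192.168.3.0/24"))    # falls back to advpn_b
    blocked = Hub(routes=hub.routes, crossover="block")
    print(blocked.forward("advpn", "192.168.3.0/24"))  # no cross-overlay shortcut
```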
Copyright 2025 Fortinet, Inc. All Rights Reserved.