Description
This article describes how to configure the setup of SD-WAN for ADVPN.
With this feature, SD-WAN service rules can utilize the shortcut VPN to forward traffic between spokes.
Previously, spoke-to-spoke traffic could only be forwarded by the hub, and could not take advantage of the ADVPN feature.
Scope
FortiGate.
Solution
This ADVPN with SD-WAN scenario uses two hubs.
Each spoke connects to two ISPs and establishes VPN tunnels with each hub.
SD-WAN is configured on the spokes and uses two VPN interfaces as members with rules to control traffic to other spokes via the ADVPN shortcut VPN interfaces.
To configure a hub:
- Configure the IPsec tunnel interfaces. The proposal lists below are examples: 3DES and SHA-1 are present only for legacy interoperability and should be removed where the spokes support AES/SHA-256, and 'sample' is a placeholder for a strong, unique pre-shared key.
config vpn ipsec phase1-interface
edit "advpn-hub"
set type dynamic
set interface "port9"
set peertype any
set net-device disable <----- Recommended to 'disable' on the hub (no additional tunnel interface is needed there)
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set add-route disable
set dpd on-idle
set auto-discovery-sender enable <----- Required to send shortcuts to the Spokes
set tunnel-search nexthop
set psksecret sample
set dpd-retryinterval 5
next
end
Note: The 'tunnel-search' option is no longer available in 7.0.0 and later, because tunnels are now identified by a tunnel ID that is referenced in the routing table. See:
Dedicated tunnel ID for IPsec tunnels.
config vpn ipsec phase2-interface
edit "advpn-hub"
set phase1name "advpn-hub"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
next
end
- Configure firewall policies:
config firewall policy
edit 1
set name "spoke2hub"
set srcintf "advpn-hub"
set dstintf "port10"
set srcaddr "all"
set dstaddr "11.11.11.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "spoke2spoke"
set srcintf "advpn-hub"
set dstintf "advpn-hub"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
- Configure the VPN interface:
config system interface
edit "advpn-hub"
set ip 10.10.100.254 255.255.255.255
set remote-ip 10.10.100.253 255.255.255.0
next
end
- Configure BGP:
config router bgp
set as 65412
set additional-path enable <----- Required to select/send multiple options for SD-WAN route manipulation
set additional-path-select 255 <----- Required to select/send multiple options for SD-WAN route manipulation
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65412
set route-reflector-client enable <----- Required to send received spoke routes to other spokes
set additional-path send <----- Sends multiple routes towards spokes
set adv-additional-path 255
next
end
config neighbor-range
edit 1
set prefix 10.10.100.0 255.255.255.0
set neighbor-group "advpn"
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
end
end
To configure a spoke:
- Configure the IPsec phase1 and phase2 interfaces (as on the hub, 'sample' is a placeholder pre-shared key and must match the hub's key):
config vpn ipsec phase1-interface
edit "spoke1"
set interface "wan1"
set peertype any
set net-device enable <----- Required to create an individual interface for each shortcut.
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable <----- Required to receive shortcut offers from the hub.
set remote-gw 11.1.1.11
set psksecret sample
set dpd-retryinterval 5
next
edit "spoke1-2"
set interface "wan2"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set remote-gw 11.1.2.11
set monitor "spoke1"
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "spoke1"
set phase1name "spoke1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "spoke1-2"
set phase1name "spoke1-2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
- Configure firewall policies:
config firewall policy
edit 1
set name "outbound_advpn"
set srcintf "internal"
set dstintf "spoke1" "spoke1-2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "inbound_advpn"
set srcintf "spoke1" "spoke1-2"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
- Configure the VPN interfaces:
config system interface
edit "spoke1"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
edit "spoke1-2"
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end
- Configure BGP:
config router bgp
set as 65412
set ibgp-multipath enable <----- Installs multiple ECMP routes; required in order to use the multiple paths advertised by the hub's 'set additional-path-select 255'.
config neighbor
edit "10.10.100.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65412
set additional-path receive <----- Allows reception of multiple options/paths.
next
edit "10.10.200.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65412
set additional-path receive
next
end
config network
edit 1
set prefix 10.1.100.0 255.255.255.0
next
end
end
- Configure SD-WAN:
config system virtual-wan-link
set status enable
config members
edit 1
set interface "vd2-1"
next
edit 2
set interface "vd2-2"
next
end
config health-check
edit "ping"
set server "11.11.11.11"
set members 1 2
next
end
config service
edit 1
set member 1 <----- SD-WAN member ID. In this example, it is 'vd2-1'.
set dst "x.x.x.x" <----- Placeholder for the destination network that will be routed via this member.
next
edit 2
set member 2 <----- SD-WAN member ID. In this example, it is 'vd2-2'.
set dst "y.y.y.y" <----- Placeholder for the destination network that will be routed via this member.
next
end
end
Notes:
When 'virtual-wan-link' is used for WAN load balancing with SD-WAN and the Fabric Overlay Orchestrator (FOO) is applied afterwards, FOO creates an additional SD-WAN zone. The SD-WAN rules must therefore be in the correct order; otherwise traffic is routed incorrectly.
Related document:
SD-WAN Resource List