Lovepreet_Dhillon
Article Id 241025
Description

This article describes a use case with Network-IDs to establish multiple ADVPN Shortcut tunnels between the same underlay IPs on spokes.

Scope: FortiOS.
Solution

Requirements: CLI and IKEv2.

 

Without the network-id setting, no more than one overlay tunnel can be established over the same pair of underlay IP addresses:

FGT-A(192.0.2.1)----------IPSec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------IPSec2-------(203.0.113.2)FGT-B <----- Not possible

With the network-id setting, multiple overlay tunnels over the same pair of underlay IP addresses are possible:

FGT-A(192.0.2.1)----------IPSec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------IPSec2-------(203.0.113.2)FGT-B <----- Possible


Use case of Network IDs:

With ADVPN, Network IDs can be leveraged to configure multiple shortcut tunnels between branches that only have a single ISP:

Branch1(port1:x.x.x.x)---advpn1---(port1:y.y.y.y)Branch2
Branch1(port1:x.x.x.x)---advpn2---(port1:y.y.y.y)Branch2

Example:

  1. Branch1 and Branch2 each have a single Internet access (ISP), and the Hub has two ISPs.
  2. Two overlay tunnels, advpn1 and advpn2, are built between each Branch and the Hub.


  1. Initially, traffic from Branch1 to Branch2 passes via B1---advpn1---HUB---advpn1---B2.
  2. The Hub facilitates a shortcut tunnel negotiation between Branch1 and Branch2 over advpn1.
  • A shortcut tunnel over advpn1 is established between Branch1 and Branch2: B1(port1)==Shortcut_advpn1==(port1)B2.
  • Traffic from Branch1 to Branch2 now traverses Shortcut_advpn1.


  1. If ISP-1 on the Hub goes down:
  • The parent tunnel between Hub(ISP-1) and Branch1 goes down, and the same happens between Hub(ISP-1) and Branch2.
  • However, the shortcut tunnel B1(port1)====Shortcut_advpn1====(port1)B2 stays up, as the lifetime of an ADVPN shortcut is independent of the lifetime of its original parent tunnel.
  • The Branch1↔Hub and Branch2↔Hub BGP peerings over advpn1 go down.


  1. Routing between B1 and B2 converges over advpn2 via the Hub:
  • Traffic from B1 to B2 flows through the Hub, since there is no shortcut yet between B1 and B2 over advpn2.


  1. The Hub tries to facilitate a shortcut tunnel between Branch1 and Branch2 over advpn2.

If Network-id is configured: a shortcut over advpn2 is established between Branch1 and Branch2:

  • Shortcuts for advpn2 and advpn1 are both established over the same underlay IP addresses, Branch1/port1 ↔ Branch2/port1.
  • These two 'overlapping' shortcuts can be established simultaneously because a different network-id is configured for each overlay tunnel.
  • After routing has converged, traffic flows through the advpn2 shortcut:

B1(port1:x.x.x.x)---Shortcut_advpn1---(port1:y.y.y.y)B2
B1(port1:x.x.x.x)---Shortcut_advpn2---(port1:y.y.y.y)B2


If Network-id is not configured: the shortcut offer over advpn2 is ignored by Branch1 and Branch2.

  • A shortcut (advpn1) already exists over the same underlay IP addresses, Branch1/port1 ↔ Branch2/port1, and two 'overlapping' shortcuts cannot be established simultaneously without a different network-id configured for each overlay tunnel.
  • As long as the advpn1 shortcut is up, any traffic Branch1 sends to Branch2 over advpn2 goes through the Hub, as no shortcut tunnel between the Branches will be established over advpn2.


Network ID configuration.

On the Hub side:

config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set network-overlay enable
        set network-id 1
        ...
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set network-overlay enable
        set network-id 2
        ...
    next
end


On the Spokes:

config vpn ipsec phase1-interface
    edit "advpn1"
        set ike-version 2
        set interface "port1"
        set remote-gw x.x.x.x
        set network-overlay enable
        set network-id 1
        ...
    next
    edit "advpn2"
        set ike-version 2
        set interface "port1"
        set remote-gw y.y.y.y
        set network-overlay enable
        set network-id 2
        ...
    next
end


Notes:

  • IKEv1 does not support Network IDs.
  • For IKEv1 shortcut tunnels, dependency can be enabled so that once the parent tunnel goes down, the shortcut tunnel over that parent tunnel also goes down.
  • Make sure the network IDs match between the spoke and hub firewalls; if the network ID does not match, the tunnel will be established against a different tunnel than intended.
  • With the network ID on IKEv2, it is possible to have multiple shortcuts between two spokes, even if each Spoke has only a single Internet access.
  • The network ID is not taken into account during shortcut (spoke-to-spoke tunnel) negotiation: Spoke B1, which connects to the Hub via network-id 1, can negotiate a direct shortcut tunnel with Spoke B2, which connects to the same Hub via network-id 2.
  • The network ID is an overlay ID and not an ADVPN domain ID; it allows cross-overlay shortcuts.
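As an added example (not from this article and not Fortinet code), the following Python script parses phase1-interface configuration in the CLI text form shown above and checks the points raised in the Notes: IKEv2 is required wherever a network-id is set, overlays that share one spoke interface carry distinct network-ids so their overlapping shortcuts can coexist, and every spoke network-id exists on the hub. The comparison of same-named hub and spoke tunnels assumes the naming convention used in this article (advpn1/advpn2 on both sides). The embedded hub and spoke configs are constructed samples, with documentation addresses standing in for x.x.x.x and y.y.y.y.

```python
import re
from collections import defaultdict

# Constructed sample configs mirroring the article's hub/spoke layout (not a real device dump).
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set network-overlay enable
        set network-id 1
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set network-overlay enable
        set network-id 2
    next
end
"""

SPOKE_CONFIG = """
config vpn ipsec phase1-interface
    edit "advpn1"
        set ike-version 2
        set interface "port1"
        set remote-gw 192.0.2.1
        set network-overlay enable
        set network-id 1
    next
    edit "advpn2"
        set ike-version 2
        set interface "port1"
        set remote-gw 198.51.100.1
        set network-overlay enable
        set network-id 2
    next
end
"""

_EDIT = re.compile(r'^edit\s+"?([^"]+?)"?$')
_SET = re.compile(r'^set\s+(\S+)\s+(.+)$')

def parse_phase1(text):
    """Parse FortiOS 'edit ... set ... next' blocks into {tunnel_name: {setting: value}}."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _EDIT.match(line):
            current = m.group(1)
            tunnels[current] = {}
        elif line in ("next", "end"):
            current = None
        elif current is not None and (m := _SET.match(line)):
            tunnels[current][m.group(1)] = m.group(2).strip().strip('"')
    return tunnels

def check_network_ids(spoke, hub):
    """Return problem strings for a spoke config checked against its hub; [] means consistent."""
    problems = []
    hub_ids = {t.get("network-id") for t in hub.values() if t.get("network-overlay") == "enable"}
    for name, t in spoke.items():
        if t.get("network-overlay") != "enable":
            continue
        nid = t.get("network-id")
        # IKEv1 does not support network IDs.
        if t.get("ike-version") != "2":
            problems.append(f"{name}: network-id requires ike-version 2 (found {t.get('ike-version', 'unset')})")
        # An id the hub does not know lands the tunnel on a different phase1 than intended.
        if nid not in hub_ids:
            problems.append(f"{name}: network-id {nid} not configured on hub")
        # Same-named hub tunnel should carry the same id (assumes the article's naming convention).
        peer = hub.get(name)
        if peer is not None and peer.get("network-id") != nid:
            problems.append(f"{name}: network-id {nid} differs from hub {name} ({peer.get('network-id')})")
    # Overlays on one spoke interface form shortcuts over the same underlay IP pair,
    # so each needs its own network-id for the overlapping shortcuts to coexist.
    by_interface = defaultdict(list)
    for name, t in spoke.items():
        by_interface[t.get("interface")].append(name)
    for iface, names in by_interface.items():
        if len(names) < 2:
            continue
        seen = {}
        for name in names:
            t = spoke[name]
            nid = t.get("network-id") if t.get("network-overlay") == "enable" else None
            if nid is None:
                problems.append(f"{name}: shares {iface} with other overlays but has no network-id")
            elif nid in seen:
                problems.append(f"{name}: network-id {nid} duplicates {seen[nid]} on {iface}")
            else:
                seen[nid] = name
    return problems

if __name__ == "__main__":
    issues = check_network_ids(parse_phase1(SPOKE_CONFIG), parse_phase1(HUB_CONFIG))
    print("OK: network-ids consistent" if not issues else "\n".join(issues))
```

Run it against a `show vpn ipsec phase1-interface` dump pasted into the two strings; an empty result means the spoke's overlays are eligible for overlapping shortcuts as described above, while each reported line points at the tunnel whose network-id, IKE version or hub counterpart needs attention.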