Description:
This article describes the use case of Network-IDs to establish multiple ADVPN shortcut tunnels between the same underlay IPs on spokes.
Scope: FortiOS.
Solution:
Requirements: CLI and IKEv2.
Without a network-id, no more than one overlay tunnel can be established between the same pair of underlay IP addresses:
FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B <---- Not possible
With a network-id, multiple overlay tunnels over the same pair of underlay IP addresses are possible:
FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B <---- Possible
Use case of Network-IDs: with ADVPN, network-ids can be leveraged to configure multiple shortcut tunnels on Branches that only have a single ISP:
Branch1(port1:x.x.x.x)---Advpn1---(port:y.y.y.y)Branch2
Branch1(port1:x.x.x.x)---Advpn2---(port:y.y.y.y)Branch2
Example:
1) Branch1 and Branch2 each have a single Internet access, and the Hub has two Internet accesses (ISPs).
2) Two overlay tunnels, Advpn1 and Advpn2, are built between each Branch and the Hub.
3) Initially, traffic from Branch1 to Branch2 passes via B1---Advpn1---HUB---Advpn1---B2.
4) The Hub facilitates a shortcut tunnel negotiation between Branch1 and Branch2 over Advpn1.
- A shortcut tunnel over Advpn1 is established between Branch1 and Branch2: B1(port1)==Shortcut_advpn1==(port1)B2.
- Traffic from Branch1 to Branch2 traverses Shortcut_advpn1.
5) If ISP-1 on the Hub goes down:
- The parent tunnel between Hub(ISP-1) and Branch1 goes down, and the same happens between Hub(ISP-1) and Branch2.
- However, the shortcut tunnel B1(port1)====Shortcut_advpn1====(port1)B2 stays up, as the lifetime of an ADVPN shortcut is independent of the lifetime of its original parent tunnel.
- The Branch1↔Hub and Branch2↔Hub BGP peerings over advpn1 go down.
6) Routing between B1 and B2 converges over advpn2 via the Hub:
- Traffic from B1 to B2 flows through the Hub, since there is no shortcut yet between B1 and B2 over advpn2.
7) The Hub tries to facilitate a shortcut tunnel between Branch1 and Branch2 over Advpn2.
If a network-id is configured: a shortcut over advpn2 is established between Branch1 and Branch2.
- Shortcuts for advpn2 and advpn1 are both established over the same underlay IP addresses, Branch1/port1 ↔ Branch2/port1.
- These two 'overlapping' shortcuts can be established simultaneously because a different network-id is configured for each overlay tunnel.
- After routing has converged, traffic flows through the advpn2 shortcut:
B1(port1:x.x.x.x)---Shortcut_advpn1---(port:y.y.y.y)B2
B1(port1:x.x.x.x)---Shortcut_advpn2---(port:y.y.y.y)B2
If a network-id is not configured: the shortcut offer over advpn2 is ignored by Branch1 and Branch2.
- A shortcut (advpn1) already exists over the same underlay IP addresses, Branch1/port1 ↔ Branch2/port1. Two 'overlapping' shortcuts cannot be established simultaneously without configuring a different network-id for each overlay tunnel.
- As long as the Advpn1 shortcut is up, any traffic Branch1 sends to Branch2 over Advpn2 goes via the Hub, as no shortcut tunnel between the two Branches is established over Advpn2.
Network-IDs configuration.
On Hub side:
# config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set network-overlay enable
        set network-id 1
        ...
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set network-overlay enable
        set network-id 2
        ...
    next
end
On Spokes:
# config vpn ipsec phase1-interface
    edit "advpn1"
        set ike-version 2
        set interface "port1"
        set remote-gw x.x.x.x
        set network-overlay enable
        set network-id 1
        ...
    next
    edit "advpn2"
        set ike-version 2
        set interface "port1"
        set remote-gw y.y.y.y
        set network-overlay enable
        set network-id 2
        ...
    next
end
Notes:
- IKEv1 does not support Network-IDs.
- For IKEv1, shortcut tunnel dependency can be enabled so that once the parent tunnel goes down, the shortcut tunnel over that parent tunnel also goes down.
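As an added example (not part of this article and not FortiOS code), the following Python script parses a spoke's phase1-interface configuration in the CLI layout shown above and flags overlay tunnels on the same local interface whose shortcuts could not coexist: IKEv1, a missing network-overlay/network-id, or a duplicated network-id. It assumes that tunnels sharing a local interface will form shortcuts over the same underlay IP pair, and the sample configuration is constructed.

```python
from collections import defaultdict

# Constructed spoke config (assumed "show vpn ipsec phase1-interface" output); advpn2 lacks a network-id.
SPOKE_CONFIG = """config vpn ipsec phase1-interface
    edit "advpn1"
        set ike-version 2
        set interface "port1"
        set remote-gw x.x.x.x
        set network-overlay enable
        set network-id 1
    next
    edit "advpn2"
        set ike-version 2
        set interface "port1"
        set remote-gw y.y.y.y
    next
end"""

def parse_phase1(text):
    """Return {tunnel name: {setting: value}} for each 'edit' block."""
    tunnels, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith('edit "'):
            current = tunnels[line[6:-1]] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return tunnels

def check_network_ids(tunnels):
    """Flag overlays on the same local interface (their shortcuts would share one
    underlay IP pair) that cannot coexist: IKEv1, missing or duplicate network-id."""
    findings, by_iface = [], defaultdict(list)
    for name, cfg in tunnels.items():
        by_iface[cfg.get("interface")].append(name)
    for iface, names in by_iface.items():
        seen = {}
        for name in names if len(names) > 1 else []:   # a lone tunnel cannot collide
            cfg, nid = tunnels[name], tunnels[name].get("network-id")
            if cfg.get("ike-version", "1") != "2":      # FortiOS default is IKEv1
                findings.append(f"{name}: IKEv1 does not support network-id")
            elif cfg.get("network-overlay") != "enable" or nid is None:
                findings.append(f"{name}: no network-id, a second shortcut over {iface} is ignored")
            elif nid in seen:
                findings.append(f"{name}: network-id {nid} duplicates {seen[nid]}")
            seen.setdefault(nid, name)
    return findings
```

Running check_network_ids(parse_phase1(SPOKE_CONFIG)) reports advpn2, which would be the tunnel whose shortcut offer the branches ignore in step 7 above.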
Copyright 2023 Fortinet, Inc. All Rights Reserved.