Created on 12-26-2022 11:30 PM Edited on 12-11-2023 08:27 AM By Stephen_G
Description |
This article describes a use case with Network-IDs to establish multiple ADVPN Shortcut tunnels between the same underlay IPs on spokes. |
Scope | FortiOS. |
Solution |
Requirements: CLI and IKEv2.
Without network-id, no more than one overlay tunnel can be established between the same pair of underlay IP addresses:
FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B   <- Not possible.
With network-id, multiple overlay tunnels over the same pair of underlay IP addresses are possible, because each tunnel is additionally identified by its network-id (the network-id must match on both peers):
FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B   <- Possible.
Use case of Network-IDs: With ADVPN, the network-ids can be used to configure multiple shortcut tunnels (one per hub overlay) on branches that have only a single ISP, i.e. a single underlay IP address:
Branch1(port1:x.x.x.x)---Advpn1---(port:y.y.y.y) Branch2
Branch1(port1:x.x.x.x)---Advpn2---(port:y.y.y.y) Branch2
Example:
B1(port1:x.x.x.x)---Shortcut_advpn1---(port:y.y.y.y) B2
B1(port1:x.x.x.x)---Shortcut_advpn2---(port:y.y.y.y) B2
If network-id is not configured, only one shortcut can exist between the same pair of branch IP addresses, so the shortcut offer over advpn2 is ignored by Branch1 and Branch2.
Network-ID configuration. On the Hub side (one overlay per WAN interface, each with its own network-id):
config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set network-overlay enable
        set network-id 1
        ...
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set network-overlay enable
        set network-id 2
        ...
    next
end
On the Spokes (both overlays leave the same port1; remote-gw and network-id differ, and each network-id must match the hub's definition for that overlay):
config vpn ipsec phase1-interface
    edit "advpn1"
        set ike-version 2
        set interface "port1"
        set remote-gw x.x.x.x
        set network-overlay enable
        set network-id 1
        ...
    next
    edit "advpn2"
        set ike-version 2
        set interface "port1"
        set remote-gw y.y.y.y
        set network-overlay enable
        set network-id 2
        ...
    next
end
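As a complete worked example that is added here and is not part of the original article: a hub with two ISP links (port1 192.0.2.1 and port2 203.0.113.1) and two single-ISP branches, B1 and B2, each building both overlays from its single port1 address. The interface names, addresses, pre-shared secret placeholder and proposal are assumptions for illustration, and the routing over the overlays (for example BGP), which ADVPN needs before it can offer a shortcut, is not shown. The point to check is that the two phase1 definitions on each spoke differ only in remote-gw and network-id, and that each network-id equals the hub's value for the same overlay.

```fortios
# ---- Hub (dual ISP): one dynamic phase1 per WAN interface, each with its own network-id
config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"              # 192.0.2.1 (assumed)
        set ike-version 2                  # network-overlay requires IKEv2
        set peertype any
        set net-device disable
        set proposal aes256-sha256         # assumed proposal
        set add-route disable
        set auto-discovery-sender enable   # hub offers shortcuts to spokes
        set network-overlay enable
        set network-id 1
        set psksecret <shared-secret>      # placeholder
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"              # 203.0.113.1 (assumed)
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2                   # different id: second overlay, second WAN
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal aes256-sha256
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal aes256-sha256
    next
end

# ---- Spoke B1 (single ISP, port1); B2 is identical apart from its own port1 address
config vpn ipsec phase1-interface
    edit "advpn1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable  # spoke accepts shortcut offers
        set network-overlay enable
        set network-id 1                    # must equal the hub's advpn1 id
        set remote-gw 192.0.2.1             # hub port1 (assumed)
        set psksecret <shared-secret>
    next
    edit "advpn2"
        set interface "port1"               # same underlay interface and IP as advpn1
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 2                    # must equal the hub's advpn2 id
        set remote-gw 203.0.113.1           # hub port2 (assumed)
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

# ---- Verification on B1 after B1<->B2 traffic has flowed over both overlays
diagnose vpn ike gateway list      # expect two shortcut gateways to B2's single IP, one per network-id
diagnose vpn tunnel list           # expect both shortcut tunnels (named after their parent phase1) up
```

If only one shortcut comes up, compare the network-id on each end of the overlay in question (a mismatch leaves the second tunnel unidentifiable by the responder) and confirm ike-version 2 on both sides; `diagnose debug application ike -1` together with `diagnose debug enable` shows the IKEv2 negotiation for the failing shortcut.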
Copyright 2024 Fortinet, Inc. All Rights Reserved.