This article describes a use case with Network-IDs to establish multiple ADVPN Shortcut tunnels between the same underlay IPs on spokes.

Requirements: CLI and IKEv2.

Without network-id not more than one overlay tunnel can be established with the same pair of underlay IP addresses:

FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B

FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B <----- Not possible.

With network-id multiple overlay tunnels over the same pair of underlay IP addresses are possible.

FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B

FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B <----- Possible.

Use case of Network_IDs:

With ADVPN, it is possible to leverage the Network-ids to configure multiple shortcut tunnels on the Branches that only have single ISPs.

Branch1(port1:x.x.x.x)---Advpn1---(port:y.y.y.y) Branch2.

Branch1(port1:x.x.x.x)---Advpn2---(port:y.y.y.y) Branch2.

Example:

1. Branch1 and Branch2 have a single Internet access (ISP) and the Hub has two ISPs.
2. Two overlay tunnels are built between each Branch and the Hub Advpn1 and Advpn2.

3. Initially, traffic from the Branch1 to Branch2 will pass via B1---Advpn1---HUB--Advpn1--B2.
4. The Hub will facilitate a shortcut tunnel negotiation between Branch1 and Branch2 over Advpn1.

• A shortcut tunnel over Advpn1  is established between Branch1 and Branch2. B1(port1)==Shortcut_advpn1==(port1)B2.
• Traffic from the Branch1 to Branch2 will traverse over the Shortcut _Advpn1.

5. If ISP-1 on the HUB  goes down:

• The Parent tunnel between Hub(ISP-1) and Branch1 will go down and the same will happen between Hub(ISP-1) and Branch2.
• However, the Shortcut tunnel B1(port1)====Shortcut_advpn1====(port1)B2 will stay up as the lifetime of an ADVPN shortcut is independent of the lifetime of its original parent tunnel.
• Branch1↔Hub and Branch2↔Hub BGP peering over advpn1 go down.

6. Routing between B1 and B2 converge over advpn2 via the Hub:

• Traffic from B1 to B2 flows through the Hub since there is no shortcut yet between B1 and B2 over advpn2.

7. The Hub will try to facilitate a shortcut tunnel between Branch1 and Branch2 over Advpn2.
   If Network-id is configured: Shortcut over advpn2 will established between Branch1  and Branch2 over Advpn2:

• Shortcuts for advpn2 and advpn1 are both established over the same underlay IP addresses Branch1/port1 ↔ Branch2/port1.
• These two 'overlapping' shortcuts can be simultaneously established because different network-id are configured for each overlay tunnel.
• After routing has converged, traffic flows through the advpn2 shortcut:

B1(port1:x.x.x.x)---Shortcut_advpn1---(port:y.y.y.y) B2.

B1(port1:x.x.x.x)---Shortcut_advpn2---(port:y.y.y.y) B2.

If Network-id is not configured: Shortcut-offer over advpn2 is ignored by Branch1 and Branch2.

• Because there already exists a shortcut (advpn1) over the same underlay IP addresses Branch1/port1 ↔ Branch2/port1. Two 'overlapping' shortcuts cannot be simultaneously established without configuring different network-id for each overlay tunnel.
• As long as Advpn1 shortcut is up, if Branch1 sends any traffic to Branch2 over Advpn2, it will go through a hub as no shortcut tunnels between both Branches will be established over Advpn2

Network_IDs configuration.

On Hub side:

config vpn ipsec phase1-interface

    edit "advpn1"

        set type dynamic

        set interface "port1"

        set ike-version 2

        set network-overlay enable

        set network-id 1

        ...

    next

    edit "advpn2"

        set type dynamic

        set interface "port2"

        set ike-version 2

        set network-overlay enable

        set network-id 2

        ...

    next

end

On Spokes:

config vpn ipsec phase1-interface

    edit "advpn1"

        set ike-version 2

        set interface "port1"

        set remote-gw x.x.x.x

        set network-overlay enable

        set network-id 1

        ...

    next

 edit "advpn2"

        set ike-version 2

        set interface "port1"

        set remote-gw y.y.y.y

        set network-overlay enable

        set network-id 2

        ...

    next

end

Note:

• IKEv1 does not support Network_IDs.
• For IKEv1 Shortcut tunnels, dependency can be enabled so that once the parent tunnel goes down, the Shortcut tunnel over that parent tunnel will also go down.
• Make sure the network IDs match to spoke and hub firewall, if there is a mismatch in the network ID, then the tunnel will get established to a different tunnel.
• Using IKEv2 network-id, it is possible to have multiple shortcuts between two Spokes even if there is a single Internet access on each Spoke.
• The network-id is not taken into account during shortcut (spoke to spoke tunnel) negotiation. It is possible for Spoke B1 which connects to HUB via network-id 1 to negotiate a direct shortcut tunnel with Spoke B2 which connects to the same HUB via network-id 2.
• Network-id is an overlay ID and not an ADVPN domain ID, it allows cross-overlay shortcuts.