Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
3x-t
New Contributor II

ADVPN - Split Tunnel

Sorry, probably this is a dummy question...

Obviously, I'm not so good with ADVPN, and I also just started learning FortiGate, as I got my first FortiGate and am trying to build some network.
I'm not sure if it's possible, and how, to make split tunneling on my FortiGate. Our HQ doesn't have that good an internet connection, and I wouldn't like it if we have more trouble when we add all the planned BO. For easier configuration, we chose to use ADVPN with BGP.
Btw, we have two BO with a second WAN that uses LTE (no public IP), and at the moment that BO has a configuration on some Cisco routers to combine the two WANs for better connectivity.

Thank you!


4 Replies
pciurea
Staff

Hello 3x-t

Welcome to this community. 

I want to let you know that from my point of view there are no dummy questions, not even dummy answers. I will try my best not to give you a dummy answer :).

ADVPN would be defined by 2 main purposes:

1. Achieving full mesh between the spokes.

2. Taking the throughput load off the hub by establishing spoke-to-spoke shortcut tunnels.

 

Let's talk about split tunneling.

Split tunneling, by its purpose, besides the P2 selectors, would also add specific routes in the routing table (to steer specific traffic) - this is rendered useful in combination with ADVPN, as routes need to be dynamically changed when a shortcut tunnel goes up.

As you have already chosen the best path - BGP - BGP will be your angel in the routing decision: it will install routes in the routing table and dynamically change the outgoing interface in the routing table based on next-hop reachability (either through the hub if no shortcut is created, or through the shortcut tunnel - this is a direct tunnel to the remote side).

 

There is a great Tech Tip that can help you understand the workings behind ADVPN - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195... - Make sure you download the PDFs attached to this Technical Tip.

 

Hope I've been helpful.

Regards

"Serenity now. Insanity later"
3x-t
New Contributor II

Thank you so much for your help!

Since all our BO are in the same city, I will try to get approval for upgrading our internet connection at one other BO where I can create a second HUB.

So far all I can say is that FortiGate is great! Every day I learn something new; the documentation is great, YouTube videos...
My colleagues are working on a Windows domain controller to bring it up, and then we will start deploying our network. After that, I'm starting with VM FortiManager, SD-WAN, etc.
I'm a little bit scared of SD-WAN... it's still very new for me.

3x-t
New Contributor II

Hi pciurea,
I have one more question. Is it possible to have ADVPN and site-to-site VPN at the same time?
The thing is that we have three locations plus the boss's house that don't need to access other BO and rarely use HQ servers; rather, they use the internet connection for online meetings and some other things, but sometimes they need some files and services from HQ servers. For those locations, we would like to have a tunnel where we can split the internet. Now we are not sure if we can combine ADVPN for the BO with site-to-site VPN for those couple of sites, where internet and VPN are split. Any suggestion?

Thank you!

pciurea

Hello 3x-t

ADVPN can be mixed with any other tunnel types. So on the same device you can have IPsec tunnels with ADVPN enabled, but also IPsec tunnels with no relation to the ADVPN setup (like S2S or dial-up VPN for Windows clients). It all comes down to the routing decision on which tunnel interface or plain interface the traffic is sent out on.

So you need to make sure the routing is right - you can have as many configured IPsec tunnels (ADVPN or not) as you need.

 

Regarding SD-WAN - it's another great technology that, if configured properly, would give you a nice redundancy/load-balancing capability. In newer releases SD-WAN can also use BGP route tags, so it's another great combination that you can take advantage of. Don't be scared of any Fortinet capabilities; try to implement your design, and if you run into trouble we have this great community (forum + support) that can help you.

 

Cheers

"Serenity now. Insanity later"
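To illustrate both points made in this thread (split tunneling is really a routing decision, and ADVPN tunnels can coexist with plain site-to-site tunnels on one FortiGate), here is an added FortiOS CLI sketch for an HQ hub that is not from the original posts or from Fortinet documentation. All interface names, IP addresses, the AS number and the PSK are placeholders; firewall policies, the spoke-side configuration and the hub's own LAN advertisement are left out.

```text
config vpn ipsec phase1-interface
    edit "advpn-hub"                      # one dynamic phase1 for all ADVPN spokes
        set type dynamic
        set interface "wan1"
        set add-route disable             # spoke LANs are learned via BGP, not IKE
        set auto-discovery-sender enable  # lets spokes build shortcut tunnels
        set psksecret <PSK-PLACEHOLDER>
    next
    edit "boss-s2s"                       # plain static site-to-site, no ADVPN flags
        set interface "wan1"
        set remote-gw 198.51.100.7        # boss-house public IP (placeholder)
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"        # default selectors 0.0.0.0/0: any spoke prefix
    next
    edit "boss-s2s"
        set phase1name "boss-s2s"
        set src-subnet 192.168.1.0 255.255.255.0    # HQ LAN (placeholder)
        set dst-subnet 192.168.40.0 255.255.255.0   # boss-house LAN only (placeholder)
    next
end
config system interface
    edit "advpn-hub"                      # overlay address the spokes peer with
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
config router bgp
    set as 65000
    config neighbor-group
        edit "advpn-spokes"
            set remote-as 65000
            set route-reflector-client enable   # spokes learn each other's LANs via the hub
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0    # any spoke overlay IP may peer
            set neighbor-group "advpn-spokes"
        next
    end
end
config router static
    edit 0
        set dst 192.168.40.0 255.255.255.0    # only this prefix is steered into boss-s2s
        set device "boss-s2s"
    next
end
```

Traffic to the boss-house LAN follows the static route into boss-s2s, spoke LANs follow the BGP routes into advpn-hub (or a shortcut once ADVPN negotiates one), and everything else keeps using the default route out of wan1, which is what makes the tunnels split.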