Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JGaiser
New Contributor II

ADVPN Network Security

We are currently converting the topology of our network infrastructure from a semi-mesh IPSEC monstrosity to a ADVPN with BGP topology.

Currently, we use phase 2 settings to help isolate which networks can access other networks along with firewall rules.

With ADVPN, does phase 2 have to be 0.0.0.0 0.0.0.0, or can we be specific with which networks are in phase 2 without breaking route auto-discovery?

There are about 65 sites, 2 hubs.  We have SDWAN configured for point to multipoint.

3 REPLIES 3
atakannatak
New Contributor III

Hi @JGaiser ,

 

In an ADVPN setup with BGP, you can be specific with your Phase 2 selectors without breaking route auto-discovery. Unlike traditional IPsec VPNs where specific Phase 2 selectors are crucial for defining the subnets that can communicate over the VPN tunnel, ADVPN is designed to dynamically discover and establish direct tunnels between spokes based on the actual traffic and routing information.

 

Thus, you don't need to use 0.0.0.0/0 for Phase 2 selectors in an ADVPN setup. You can specify the exact networks to maintain control and isolation as you currently do with your semi-mesh IPsec configuration, while still benefiting from ADVPN's dynamic tunnel creation and BGP's route management.

 

https://docs.fortinet.com/document/fortigate/7.2.0/sd-wan-new-features/832351/phase-2-selectors-and-...

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

Atakan Atak
Atakan Atak
JGaiser
New Contributor II

Is this method just as scalable?

atakannatak
New Contributor III

Hi @JGaiser ,

 

Using specific subnets in Phase 2 selectors in an ADVPN setup can be scalable, but it requires careful planning and management. Here are some key points to consider for scalability:

 

Number of Tunnels: If you have a large number of spokes and each spoke has specific subnets that need to communicate with specific subnets on other spokes, you could end up with a large number of Phase 2 configurations. This can increase the complexity of the configuration and management of the VPN.
Dynamic Routing Protocol: Using a dynamic routing protocol like BGP helps manage the scalability by dynamically advertising and learning routes. This reduces the need for static routing configurations. However, ensure that your routing protocol is properly optimized to handle the scale of your network.
Resource Usage: More specific Phase 2 selectors can lead to more IPsec SAs, which can increase resource usage on your devices. Ensure that your devices have the necessary resources (CPU, memory, etc.) to handle the increased load.
Management Overhead: Managing a large number of specific Phase 2 selectors can be more challenging than using a broad 0.0.0.0/0 selector.
Security: Using specific Phase 2 selectors can enhance security by limiting which subnets can communicate over the VPN. This can be particularly important in larger networks where different segments may have different security requirements.

 

While using specific Phase 2 selectors in an ADVPN setup can be scalable, it requires careful planning, efficient use of dynamic routing protocols, and resource management to handle the complexity.

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

Atakan Atak
Atakan Atak
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors