This article describes how to configure ADVPN so that the Hub assigns tunnel IP addresses to the spokes automatically (IKE mode-cfg).
Scope
FortiGate.
Solution
The topology in this example is an ADVPN Hub with two Spokes, as per the above diagram.
- Port1 is the WAN link on all devices.
- 10.10.1.0/24 is used for the ADVPN tunnel overlay. The Hub assigns 10.10.1.x addresses to the spokes.
- BGP is the routing protocol.
- 10.177.0.0/20 is the local network behind the Hub. 10.207.0.0/22 and 10.227.0.0/20 are the local networks behind the spokes.
To configure the Hub:
config vpn ipsec phase1-interface
    edit "Hub-to-Spokes"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set ipv4-start-ip 10.10.1.3
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "Hub-to-Spokes"
        set phase1name "Hub-to-Spokes"
        set proposal aes256-sha256
    next
end
config system interface
    edit "Hub-to-Spokes"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.1.2 255.255.255.0
        set snmp-index 15
        set interface "port1"
    next
end
config router bgp
    set as 65400
    config neighbor-group
        edit "ADVPN"
            set advertisement-interval 1
            set activate6 disable
            set link-down-failover enable
            set remote-as 65400
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.1.0 255.255.255.0
            set neighbor-group "ADVPN"
        next
    end
    config network
        edit 1
            set prefix 10.177.0.0 255.255.240.0
        next
        edit 2
            set prefix 10.10.1.0 255.255.255.0
        next
    end
end
To configure Spoke1:
config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end
config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end
config router bgp
    set as 65400
    config neighbor
        edit "10.10.1.1"
            set activate6 disable
            set remote-as 65400
        next
    end
    config network
        edit 1
            set prefix 10.207.0.0 255.255.240.0
        next
    end
end
To configure Spoke2:
config vpn ipsec phase1-interface
    edit "Spokes-to-Hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set remote-gw 10.47.4.65
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "Spokes-to-Hub"
        set phase1name "Spokes-to-Hub"
        set proposal aes256-sha256
    next
end
config system interface
    edit "Spokes-to-Hub"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 15
        set interface "port1"
    next
end
config router bgp
    set as 65400
    config neighbor
        edit "10.10.1.1"
            set activate6 disable
            set remote-as 65400
        next
    end
    config network
        edit 1
            set prefix 10.227.0.0 255.255.240.0
        next
    end
end
To verify that the Hub assigned IP addresses to the spokes, use the command 'diagnose vpn ike gateway' on the Hub and check the 'assigned IPv4 address' field of each tunnel.
In this example, the Hub assigned 10.10.1.3 and 10.10.1.4 to the spokes.
FortiGate_Hub # diagnose vpn ike gateway

vd: root/0
name: Hub-to-Spokes_1
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.1.243:500
tun_id: 10.10.1.4/::10.0.3.218
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2673s ago
peer-id: 10.47.1.243
peer-id-auth: no
assigned IPv4 address: 10.10.1.4/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

  id/spi: 1022 1e416d0d47ecc700/ca1908b355cf43f6
  direction: responder
  status: established 2673-2673s ago = 10ms
  proposal: aes256-sha256
  child: no
  SK_ei: 7b70a59900a51025-0e99105baf025f7c-abee7183c23a8925-3da0ef12b68a821d
  SK_er: f9152ad12fc5d2a2-b60b74716c4ed75a-ebcc506485530f8c-50763fa2ea96861e
  SK_ai: e82e0854762af950-02dcafc18e76a21e-5b4cb2b8cd26855c-a599c9c2f8375e2d
  SK_ar: fda183abf38f61a8-5e1b50ad86e116fe-8e2f5fa5d4d31c1d-472f2fc02bc84ef9
  PPK: no
  message-id sent/recv: 17/13
  QKD: no
  lifetime/rekey: 86400/83456
  DPD sent/recv: 00000016/00000016
  peer-id: 10.47.1.243

vd: root/0
name: Hub-to-Spokes_0
version: 2
interface: port1 3
addr: 10.47.4.65:500 -> 10.47.2.143:500
tun_id: 10.10.1.3/::10.0.3.219
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 10.10.1.1 -> 10.10.1.2
created: 2610s ago
peer-id: 10.47.2.143
peer-id-auth: no
assigned IPv4 address: 10.10.1.3/255.255.255.0
auto-discovery: 1 sender
pending-queue: 0
PPK: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

  id/spi: 1023 3d63e2d967952c67/4fbe61adf9f2e003
  direction: responder
  status: established 2610-2610s ago = 0ms
  proposal: aes256-sha256
  child: no
  SK_ei: 3ea8ed157d7cb2a3-4a49bb650afa93d8-0f5a78d54d45274a-6caac86323b54a02
  SK_er: 6f53d68d08e6c8c4-016fe4143060b53e-3930d9ff0a437754-2eec7af432dc5b9e
  SK_ai: 7e12babd11fb8fda-730f3cf419890822-1847db43de66efaa-3f454a068109a376
  SK_ar: efa2b9989ffa35d8-c0404c432c1a9c4f-2b64b3fc904874a0-80a2206ec5f782fd
  PPK: no
  message-id sent/recv: 389/25
  QKD: no
  lifetime/rekey: 86400/83519
  DPD sent/recv: 00000000/00000000
  peer-id: 10.47.2.143

The Hub's routing table confirms that the spoke networks are learned over BGP with the assigned tunnel addresses (10.10.1.3 and 10.10.1.4) as next hops:

FortiGate_Hub # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.47.15.254, port1, [1/0]
C       10.10.1.0/24 is directly connected, Hub-to-Spokes
C       10.10.1.1/32 is directly connected, Hub-to-Spokes
C       10.47.0.0/20 is directly connected, port1
C       10.177.0.0/20 is directly connected, port2
B       10.207.0.0/20 [200/0] via 10.10.1.3 (recursive is directly connected, Hub-to-Spokes), 00:11:09, [1/0]
B       10.227.0.0/20 [200/0] via 10.10.1.4 (recursive is directly connected, Hub-to-Spokes), 00:12:52, [1/0]
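As an added check that is not part of the original article, the script below parses 'diagnose vpn ike gateway' output and verifies that every spoke received a mode-cfg address inside the Hub's ipv4-start-ip/ipv4-end-ip pool, that no address was handed out twice, and that the Hub is announcing itself as auto-discovery sender. The SAMPLE text is constructed from the two tunnels shown above with the key material left out.

```python
# Added example (not code from the original article): parse FortiGate
# 'diagnose vpn ike gateway' output and check the Hub's mode-cfg assignments.
import ipaddress
import re

# Constructed sample built from the page's two spoke tunnels, keys omitted.
SAMPLE = """\
vd: root/0
name: Hub-to-Spokes_1
addr: 10.47.4.65:500 -> 10.47.1.243:500
assigned IPv4 address: 10.10.1.4/255.255.255.0
auto-discovery: 1 sender

vd: root/0
name: Hub-to-Spokes_0
addr: 10.47.4.65:500 -> 10.47.2.143:500
assigned IPv4 address: 10.10.1.3/255.255.255.0
auto-discovery: 1 sender
"""
FIELD = re.compile(r"^\s*([\w\s-]+?):\s*(.*)$")

def parse_ike_gateways(text):
    """One dict per gateway; 'vd:' opens a block and the first value per key wins."""
    gateways, current = [], None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "vd":
            current = {"vd": value}
            gateways.append(current)
        elif current is not None and key not in current:
            current[key] = value
    return gateways

def check_pool(gateways, start_ip, end_ip):
    """Flag spokes with no address, an address outside [start_ip, end_ip],
    a duplicate address, or auto-discovery not announced as sender."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (start_ip, end_ip))
    findings, seen = [], set()
    for gw in gateways:
        name, assigned = gw.get("name", "?"), gw.get("assigned IPv4 address")
        if not assigned:
            findings.append(f"{name}: no mode-cfg address assigned")
            continue
        ip = assigned.partition("/")[0]
        if not lo <= int(ipaddress.IPv4Address(ip)) <= hi:
            findings.append(f"{name}: {ip} is outside pool {start_ip}-{end_ip}")
        if ip in seen:
            findings.append(f"{name}: {ip} also assigned to another spoke")
        seen.add(ip)
        if not gw.get("auto-discovery", "").endswith("sender"):
            findings.append(f"{name}: auto-discovery sender not active")
    return findings
```

Run check_pool(parse_ike_gateways(text), "10.10.1.3", "10.10.1.254") on the Hub's real output; an empty list means every tunnel matches the phase1 configuration above.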