Configuring the Hub FortiGate
- Using the CLI, configure the phase 1 parameters.
The auto-discovery commands enable the sending and receiving of shortcut messages between the hub and its spokes. The hub is responsible for letting the spokes know that they should establish those tunnels.
Aggressive mode is not supported for ADVPN in 5.6. It is supported in 6.0.1 and higher.
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "wan1"
        set proposal des-sha1
        set add-route disable
        set net-device enable
        set dhgrp 2
        set auto-discovery-sender enable
        set psksecret fortinet
    next
end
- Configure the phase 2 parameters using a standard phase 2 configuration.
config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal des-sha1
    next
end
- Configure the tunnel interface IP.
ADVPN requires that a tunnel IP be configured on each connecting device, and the IP addresses must be unique for each peer. The hub also needs a placeholder remote-IP address (in this example, 10.10.10.254). This address should not be used anywhere else in the topology; it is required by the interface configuration but is not treated as part of the hub's configuration.
config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254
        set interface "wan1"
    next
end
- Configure iBGP and route-reflection.
iBGP is the overlay protocol that enables ADVPN communications. We are using an arbitrary private AS number (in this example, 65000) and configuring a dynamic client group to reduce provisioning requirements. This example advertises our LAN network directly (the config network command). Another option is to use route redistribution.
config router bgp
    set as 65000
    set router-id 10.10.10.1
    config neighbor-group
        edit "ADVPN-PEERS"
            set remote-as 65000
            set route-reflector-client enable
            set next-hop-self enable
        next
    end
    config neighbor-range
        edit 0
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "ADVPN-PEERS"
        next
    end
    config network
        edit 0
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end
- Configure basic policies to allow traffic to flow between the local network and the ADVPN topology. To allow traffic between spokes in an ADVPN setup, also create a policy that permits spoke-to-spoke communications (tunnel interface to tunnel interface).
config firewall policy
    edit 0
        set name "OUT ADVPN"
        set srcintf "lan"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "IN ADVPN"
        set srcintf "ADVPN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "ADVPNtoADVPN"
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
end
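The hub configuration above is a set of CLI blocks with a regular config/edit/set/next/end structure, which makes it practical to check a hub's settings mechanically before deployment. The following Python script is an added example, not Fortinet code and not part of this documentation: it parses that syntax into nested dictionaries and checks the requirements stated in the steps above (a dynamic phase 1 with auto-discovery-sender enabled, tunnel IPs unique per peer with the placeholder remote-ip not reused by any peer, spoke tunnel IPs covered by a neighbor-range whose group is a route-reflector client, and a tunnel-to-tunnel firewall policy). HUB_CONFIG is the hub configuration from this page trimmed to the lines the checks read; SPOKE_TUNNEL_IPS, parse_fortios and check_hub are constructed for the example and are not FortiOS commands or APIs. The script also flags the single-DES proposal used in the example, since DES is a 56-bit cipher that is no longer considered safe.

```python
import ipaddress
import shlex

# Hub configuration from the page, trimmed to the lines the checks read.
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set proposal des-sha1
        set auto-discovery-sender enable
    next
end
config system interface
    edit "ADVPN"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254
    next
end
config router bgp
    set as 65000
    config neighbor-group
        edit "ADVPN-PEERS"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 0
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "ADVPN-PEERS"
        next
    end
end
config firewall policy
    edit 0
        set name "ADVPNtoADVPN"
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set action accept
    next
end
"""

# Constructed spoke tunnel IPs (not from the page) used to exercise the checks.
SPOKE_TUNNEL_IPS = ["10.10.10.2", "10.10.10.3"]


def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts (hypothetical helper)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours the quoted names, e.g. "ADVPN"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            name = " ".join(args)
            if kw == "edit" and name == "0":   # "edit 0" asks FortiOS for a new ID
                name = f"auto-{len(stack[-1]) + 1}"
            stack.append(stack[-1].setdefault(name, {}))
        elif kw == "set":                      # one value -> str, several -> list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return root


def check_hub(cfg, tunnel="ADVPN", spoke_ips=()):
    """Return findings for the ADVPN hub; an empty list means it looks consistent."""
    findings = []
    p1 = cfg["vpn ipsec phase1-interface"][tunnel]
    if p1.get("type") != "dynamic" or p1.get("auto-discovery-sender") != "enable":
        findings.append("phase1: hub needs a dynamic tunnel with auto-discovery-sender enabled")
    props = p1.get("proposal", [])
    props = [props] if isinstance(props, str) else props
    if any(p.split("-")[0] == "des" for p in props):
        findings.append("phase1: proposal uses single DES; prefer an AES proposal")
    intf = cfg["system interface"][tunnel]
    peers = [ipaddress.ip_address(intf["ip"][0])]        # hub first, then spokes
    peers += [ipaddress.ip_address(s) for s in spoke_ips]
    if len(set(peers)) != len(peers):
        findings.append("interface: tunnel IPs must be unique per peer")
    if ipaddress.ip_address(intf["remote-ip"]) in peers:
        findings.append("interface: placeholder remote-ip is assigned to a real peer")
    bgp = cfg["router bgp"]
    ranges = {ipaddress.ip_network("/".join(r["prefix"])): r["neighbor-group"]
              for r in bgp["neighbor-range"].values()}
    for ip in peers[1:]:                                   # every spoke must be a dynamic neighbor
        if not any(ip in net for net in ranges):
            findings.append(f"bgp: spoke {ip} matches no neighbor-range prefix")
    for group in set(ranges.values()):
        if bgp["neighbor-group"][group].get("route-reflector-client") != "enable":
            findings.append(f"bgp: neighbor-group {group} must be a route-reflector client")
    if not any(p.get("srcintf") == p.get("dstintf") == tunnel and p.get("action") == "accept"
               for p in cfg["firewall policy"].values()):
        findings.append("firewall: no tunnel-to-tunnel policy for spoke-to-spoke traffic")
    return findings


if __name__ == "__main__":
    for finding in check_hub(parse_fortios(HUB_CONFIG), spoke_ips=SPOKE_TUNNEL_IPS):
        print(finding)
```

Run as-is, the only finding for the page's configuration is the DES proposal; changing auto-discovery-sender to disable, or giving a spoke the placeholder address 10.10.10.254 or an address outside 10.10.10.0/24, each produces the corresponding finding. The same parser can be pointed at a spoke's configuration to check that its tunnel IP falls inside the hub's neighbor-range before the device is shipped.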