Fortinet Cookbook
Configuring ADVPN

Auto Discovery VPN (ADVPN) is an IPsec technology based on an IETF Internet-Draft (Auto Discovery VPN Protocol). ADVPN allows the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand direct tunnels (shortcuts) between each other, so spoke-to-spoke traffic no longer has to transit the hub. ADVPN requires dynamic routing over the tunnels; FortiOS 5.6 supports both BGP and RIP for this purpose. This example uses BGP, with its route-reflector mechanism, as the dynamic routing solution for ADVPN.

ADVPN's main advantage is that it adds full-mesh reachability to a standard hub-and-spoke topology. This reduces the provisioning effort required for full spoke-to-spoke, low-delay reachability, and addresses the scalability issues associated with large, statically fully meshed VPN networks.

BGP (and specifically iBGP) is a good fit for ADVPN because the route reflector runs on the VPN hub and reflects the routes learned from each spoke to all of the other spokes. Furthermore, a dynamic neighbor group (peers accepted from an address range) means the hub needs near zero-touch provisioning when a new spoke is introduced into the topology.

While the static configuration only has each spoke FortiGate connect to the hub FortiGate, Spoke A can establish a dynamic on-demand shortcut IPsec tunnel to Spoke B (and vice versa) when a host behind either spoke attempts to reach a host behind the other spoke. After configuration, the verification step shows reachability from 192.168.2.1 (Spoke A) to 192.168.3.1 (Spoke B) over the dynamically created shortcut link.

This example uses the CLI, since BGP and ADVPN are best configured from the CLI. It requires that basic IP addressing and default routing have already been configured on the devices.
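The following is an added illustration of the hub and spoke pieces the paragraphs above describe, and is not the configuration from the original page. It assumes a single private AS 65000, a tunnel subnet of 10.10.10.0/24 (hub 10.10.10.254, Spoke A 10.10.10.1), "port1" as the WAN interface, 192.0.2.1 as the hub's public address, and LAN prefixes 192.168.1.0/24 (hub) and 192.168.2.0/24 (Spoke A); replace these and the placeholder pre-shared key with your own values, and repeat the spoke configuration for Spoke B with its own tunnel and LAN addresses. `#` lines are CLI comments.

```text
# ===== Hub: dial-up IKE phase 1 that advertises shortcuts (FortiOS 5.6 syntax) =====
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic                     # accept dial-up spokes
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set add-route disable                # routes come from BGP, not from IKE
        set dpd on-idle
        set auto-discovery-sender enable     # hub tells spokes about each other
        set tunnel-search nexthop            # select tunnel by BGP next hop (5.6 syntax)
        set psksecret "CHANGE-ME-strong-shared-secret"   # placeholder, assumed
    next
end
config vpn ipsec phase2-interface
    edit "ADVPN-p2"
        set phase1name "ADVPN"
        set proposal aes256-sha256
    next
end
config system interface
    edit "ADVPN"
        set ip 10.10.10.254 255.255.255.255          # hub tunnel address (assumed)
        set remote-ip 10.10.10.253 255.255.255.0     # on-link range for spoke peers
    next
end
# iBGP route reflector; spokes are accepted dynamically from the tunnel subnet
config router bgp
    set as 65000
    set router-id 10.10.10.254
    config neighbor-group
        edit "advpn-spokes"
            set remote-as 65000
            set route-reflector-client enable    # reflect spoke routes to other spokes
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advpn-spokes"
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0     # hub LAN (assumed)
        next
    end
end

# ===== Spoke A: static tunnel to the hub, shortcuts accepted on demand =====
config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable   # spoke builds shortcuts when the hub signals one
        set remote-gw 192.0.2.1              # hub public IP (assumed)
        set psksecret "CHANGE-ME-strong-shared-secret"   # must match the hub
    next
end
config vpn ipsec phase2-interface
    edit "ADVPN-p2"
        set phase1name "ADVPN"
        set proposal aes256-sha256
        set auto-negotiate enable            # bring the hub tunnel up without waiting for traffic
    next
end
config system interface
    edit "ADVPN"
        set ip 10.10.10.1 255.255.255.255            # Spoke A tunnel address (assumed)
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
config router bgp
    set as 65000
    set router-id 10.10.10.1
    config neighbor
        edit "10.10.10.254"                  # the hub is the only configured peer
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0     # Spoke A LAN (assumed)
        next
    end
end
```

Firewall policies between each LAN interface and the "ADVPN" tunnel interface are still required in both directions, since the tunnel carries no traffic without them. To check the result, `get router info bgp summary` on the hub should list each spoke as an established neighbor, `get router info routing-table bgp` on a spoke should show the other spokes' LAN prefixes with a next hop in 10.10.10.0/24, and `diagnose vpn tunnel list` on a spoke should show a second, shortcut tunnel appear after traffic is sent toward the other spoke's LAN. Use a long random pre-shared key (or certificate authentication) here: every spoke shares this credential with the hub, so a weak key exposes the whole overlay.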
