7.0.0


VPN configurations

Two ADVPN tunnels, VPN1 and VPN2, are created on the hub, one for each WAN interface (port2 and port3). VPN1 assigns IP addresses from 169.254.16.10 to 169.254.16.250 and VPN2 assigns IP addresses from 169.254.17.10 to 169.254.17.250. BGP neighbors are formed over the VPN overlays.

To configure the hub:
  1. Configure the phase1 and phase2 settings for VPN1:

    config vpn ipsec phase1-interface
        edit "VPN1"
            # Dial-up (dynamic) hub endpoint on the port2 WAN link; the branches initiate.
            set type dynamic
            set interface "port2"
            set ike-version 2
            # Any peer that presents the correct PSK is accepted: no peer-ID restriction
            # is applied, so the PSK is the only thing authenticating a branch here.
            set peertype any
            set net-device disable
            # The hub hands out tunnel addresses from the ipv4-start-ip/ipv4-end-ip range below.
            set mode-cfg enable
            # IKE proposal. dhgrp is not set here, so its default applies.
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            set dpd on-idle
            # ADVPN: the hub sends shortcut information to the branches.
            set auto-discovery-sender enable
            # network-id 1 must match the branch-side HUB1-VPN1 tunnel.
            set network-overlay enable
            set network-id 1
            set ipv4-start-ip 169.254.16.10
            set ipv4-end-ip 169.254.16.250
            set ipv4-netmask 255.255.255.0
            # Placeholder: replace <secret> with a strong pre-shared key. It must match
            # the psksecret on the branch HUB1-VPN1 phase1.
            set psksecret <secret>
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "VPN1"
            set phase1name "VPN1"
            # Must agree with the branch phase2 proposal (aes256-sha256).
            set proposal aes256-sha256
        next
    end
    
  2. Configure the phase1 and phase2 settings for VPN2:

    config vpn ipsec phase1-interface
        edit "VPN2"
            # Dial-up (dynamic) hub endpoint on the port3 WAN link; the branches initiate.
            set type dynamic
            set interface "port3"
            set ike-version 2
            # Any peer that presents the correct PSK is accepted: no peer-ID restriction
            # is applied, so the PSK is the only thing authenticating a branch here.
            set peertype any
            set net-device disable
            # The hub hands out tunnel addresses from the ipv4-start-ip/ipv4-end-ip range below.
            set mode-cfg enable
            # IKE proposal. dhgrp is not set here, so its default applies.
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            set dpd on-idle
            # ADVPN: the hub sends shortcut information to the branches.
            set auto-discovery-sender enable
            # network-id 2 must match the branch-side HUB1-VPN2 tunnel (VPN1 uses 1).
            set network-overlay enable
            set network-id 2
            set ipv4-start-ip 169.254.17.10
            set ipv4-end-ip 169.254.17.250
            set ipv4-netmask 255.255.255.0
            # Placeholder: replace <secret> with a strong pre-shared key. It must match
            # the psksecret on the branch HUB1-VPN2 phase1.
            set psksecret <secret>
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "VPN2"
            set phase1name "VPN2"
            # Must agree with the branch phase2 proposal (aes256-sha256).
            set proposal aes256-sha256
        next
    end
To configure the branches:
  1. Configure the phase1 and phase2 settings for HUB1-VPN1:

    config vpn ipsec phase1-interface
        edit "HUB1-VPN1"
            # Branch side of the hub's VPN1 tunnel, over this branch's ISP1 link (port2).
            set interface "port2"
            set ike-version 2
            set peertype any
            set net-device enable
            # Accept the tunnel address assigned by the hub (169.254.16.x range).
            set mode-cfg enable
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            # Identity this branch sends to the hub; use a distinct value on each branch.
            set localid "FGT-Branch1_ISP1"
            set idle-timeout enable
            # ADVPN: the branch accepts shortcut information from the hub.
            set auto-discovery-receiver enable
            # network-id 1 must match the hub's VPN1 tunnel.
            set network-overlay enable
            set network-id 1
            # Hub WAN address reached over ISP1 -- presumably the hub's port2 address; confirm.
            set remote-gw 192.168.100.2
            # Placeholder: must match the psksecret configured on the hub's VPN1 phase1.
            set psksecret <secret>
            # Branch-side DPD is more aggressive than the hub's (2 retries, 2 s apart).
            set dpd-retrycount 2
            set dpd-retryinterval 2
        next
    end
    config vpn ipsec phase2-interface
        edit "HUB1-VPN1"
            set phase1name "HUB1-VPN1"
            # Must agree with the hub's VPN1 phase2 proposal.
            set proposal aes256-sha256
            # The branch brings phase2 up on its own; the hub is a dial-up endpoint and
            # cannot initiate.
            set auto-negotiate enable
        next
    end
  2. Configure the phase1 and phase2 settings for HUB1-VPN2:

    config vpn ipsec phase1-interface 
        edit "HUB1-VPN2"
            # Branch side of the hub's VPN2 tunnel, over this branch's ISP2 link (port3).
            set interface "port3"
            set ike-version 2
            set peertype any
            set net-device enable
            # Accept the tunnel address assigned by the hub (169.254.17.x range).
            set mode-cfg enable
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            # Identity this branch sends to the hub; use a distinct value on each branch.
            set localid "FGT-Branch1_ISP2"
            set idle-timeout enable
            # ADVPN: the branch accepts shortcut information from the hub.
            set auto-discovery-receiver enable
            # network-id 2 must match the hub's VPN2 tunnel.
            set network-overlay enable
            set network-id 2
            # Hub WAN address reached over ISP2 -- presumably the hub's port3 address; confirm.
            set remote-gw 192.168.101.2
            # Placeholder: must match the psksecret configured on the hub's VPN2 phase1.
            set psksecret <secret>
            # Branch-side DPD is more aggressive than the hub's (2 retries, 2 s apart).
            set dpd-retrycount 2
            set dpd-retryinterval 2
        next
    end
    config vpn ipsec phase2-interface
        edit "HUB1-VPN2"
            set phase1name "HUB1-VPN2"
            # Must agree with the hub's VPN2 phase2 proposal.
            set proposal aes256-sha256
            # The branch brings phase2 up on its own; the hub is a dial-up endpoint and
            # cannot initiate.
            set auto-negotiate enable
        next
    end
    
  3. Repeat the configuration on all of the other branches, using a localid that identifies each branch.

VPN configurations

Two ADVPN tunnels, VPN1 and VPN2, are created on the hub, one for each WAN interface (port2 and port3). VPN1 assigns IP addresses from 169.254.16.10 to 169.254.16.250 and VPN2 assigns IP addresses from 169.254.17.10 to 169.254.17.250. BGP neighbors are formed over the VPN overlays.

To configure the hub:
  1. Configure the phase1 and phase2 settings for VPN1:

    config vpn ipsec phase1-interface
        edit "VPN1"
            # Dial-up (dynamic) hub endpoint on the port2 WAN link; the branches initiate.
            set type dynamic
            set interface "port2"
            set ike-version 2
            # Any peer that presents the correct PSK is accepted: no peer-ID restriction
            # is applied, so the PSK is the only thing authenticating a branch here.
            set peertype any
            set net-device disable
            # The hub hands out tunnel addresses from the ipv4-start-ip/ipv4-end-ip range below.
            set mode-cfg enable
            # IKE proposal. dhgrp is not set here, so its default applies.
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            set dpd on-idle
            # ADVPN: the hub sends shortcut information to the branches.
            set auto-discovery-sender enable
            # network-id 1 must match the branch-side HUB1-VPN1 tunnel.
            set network-overlay enable
            set network-id 1
            set ipv4-start-ip 169.254.16.10
            set ipv4-end-ip 169.254.16.250
            set ipv4-netmask 255.255.255.0
            # Placeholder: replace <secret> with a strong pre-shared key. It must match
            # the psksecret on the branch HUB1-VPN1 phase1.
            set psksecret <secret>
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "VPN1"
            set phase1name "VPN1"
            # Must agree with the branch phase2 proposal (aes256-sha256).
            set proposal aes256-sha256
        next
    end
    
  2. Configure the phase1 and phase2 settings for VPN2:

    config vpn ipsec phase1-interface
        edit "VPN2"
            # Dial-up (dynamic) hub endpoint on the port3 WAN link; the branches initiate.
            set type dynamic
            set interface "port3"
            set ike-version 2
            # Any peer that presents the correct PSK is accepted: no peer-ID restriction
            # is applied, so the PSK is the only thing authenticating a branch here.
            set peertype any
            set net-device disable
            # The hub hands out tunnel addresses from the ipv4-start-ip/ipv4-end-ip range below.
            set mode-cfg enable
            # IKE proposal. dhgrp is not set here, so its default applies.
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            set dpd on-idle
            # ADVPN: the hub sends shortcut information to the branches.
            set auto-discovery-sender enable
            # network-id 2 must match the branch-side HUB1-VPN2 tunnel (VPN1 uses 1).
            set network-overlay enable
            set network-id 2
            set ipv4-start-ip 169.254.17.10
            set ipv4-end-ip 169.254.17.250
            set ipv4-netmask 255.255.255.0
            # Placeholder: replace <secret> with a strong pre-shared key. It must match
            # the psksecret on the branch HUB1-VPN2 phase1.
            set psksecret <secret>
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "VPN2"
            set phase1name "VPN2"
            # Must agree with the branch phase2 proposal (aes256-sha256).
            set proposal aes256-sha256
        next
    end
To configure the branches:
  1. Configure the phase1 and phase2 settings for HUB1-VPN1:

    config vpn ipsec phase1-interface
        edit "HUB1-VPN1"
            # Branch side of the hub's VPN1 tunnel, over this branch's ISP1 link (port2).
            set interface "port2"
            set ike-version 2
            set peertype any
            set net-device enable
            # Accept the tunnel address assigned by the hub (169.254.16.x range).
            set mode-cfg enable
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            # Identity this branch sends to the hub; use a distinct value on each branch.
            set localid "FGT-Branch1_ISP1"
            set idle-timeout enable
            # ADVPN: the branch accepts shortcut information from the hub.
            set auto-discovery-receiver enable
            # network-id 1 must match the hub's VPN1 tunnel.
            set network-overlay enable
            set network-id 1
            # Hub WAN address reached over ISP1 -- presumably the hub's port2 address; confirm.
            set remote-gw 192.168.100.2
            # Placeholder: must match the psksecret configured on the hub's VPN1 phase1.
            set psksecret <secret>
            # Branch-side DPD is more aggressive than the hub's (2 retries, 2 s apart).
            set dpd-retrycount 2
            set dpd-retryinterval 2
        next
    end
    config vpn ipsec phase2-interface
        edit "HUB1-VPN1"
            set phase1name "HUB1-VPN1"
            # Must agree with the hub's VPN1 phase2 proposal.
            set proposal aes256-sha256
            # The branch brings phase2 up on its own; the hub is a dial-up endpoint and
            # cannot initiate.
            set auto-negotiate enable
        next
    end
  2. Configure the phase1 and phase2 settings for HUB1-VPN2:

    config vpn ipsec phase1-interface 
        edit "HUB1-VPN2"
            # Branch side of the hub's VPN2 tunnel, over this branch's ISP2 link (port3).
            set interface "port3"
            set ike-version 2
            set peertype any
            set net-device enable
            # Accept the tunnel address assigned by the hub (169.254.17.x range).
            set mode-cfg enable
            set proposal aes256-sha256
            # No routes are installed from the tunnel; BGP over the overlay provides them.
            set add-route disable
            # Identity this branch sends to the hub; use a distinct value on each branch.
            set localid "FGT-Branch1_ISP2"
            set idle-timeout enable
            # ADVPN: the branch accepts shortcut information from the hub.
            set auto-discovery-receiver enable
            # network-id 2 must match the hub's VPN2 tunnel.
            set network-overlay enable
            set network-id 2
            # Hub WAN address reached over ISP2 -- presumably the hub's port3 address; confirm.
            set remote-gw 192.168.101.2
            # Placeholder: must match the psksecret configured on the hub's VPN2 phase1.
            set psksecret <secret>
            # Branch-side DPD is more aggressive than the hub's (2 retries, 2 s apart).
            set dpd-retrycount 2
            set dpd-retryinterval 2
        next
    end
    config vpn ipsec phase2-interface
        edit "HUB1-VPN2"
            set phase1name "HUB1-VPN2"
            # Must agree with the hub's VPN2 phase2 proposal.
            set proposal aes256-sha256
            # The branch brings phase2 up on its own; the hub is a dial-up endpoint and
            # cannot initiate.
            set auto-negotiate enable
        next
    end
    
  3. Repeat the configuration on all of the other branches, using a localid that identifies each branch.