Results

Check the behavior of the configuration using CLI commands from Spoke A.

get router info routing-table bgp displays the routes learned from the topology. The recursive route is a result of the static route the spoke requires. In this case, there has been no traffic yet between our local subnet (192.168.2.0/24) and the other spoke's subnet, so both routes still go through the hub.

B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:30:21
B 192.168.3.0/24 [200/0] via 10.0.0.3 (recursive via 10.0.0.1), 22:30:21

When you initiate a ping between both spokes, the routing information changes: routing now goes through a newly established dynamic tunnel directly to the remote spoke rather than through the hub. The ping hiccup (the ICMP Destination Unreachable warning in the output below) is traffic being rerouted into the newly negotiated tunnel to the other spoke.

The routing information now shows the remote subnet as reachable through the spoke directly, over interface ADVPN_0, a dynamically instantiated interface leading to that spoke.

FG # execute ping-options source 192.168.2.1
FG # execute ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=38.3 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=32.6 ms
Warning: Got ICMP 3 (Destination Unreachable)
64 bytes from 192.168.3.1: icmp_seq=2 ttl=255 time=43.0 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=255 time=31.7 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=255 time=31.2 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 31.2/35.3/43.0 ms

FG # get router info routing-table bgp
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:34:13
B 192.168.3.0/24 [200/0] via 10.0.0.3, ADVPN_0, 00:02:28

The diagnose vpn tunnel list command gives more information. This example highlights the parts of the output that carry ADVPN-specific data: the auto-discovery flag (auto-discovery=2 on both tunnels) and the parent-child relationship of newly instantiated dynamic tunnel interfaces (parent=ADVPN and mode=dial_inst on ADVPN_0, child_num=1 on the parent ADVPN tunnel).

FG # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=604 auto-discovery=2
stat: rxp=7 txp=7 rxb=1064 txb=588
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=42680/0B replaywin=2048 seqno=8 esn=0
life: type=01 bytes=0/0 timeout=43152/43200
dec: spi=9a487db3 esp=aes key=16 55e53d9fbc8dbeaa6df1032fbc80c4f6
ah=sha1 key=20 a1470452c6a444f26a070add087f0d970c18e3a7
enc: spi=3c37fea7 esp=aes key=16 8fd62a6745a9ba4fda062d4504b76851
ah=sha1 key=20 44c606f1ef1bf5739ba62f6572031aa956974d0a
dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=1 refcnt=22 ilast=8 olast=8 auto-discovery=2
stat: rxp=3120 txp=3120 rxb=399536 txb=191970
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=4833/0B replaywin=2048 seqno=5ba esn=0
life: type=01 bytes=0/0 timeout=43148/43200
dec: spi=9a487db2 esp=aes key=16 4f70d27edad656cfcacbae61b23d4b11
ah=sha1 key=20 b19ea87c90dd92d1cab58cbf24ae8fe12ee927cb
enc: spi=b3dde355 esp=aes key=16 efbb4440df75018610b4ba8f5756167d
ah=sha1 key=20 81cc9cee3bee1c2dba0eb1e7ac66e9d34b67bde9
dec:pkts/bytes=1465/90152, enc:pkts/bytes=1465/187560
------------------------------------------------------
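Both checks above (the BGP table before and after the ping, and the tunnel list) can be read programmatically when verifying many spokes. The following is an added example, not part of the Fortinet cookbook or FortiOS itself: it parses constructed copies of the output shown above and reports whether a remote spoke subnet is still reached recursively through the hub or over a dynamic ADVPN_n shortcut (mode=dial_inst with a parent tunnel). All function names are the example's own.

```python
import re

# Constructed sample: the routing-table and tunnel-list output from the page above.
BGP_BEFORE = """\
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:30:21
B 192.168.3.0/24 [200/0] via 10.0.0.3 (recursive via 10.0.0.1), 22:30:21
"""
BGP_AFTER = """\
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:34:13
B 192.168.3.0/24 [200/0] via 10.0.0.3, ADVPN_0, 00:02:28
"""
TUNNEL_LIST = """\
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=604 auto-discovery=2
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=1 refcnt=22 ilast=8 olast=8 auto-discovery=2
"""

# Matches both forms: "via X, IFACE, UPTIME" and "via X (recursive via Y), UPTIME".
ROUTE_RE = re.compile(r"^B (?P<prefix>\S+) \[\d+/\d+\] via (?P<nexthop>\S+?)"
                      r"(?: \(recursive via (?P<via>\S+)\))?(?:, (?P<iface>\S+))?, \S+$")

def parse_bgp_routes(text):
    """prefix -> {nexthop, iface, recursive_via} from 'get router info routing-table bgp'."""
    routes = {}
    for m in filter(None, map(ROUTE_RE.match, text.splitlines())):
        routes[m["prefix"]] = {"nexthop": m["nexthop"], "iface": m["iface"], "recursive_via": m["via"]}
    return routes

def parse_tunnel_list(text):
    """tunnel name -> key/value fields from 'diagnose vpn tunnel list' (one block per tunnel)."""
    tunnels = {}
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        kv = dict(re.findall(r"([\w-]+)=(\S+)", block))
        if "name" in kv:
            tunnels[kv["name"]] = kv
    return tunnels

def classify_route(prefix, routes, tunnels):
    """Report whether a remote spoke subnet is reached through the hub or over an ADVPN shortcut."""
    r = routes[prefix]
    if r["recursive_via"]:
        return f"via hub {r['recursive_via']} (recursive, no shortcut yet)"
    t = tunnels.get(r["iface"], {})
    if t.get("mode", "").startswith("dial_inst") and "parent" in t:
        return f"shortcut over {r['iface']} (parent {t['parent']}, auto-discovery={t['auto-discovery']})"
    return f"direct over {r['iface']}"
```

Run against BGP_BEFORE the spoke subnet is reported as recursive via the hub; against BGP_AFTER it is reported as a shortcut over ADVPN_0 with parent ADVPN, which is exactly the transition the two routing-table dumps above show.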