Configuring the Hub FortiGate

  1. Using the CLI, configure phase 1 parameters.

    The auto-discovery commands control the ADVPN shortcut messages exchanged between hub and spokes. On the hub, auto-discovery-sender lets it send shortcut offers; the spokes enable the matching receiver setting. The hub decides when two spokes should establish a direct tunnel and tells them to do so.

    The example below uses des-sha1, DH group 2 and the pre-shared key "fortinet" for brevity. All three are weak: DES and 1024-bit DH are deprecated, and a dictionary-word PSK is shared by every spoke that matches this dynamic gateway, so one leaked or compromised spoke exposes the whole overlay. For production use an AES-based proposal (for example aes256-sha256), DH group 14 or higher, and a long randomly generated PSK, or certificate authentication.

    Note

    Aggressive mode is not supported for ADVPN in FortiOS 5.6; it is supported in 6.0.1 and later.

    config vpn ipsec phase1-interface
        edit "ADVPN"
            set type dynamic
            set interface "wan1"
            set proposal des-sha1
            set add-route disable
            set net-device enable
            set dhgrp 2
            set auto-discovery-sender enable
            set psksecret fortinet
        next
    end

  2. Configure the phase 2 parameters using a standard phase 2 configuration.

    config vpn ipsec phase2-interface
        edit "ADVPN-P2"
            set phase1name "ADVPN"
            set proposal des-sha1
        next
    end

  3. Configure the tunnel interface IP.

    ADVPN requires a tunnel IP on every participating device, and each address must be unique across hub and spokes. The CLI also requires a remote-ip on the hub's tunnel interface, so the hub sets a placeholder (10.10.10.254 in this example). No spoke may be assigned this address, and it plays no role in the hub's operation.

    config system interface
        edit "ADVPN"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.255
            set type tunnel
            set remote-ip 10.10.10.254
            set interface "wan1"
        next
    end

  4. Configure iBGP and route reflection.

    iBGP is the overlay routing protocol that carries the spoke prefixes ADVPN needs. This example uses an arbitrary private AS number (65000) and a neighbor-range instead of per-spoke neighbor entries: any peer whose tunnel address falls in 10.10.10.0/24 is accepted as a route-reflector client, so adding a spoke requires no change on the hub. The hub reflects routes between spokes and sets next-hop-self so spokes see the hub as the next hop until a shortcut replaces it.

    This example advertises the LAN network directly (the config network command). Another option is route redistribution. Once spokes are connected, get router info bgp summary on the hub should list each spoke as an established neighbor.

    config router bgp
        set as 65000
        set router-id 10.10.10.1
        config neighbor-group
            edit "ADVPN-PEERS"
                set remote-as 65000
                set route-reflector-client enable
                set next-hop-self enable
            next
        end
        config neighbor-range
            edit 0
                set prefix 10.10.10.0 255.255.255.0
                set neighbor-group "ADVPN-PEERS"
            next
        end
        config network
            edit 0
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end

  5. Configure firewall policies to allow traffic between the local network and the ADVPN topology. Spoke-to-spoke traffic initially transits the hub, entering and leaving on the ADVPN interface, so the hub also needs a policy from ADVPN to ADVPN; without it the hub drops that traffic and no shortcut is ever triggered. The example policies use all/all/ALL for brevity. In production, restrict srcaddr, dstaddr and service to the site prefixes and services the locations actually exchange; the ADVPN-to-ADVPN policy in particular governs every spoke-to-spoke flow and should not be any/any.

    config firewall policy
        edit 0
            set name "OUT ADVPN"
            set srcintf "lan"
            set dstintf "ADVPN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set status enable
        next
        edit 0
            set name "IN ADVPN"
            set srcintf "ADVPN"
            set dstintf "lan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set status enable
        next
        edit 0
            set name "ADVPNtoADVPN"
            set srcintf "ADVPN"
            set dstintf "ADVPN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set status enable
        next
    end
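The following is an added example, not part of this Fortinet page and not Fortinet code. It parses the config/edit/set/next/end CLI syntax used in the steps above and audits the hub settings for the problems a reviewer would look for: weak phase 1/2 proposals, a DH group below 14, a placeholder pre-shared key, and spoke tunnel addresses that fall outside the BGP neighbor-range or collide with the hub's tunnel IP or placeholder remote-ip. The sample configuration is the one from this page, trimmed to the attributes the checks read. The spoke tunnel IPs, the hardened phase 1 values, the 20-character PSK threshold and the list of placeholder secrets are assumptions made for the example.

```python
"""Audit a FortiOS ADVPN hub configuration before deployment. Added example,
not Fortinet code: it parses the config/edit/set/next/end CLI syntax used on
this page and runs the checks a reviewer would make on the hub settings."""
import ipaddress

# Constructed sample: the hub settings from this page, trimmed to the checked attributes.
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "ADVPN"
        set proposal des-sha1
        set dhgrp 2
        set psksecret fortinet
    next
end
config system interface
    edit "ADVPN"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254
    next
end
config router bgp
    config neighbor-range
        edit 0
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end
"""
# Hardened phase 1 for comparison; the values are assumed, not from the page.
HARDENED_PHASE1 = """
config vpn ipsec phase1-interface
    edit "ADVPN"
        set proposal aes256-sha256
        set dhgrp 14 19
        set psksecret Xk3v!Lq8#pT2zR7mWc9bHs4n
    next
end
"""
# Assumed spoke tunnel IPs; .254 collides with the placeholder on purpose.
SPOKE_TUNNEL_IPS = ["10.10.10.2", "10.10.10.3", "10.10.10.254"]
WEAK_ALGOS = {"des", "3des", "md5", "null"}
MIN_DHGRP = 14  # 2048-bit MODP; groups 1, 2 and 5 are too small today
PLACEHOLDER_PSKS = {"fortinet", "password", "changeme"}  # assumed list


def parse_fortios(text: str) -> dict:
    """Return {"table/entry[/subtable/entry]": {attr: value}}."""
    entries, stack = {}, []
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(rest)
        elif word == "edit":
            stack.append(rest.strip('"'))
        elif word in ("next", "end"):
            stack.pop()
        elif word == "set":
            key, _, value = rest.partition(" ")
            entries.setdefault("/".join(stack), {})[key] = value.replace('"', "")
    return entries


def check_crypto(entries: dict) -> list:
    """Weak proposal algorithms, small DH groups and placeholder PSKs."""
    out = []
    for path, a in entries.items():
        if not path.startswith("vpn ipsec phase"):
            continue
        for prop in a.get("proposal", "").split():
            weak = WEAK_ALGOS & set(prop.split("-"))
            if weak:
                out.append(f"{path}: proposal {prop} uses {sorted(weak)}")
        for grp in a.get("dhgrp", "").split():
            if int(grp) < MIN_DHGRP:
                out.append(f"{path}: dhgrp {grp} is below group {MIN_DHGRP}")
        psk = a.get("psksecret")
        if psk is not None and (psk.lower() in PLACEHOLDER_PSKS or len(psk) < 20):
            out.append(f"{path}: psksecret is a placeholder or shorter than 20 chars")
    return out


def check_topology(entries: dict, spoke_ips: list) -> list:
    """Spokes must be inside the neighbor-range, unique, and not reuse hub addresses."""
    tun = next(a for p, a in entries.items() if p.startswith("system interface/") and a.get("type") == "tunnel")
    rng = next(a for p, a in entries.items() if "/neighbor-range/" in p)
    net = ipaddress.ip_network("/".join(rng["prefix"].split()), strict=False)
    seen, out = {tun["ip"].split()[0], tun["remote-ip"]}, []
    for ip in spoke_ips:
        if ipaddress.ip_address(ip) not in net:
            out.append(f"spoke {ip} is outside neighbor-range {net}")
        if ip in seen:
            out.append(f"spoke {ip} reuses a hub address or another spoke's tunnel IP")
        seen.add(ip)
    return out


def audit_hub(config: str, spoke_ips: list) -> list:
    entries = parse_fortios(config)
    return check_crypto(entries) + check_topology(entries, spoke_ips)
```

Running audit_hub(HUB_CONFIG, SPOKE_TUNNEL_IPS) reports four findings for the page's settings (the DES proposal, DH group 2, the placeholder PSK, and the spoke that reuses 10.10.10.254), while check_crypto on HARDENED_PHASE1 returns nothing. The parser keys entries by their config path, so the same checks run unchanged on a full backup taken with show from a real hub.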
