Configuring overlay (Edge)
This section leverages CLI Templates once again to define the IPsec tunnels that will function as our overlay. Four new Meta Fields are defined and used alongside two previously defined Meta Fields.
Following is a summary of the tasks required to configure the overlay:
- In Device Manager, create a new CLI template to configure IPsec tunnels. See Creating a CLI template.
- Add the template to a CLI template group. See Adding the template to a CLI template group.
- Define four new Meta Fields. See Defining Meta Fields.
Previously defined Meta Fields will be used in the CLI template as well.
Creating a CLI template
In this section, you'll create a CLI template called 01-Edge-Overlay in the Device Manager module. For more information on how to create CLI Templates, see the FortiManager Administration Guide > CLI Templates chapter.
This CLI template will configure static IPsec overlay tunnels that the Edge devices establish to the Hub, one over each of the underlay transports. Most of the parameters used in the Edge configuration must correspond to the Dial-Up IPsec endpoints that we have configured on the Hub. Pay attention to the following guidelines:
- Create a separate static IPsec tunnel to the Hub over each underlay transport
- Use IKEv2 with Mode Config, in order to automatically receive the tunnel IP addresses from the Hub
- Enable certificate-based authentication (use the “Edge” certificate, which matches the name of the Certificate Template created earlier)
- Disable the add-route feature, since routing will be handled by BGP
- Use net-device enable mode (this is the only mode supported for ADVPN shortcut monitoring)
- Enable ADVPN receiver with shortcuts set to dependent mode, which is the only mode supported together with IKEv2 Mode Config
- Enable the network-overlay feature and set the Network ID to match the one set on the Hub
- Set remote-gw to the Hub's underlay IP address on the corresponding transport
Following is the content of this CLI Template in our example topology; it follows all the above guidelines:
```
config vpn ipsec phase1-interface
    edit "H1_INET"
        set interface $(inet-intf)
        set ike-version 2
        set authmethod signature
        set keylife 28800
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set idle-timeout enable
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set network-id $(h1-inet-id)
        set remote-gw $(h1-inet-ip)
        set certificate "Edge"
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set dpd on-idle
    next
    edit "H1_MPLS"
        set interface $(mpls-intf)
        set ike-version 2
        set authmethod signature
        set keylife 28800
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set idle-timeout enable
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set network-id $(h1-mpls-id)
        set remote-gw $(h1-mpls-ip)
        set certificate "Edge"
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set dpd on-idle
    next
end
config vpn ipsec phase2-interface
    edit "H1_INET"
        set phase1name "H1_INET"
        set proposal aes256-sha256
        set keepalive enable
        set keylifeseconds 3600
    next
    edit "H1_MPLS"
        set phase1name "H1_MPLS"
        set proposal aes256-sha256
        set keepalive enable
        set keylifeseconds 3600
    next
end
config system interface
    edit "H1_INET"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set interface $(inet-intf)
    next
    edit "H1_MPLS"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set interface $(mpls-intf)
    next
end
```
The following Meta Fields are used:

| Meta Field | Description |
|---|---|
| inet-intf | Internet interface |
| mpls-intf | MPLS interface |
| h1-inet-id | Network ID for the Internet overlay, as defined on the Hub |
| h1-inet-ip | Underlay (WAN) IP of the Internet link on the Hub |
| h1-mpls-id | Network ID for the MPLS overlay, as defined on the Hub |
| h1-mpls-ip | Underlay (WAN) IP of the MPLS link on the Hub |

*You may have already created the inet-intf and mpls-intf Meta Fields. If this is the case, you do not need to create them again.

Note that the values of these Meta Fields will be identical for all Edge devices connecting to the same Hub. Hence, if the goal is to build just a single Hub-and-Spoke topology, there is no need to define these Meta Fields; the right values can simply be hard-coded into the CLI templates. However, we will guide you to build a more generic and reusable set of templates.
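As an added example (not part of this guide or of FortiManager's own code), the following Python renders a constructed fragment of such a template with per-device Meta Field values and then checks each phase1-interface entry against the guidelines listed above, which lets you catch a tunnel that lost a required setting, or a Meta Field left unresolved, before the template is installed. The sample template and the Hub IP values are constructed for the example.

```python
import re

# Constructed sample (not the page's template): a compliant H1_INET and a deviating H1_MPLS.
EDGE_TEMPLATE = """config vpn ipsec phase1-interface
    edit "H1_INET"
        set ike-version 2
        set authmethod signature
        set net-device enable
        set mode-cfg enable
        set add-route disable
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts dependent
        set network-overlay enable
        set remote-gw $(h1-inet-ip)
        set certificate "Edge"
    next
    edit "H1_MPLS"
        set ike-version 1
        set add-route enable
        set remote-gw $(h1-mpls-ip)
    next
end"""

# phase1 settings every Edge overlay tunnel must carry, per the guidelines in this section
REQUIRED = {"ike-version": "2", "authmethod": "signature", "certificate": '"Edge"', "mode-cfg": "enable",
            "net-device": "enable", "add-route": "disable", "network-overlay": "enable",
            "auto-discovery-receiver": "enable", "auto-discovery-shortcuts": "dependent"}

def render(template, meta):
    """Substitute $(name) Meta Field references; an undefined name raises KeyError."""
    return re.sub(r"\$\(([\w-]+)\)", lambda m: meta[m.group(1)], template)

def parse_phase1(config):
    """Map tunnel name -> {setting: value}, reading only the phase1-interface table."""
    table = config.split("config vpn ipsec phase1-interface", 1)[1].split("\nend", 1)[0]
    return {name: dict(re.findall(r"^\s*set (\S+) (.*)$", body, re.M))
            for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', table, re.S)}

def tunnel_issues(settings):
    """List guideline deviations for one parsed phase1 entry."""
    issues = [f"{k}: expected {v}, found {settings.get(k, 'unset')}"
              for k, v in REQUIRED.items() if settings.get(k) != v]
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", settings.get("remote-gw", "")):
        issues.append("remote-gw: not a resolved IPv4 address (Meta Field unresolved?)")
    return issues

def check_overlay(config):
    """Return {tunnel: [problems]} for phase1 entries that deviate from the guidelines."""
    return {n: i for n, s in parse_phase1(config).items() if (i := tunnel_issues(s))}
```

Running check_overlay on the raw template (before Meta Field substitution) flags every tunnel's remote-gw as unresolved, which is a quick way to confirm that a device has all required Meta Fields populated.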
To create a CLI template:
- In FortiManager, go to Device Manager > Provisioning Templates > CLI Template.
- From the Create New menu, select CLI Template, and create a new template called 01-Edge-Overlay.
You can also import a template from an external file by using the Import CLI Template button.
Adding the template to a CLI template group
In this section, you'll create a CLI Template Group called Edge-Template, and add the overlay CLI template to the CLI Template Group.
To add the template to the CLI template group:
- In FortiManager, go to Device Manager > Provisioning Templates > CLI Template.
- From the Create New menu, select CLI Template Group, and create a new CLI Template Group called Edge-Template.
- Add the 01-Edge-Overlay CLI template to the group.
Defining Meta Fields
To define Meta Fields:
- In FortiManager, go to System Settings > Advanced > Meta Fields.
- Click Create New in the toolbar.
The Create New Meta Fields pane is displayed.
- Create the following Meta Fields:
For all Meta Fields, set Object to Device, and set Importance to Optional.
| Meta Field | Description |
|---|---|
| inet-intf | Internet interface |
| mpls-intf | MPLS interface |
| h1-inet-id | Network ID for the Internet overlay, as defined on the Hub |
| h1-inet-ip | Underlay (WAN) IP of the Internet link on the Hub |
| h1-mpls-id | Network ID for the MPLS overlay, as defined on the Hub |
| h1-mpls-ip | Underlay (WAN) IP of the MPLS link on the Hub |