ADVPN with RIP as the routing protocol

This is a sample configuration of ADVPN with RIP as the routing protocol. The following options must be enabled for this configuration:

  • On the hub FortiGate, IPsec phase1-interface net-device disable must be run.

  • RIP must be used between the hub and spoke FortiGates.

  • split-horizon-status enable must be run on the hub FortiGate.

To configure ADVPN with RIP as the routing protocol using the CLI:
  1. In the CLI, configure the hub FortiGate's WAN interface, internal interface, and static route:

    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end

  2. Configure the hub FortiGate:

    1. Configure the hub FortiGate IPsec phase1-interface and phase2-interface:

      config vpn ipsec phase1-interface
          edit "advpn-hub"
              set type dynamic
              set interface "port9"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
              set add-route disable
              set dpd on-idle
              set auto-discovery-sender enable
              set psksecret sample
              set dpd-retryinterval 5
          next
      end
      config vpn ipsec phase2-interface
          edit "advpn-hub"
              set phase1name "advpn-hub"
              set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
          next
      end
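
An added check, not part of the original page or Fortinet's own tooling: this Python example parses FortiOS CLI text and audits dynamic (hub) phase1-interface entries for the net-device disable requirement stated above, for 3DES and SHA-1 proposals (deprecated algorithms that the sample proposal lists include), and for a placeholder psksecret such as the sample's. The function names, the placeholder list and the embedded sample input are assumptions constructed for illustration.

```python
import shlex

# Constructed sample: a subset of the hub phase1 settings shown above.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set psksecret sample
    next
end
"""
PLACEHOLDER_PSKS = {"sample", "test", "password", "changeme"}  # assumed list

def parse_entries(text, section):
    """Return {edit name: {setting: [values]}} for a top-level 'config <section>'."""
    entries, depth, wanted, current = {}, 0, False, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]  # blank lines match no keyword
        if tok[0] == "config":
            if depth == 0:
                wanted = " ".join(tok[1:]) == section
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif wanted and depth == 1:  # settings in nested config blocks are skipped
            if tok[0] == "edit":
                current = entries.setdefault(tok[1], {})
            elif tok[0] == "set" and current is not None:
                current[tok[1]] = tok[2:]
    return entries

def audit_hub_phase1(text):
    """Return (tunnel, finding) pairs for dynamic (hub) phase1 entries."""
    findings = []
    for name, s in parse_entries(text, "vpn ipsec phase1-interface").items():
        if s.get("type") != ["dynamic"]:
            continue  # only dial-up hub tunnels are audited
        if s.get("net-device") != ["disable"]:
            findings.append((name, "net-device not explicitly disabled"))
        weak = [p for p in s.get("proposal", [])
                if p.split("-")[0] in ("des", "3des") or p.split("-")[-1] in ("md5", "sha1")]
        if weak:
            findings.append((name, "legacy proposals: " + " ".join(weak)))
        if (s.get("psksecret") or [""])[0].lower() in PLACEHOLDER_PSKS:
            findings.append((name, "placeholder psksecret"))
    return findings
```

A configuration backup normally stores psksecret in encrypted form, so the placeholder check applies to hand-written or templated CLI text like the sample.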