ADVPN with RIP as the routing protocol

This is a sample configuration of ADVPN with RIP as routing protocol. The following options must be enabled for this configuration:

• On the hub FortiGate, IPsec phase1-interface net-device disable must be run.

• RIP must be used between the hub and spoke FortiGates.

• split-horizon-status enable must be run on the hub FortiGate.

To configure ADVPN with RIP as the routing protocol using the CLI:

1. In the CLI, configure hub FortiGate's WAN, internal interface, and static route:

   config system interface
       edit "port9"
           set alias "WAN"
           set ip 22.1.1.1 255.255.255.0
       next
       edit "port10"
           set alias "Internal"
           set ip 172.16.101.1 255.255.255.0
       next
   end   
   config router static
       edit 1
           set gateway 22.1.1.2
           set device "port9"
       next  
   end

2. Configure the hub FortiGate:

   1. Configure the hub FortiGate IPsec phase1-interface and phase2-interface:

      config vpn ipsec phase1-interface
          edit "advpn-hub"
              set type dynamic
              set interface "port9"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
              set add-route disable
              set dpd on-idle
              set auto-discovery-sender enable
              set psksecret sample
              set dpd-retryinterval 5
          next
      end
      config vpn ipsec phase2-interface
          edit "advpn-hub"
              set phase1name "advpn-hub"
              set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
          next
      end

      When net-device is disabled, a tunnel ID is generated for each dynamic tunnel. This ID, in the form of an IP address, is used as the gateway in the route entry to that tunnel. The tunnel-search option is removed in FortiOS 7.0.0 and later.

   2. Configure the hub FortiGate firewall policy:

      config firewall policy
          edit 1
              set name "spoke2hub"
              set srcintf "advpn-hub"
              set dstintf "port10"
              set srcaddr "all"
              set dstaddr "172.16.101.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "spoke2spoke"
              set srcintf "advpn-hub"
              set dstintf "advpn-hub"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end   

   3. Configure the hub FortiGate's IPsec tunnel interface IP address:

      config system interface
          edit "advpn-hub1"
              set ip 10.10.10.254 255.255.255.255
              set remote-ip 10.10.10.253 255.255.255.0
          next
      end

   4. Configure the hub FortiGate's RIP:

      config router rip
          set default-information-originate enable
          config network
              edit 1
                  set prefix 10.10.10.0 255.255.255.0
              next
              edit 2
                  set prefix 172.16.101.0 255.255.255.0
              next
          end
          config interface
              edit "advpn-hub"
                  set split-horizon-status disable
              next
          end
      end

3. Configure the spoke FortiGates:

   1.  Configure the spoke FortiGates' WAN, internal interfaces, and static routes:

      1. Configure Spoke1:

         config system interface
             edit "wan1"
                 set alias "primary_WAN"
                 set ip 15.1.1.2 255.255.255.0
             next
             edit "wan2"
                 set alias "secondary_WAN"
                 set ip 12.1.1.2 255.255.255.0
             next
             edit "internal"
                 set ip 10.1.100.1 255.255.255.0
             next
         end 
         config router static
             edit 1
                 set gateway 12.1.1.1
                 set device "wan2"
                 set distance 15        
             next
             edit 2
                 set gateway 15.1.1.1
                 set device "wan1"
             next
         end   

      2. Configure the Spoke2:

         config system interface
             edit "wan1"
                 set alias "primary_WAN"
                 set ip 13.1.1.2 255.255.255.0
             next
             edit "wan2"
                 set alias "secondary_WAN"
                 set ip 17.1.1.2 255.255.255.0
             next
             edit "internal"
                 set ip 192.168.4.1 255.255.255.0
             next
         end 
         config router static
             edit 1
                 set gateway 17.1.1.1
                 set device "wan2"
                 set distance 15        
             next
             edit 2
                 set gateway 13.1.1.1
                 set device "wan1"
             next
         end     

   2. Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface:

      1. Configure Spoke1:

         config vpn ipsec phase1-interface
             edit "spoke1"
                 set interface "wan1"
                 set peertype any
                 set net-device enable
                 set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                 set add-route disable
                 set dpd on-idle
                 set auto-discovery-receiver enable
                 set remote-gw 22.1.1.1
                 set psksecret sample 
                 set dpd-retryinterval 5
             next
             edit "spoke1_backup"
                 set interface "wan2"
                 set peertype any
                 set net-device enable
                 set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                 set add-route disable
                 set dpd on-idle
                 set auto-discovery-receiver enable
                 set remote-gw 22.1.1.1
                 set monitor "spoke1"
                 set psksecret sample
                 set dpd-retryinterval 5
             next    
         end
         config vpn ipsec phase2-interface
             edit "spoke1"
                 set phase1name "spoke1"
                 set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                 set auto-negotiate enable
             next
             edit "spoke1_backup"
                 set phase1name "spoke1_backup"
                 set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                 set auto-negotiate enable
             next  
         end

      2. Configure Spoke2:

         config vpn ipsec phase1-interface
             edit "spoke2"
                 set interface "wan1"
                 set peertype any
                 set net-device enable
                 set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                 set add-route disable
                 set dpd on-idle
                 set auto-discovery-receiver enable
                 set remote-gw 22.1.1.1
                 set psksecret sample 
                 set dpd-retryinterval 5
             next
             edit "spoke2_backup"
                 set interface "wan2"
                 set peertype any
                 set net-device enable
                 set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                 set add-route disable
                 set dpd on-idle
                 set auto-discovery-receiver enable
                 set remote-gw 22.1.1.1
                 set monitor "spoke2"
                 set psksecret sample
                 set dpd-retryinterval 5
             next    
         end
         config vpn ipsec phase2-interface
             edit "spoke2"
                 set phase1name "spoke2"
                 set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                 set auto-negotiate enable
             next
             edit "spoke2_backup"
                 set phase1name "spoke2_backup"
                 set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                 set auto-negotiate enable
             next  
         end

   3. Configure the spoke FortiGates' firewall policies:

      1. Configure Spoke1:

         config firewall policy
             edit 1
                 set name "outbound_advpn"
                 set srcintf "internal"
                 set dstintf "spoke1" "spoke1_backup"
                 set srcaddr "all"
                 set dstaddr "all"
                 set action accept
                 set schedule "always"
                 set service "ALL"
             next
             edit 2
                 set name "inbound_advpn"
                 set srcintf "spoke1" "spoke1_backup"
                 set dstintf "internal"
                 set srcaddr "all"
                 set dstaddr "all"
                 set action accept
                 set schedule "always"
                 set service "ALL"
             next
         end

      2. Configure Spoke2:

         config firewall policy
             edit 1
                 set name "outbound_advpn"
                 set srcintf "internal"
                 set dstintf "spoke2" "spoke2_backup"
                 set srcaddr "all"
                 set dstaddr "all"
                 set action accept
                 set schedule "always"
                 set service "ALL"
             next
             edit 2
                 set name "inbound_advpn"
                 set srcintf "spoke2" "spoke2_backup"
                 set dstintf "internal"
                 set srcaddr "all"
                 set dstaddr "all"
                 set action accept
                 set schedule "always"
                 set service "ALL"
             next
         end

   4. Configure the spoke FortiGates' tunnel interface IP addresses:

      1. Configure Spoke1:

         config system interface
             edit "spoke1"
                 set ip 10.10.10.1 255.255.255.255
                 set remote-ip 10.10.10.254 255.255.255.0
             next
             edit "spoke1_backup"
                 set ip 10.10.10.2 255.255.255.255
                 set remote-ip 10.10.10.254 255.255.255.0
             next    
         end

      2. Configure Spoke2:

         config system interface
             edit "spoke2"
                 set ip 10.10.10.3 255.255.255.255
                 set remote-ip 10.10.10.254 255.255.255.0
             next
             edit "spoke2_backup"
                 set ip 10.10.10.4 255.255.255.255
                 set remote-ip 10.10.10.254 255.255.255.0
             next    
         end

   5. Configure the spoke FortiGates' RIP:

      1. Configure Spoke1:

         config router rip
             config network
                 edit 1
                     set prefix 10.10.10.0 255.255.255.0
                 next
                 edit 2
                     set prefix 10.1.100.0 255.255.255.0
                 next
             end
         end

      2. Configure Spoke2:

         config router rip
             config network
                 edit 1
                     set prefix 10.10.10.0 255.255.255.0
                 next
                 edit 2
                     set prefix 192.168.4.0 255.255.255.0
                 next
             end
         end

4. Run diagnose and get commands on Spoke1:

   1. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

      list all ipsec tunnel in vd 0
      ----
      name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
      bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1
      
      proxyid_num=1 child_num=1 refcnt=17 ilast=2 olast=2 ad=r/2
      stat: rxp=1 txp=87 rxb=200 txb=6208
      dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=1040
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=spoke1 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0
        SA:  ref=7 options=1a227 type=00 soft=0 mtu=1438 expire=1793/0B replaywin=1024
             seqno=57 esn=0 replaywin_lastseq=00000002 itn=0
        life: type=01 bytes=0/0 timeout=2370/2400
        dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14
             ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
        enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d
             ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
        dec:pkts/bytes=1/132, enc:pkts/bytes=86/11696
        npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
      ----
      name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
      bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=0
      
      proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0

   2. Run the get router info rip database command on Spoke1. The system should return the following:

      Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
             C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
      
         Network            Next Hop         Metric From            If     Time
      Rc 10.1.100.0/24                             1.                 internal
      Rc 10.10.10.2/32                               1.                 spoke1
      R  172.16.101.0/24    10.10.10.254             1. 10.10.10.254      spoke1 02:28
      R  192.168.4.0/24      10.10.10.254              1. 10.10.10.254       spoke1 02:44

   3. Run the get router info routing-table rip command on Spoke1. The system should return the following:

      Routing table for VRF=0
      R       172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:08:38
      R       192.168.4.0/24 [120/3] via 10.10.10.254, spoke1, 00:08:38

   4. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

      list all ipsec tunnel in vd 0
      ----
      name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
      bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1
      
      proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=3 ad=r/2
      stat: rxp=1 txp=78 rxb=200 txb=5546
      dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=1039
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0
        SA:  ref=7 options=1a227 type=00 soft=0 mtu=1438 expire=1807/0B replaywin=1024
             seqno=4e esn=0 replaywin_lastseq=00000002 itn=0
        life: type=01 bytes=0/0 timeout=2370/2400
        dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14
             ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
        enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d
             ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
        dec:pkts/bytes=1/132, enc:pkts/bytes=77/10456
        npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
      ----
      name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
      bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=0
      
      proxyid_num=1 child_num=0 refcnt=11 ilast=20 olast=20 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0
      ----
      name=spoke1_0 ver=1 serial=a 15.1.1.2:4500->13.1.1.2:4500
      bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc  accept_traffic=1
      
       parent=spoke1 index=0
      proxyid_num=1 child_num=0 refcnt=20 ilast=2 olast=0 ad=r/2
      stat: rxp=1 txp=7 rxb=112 txb=480
      dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=0
      natt: mode=keepalive draft=32 interval=10 remote_port=4500
      proxyid=spoke1 proto=0 sa=1 ref=8 serial=1 auto-negotiate adr
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0
        SA:  ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=2358/0B replaywin=1024
             seqno=8 esn=0 replaywin_lastseq=00000002 itn=0
        life: type=01 bytes=0/0 timeout=2367/2400
        dec: spi=c53a8f61 esp=aes key=16 c66aa7ae9657068108ed47c048ff56b6
             ah=sha1 key=20 60661c68e20bbc913c2564ade85e01ea3769e703
        enc: spi=79cb0f30 esp=aes key=16 bf6c898c2e1c64baaa679ed5d79c3b58
             ah=sha1 key=20 146ca78be6c34eedb9cd66cc328216e08682ecb1
        dec:pkts/bytes=1/46, enc:pkts/bytes=7/992
        npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=6 dec_npuid=1 enc_npuid=1

   5. Run the get router info routing-tale rip command. The system should return the following:

      Routing table for VRF=0
      R       172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:09:04
      R       192.168.4.0/24 [120/2] via 10.10.10.3, spoke1_0, 00:00:02