Enabling ADVPN and adding overlay IDs

After creating VPN communities and gateways, you must also:

  • Enable ADVPN
  • Configure tunnel interface IP addresses

You must enable ADVPN on both hubs and on both spokes.

Tunnel interface IP addresses, however, are configured on the hub devices only. Because IKE Config Mode is enabled, each hub assigns tunnel IP addresses to the spokes that connect to it.

Each hub requires its own network overlay ID, and the two hubs must not share one (see the note below).

You must use the CLI to enable ADVPN; it cannot be enabled from the GUI.

Note

Two IPsec tunnels cannot be established between the same pair of FortiGate IP addresses unless their network overlay IDs differ. In this design, that situation arises when the DC1 hub triggers a shortcut between two spokes and traffic then fails over to the DC2 hub, which triggers a second shortcut between the same two spokes. The second shortcut fails to establish as long as the first one is still up. To avoid this, the IPsec tunnels toward each hub must use different network overlay IDs.

Because enabling ADVPN and setting the tunnel interface IP addresses are CLI-only tasks, this example uses FortiManager CLI script templates to push these settings. The scripts allow only ping on the tunnel interfaces: that is what shortcut monitoring and SD-WAN health checks need, and no other administrative access should be opened on the overlays.

To create a CLI script template for hubs:
  1. Go to Device Manager > Provisioning Templates > CLI Template.
  2. Click Create New > CLI Template.
  3. In the Template Name box, type Hub-Overlay.
  4. In the script details box, copy and paste the following commands, and click OK to create the CLI script.

# Configure tunnel interface IPs
# $(dc-id) is a FortiManager meta field: 1 on the DC1 hub, 2 on the DC2 hub.
# The hub address is a /32; remote-ip carries the /24 from which IKE Config Mode
# assigns spoke addresses.
config system interface
    edit "OL_INET_0"
        set ip 10.200.1$(dc-id).10 255.255.255.255
        set remote-ip 10.200.1$(dc-id).254 255.255.255.0
        set allowaccess ping
    next
    edit "OL_MPLS_0"
        set ip 10.200.2$(dc-id).10 255.255.255.255
        set remote-ip 10.200.2$(dc-id).254 255.255.255.0
        set allowaccess ping
    next
end

# Enable ADVPN
# The hub is the shortcut sender. network-id becomes 11/21 on DC1 and 12/22 on DC2,
# so the two hubs never share an overlay ID.
config vpn ipsec phase1-interface
    edit "OL_INET_0"
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1$(dc-id)
    next
    edit "OL_MPLS_0"
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2$(dc-id)
    next
end

To create a CLI script template for spokes:
  1. Go to Device Manager > Provisioning Templates > CLI Template.
  2. Click Create New > CLI Template.
  3. In the Template Name box, type Spoke-Overlay.
  4. In the script details box, copy and paste the following commands, and click OK to create the CLI script.

# Enable ADVPN
# Spokes are shortcut receivers. Each overlay's network-id must match the ID the
# corresponding hub uses (OL_INET_11 -> DC1 over Internet, OL_INET_12 -> DC2, and
# so on). idle-timeoutinterval is in minutes: a shortcut with no traffic for
# 5 minutes is torn down.
config vpn ipsec phase1-interface
    edit "OL_INET_11"
        set auto-discovery-receiver enable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set network-overlay enable
        set network-id 11
    next
    edit "OL_INET_12"
        set auto-discovery-receiver enable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set network-overlay enable
        set network-id 12
    next
    edit "OL_MPLS_21"
        set auto-discovery-receiver enable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set network-overlay enable
        set network-id 21
    next
    edit "OL_MPLS_22"
        set auto-discovery-receiver enable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set network-overlay enable
        set network-id 22
    next
end

# Allow shortcut monitoring (ping)
config system interface
    edit "OL_INET_11"
        set allowaccess ping
    next
    edit "OL_INET_12"
        set allowaccess ping
    next
    edit "OL_MPLS_21"
        set allowaccess ping
    next
    edit "OL_MPLS_22"
        set allowaccess ping
    next
end
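The overlay-ID rule in the note above is easy to break silently: a wrong dc-id meta field value on one hub, or a spoke overlay whose network-id matches no hub, only shows up later as a shortcut that never comes up. The following is an added example, not Fortinet or FortiManager code, of a pre-install check you can run against the two templates before assigning them. It renders the Hub-Overlay template once per hub with that hub's $(dc-id) value (the meta field name and the values 1 and 2 are taken from the templates on this page; the hub labels DC1 and DC2 are assumptions), parses the resulting FortiOS phase1-interface blocks together with the Spoke-Overlay template, and reports any hub overlay IDs that collide and any spoke overlay ID that no hub advertises. The copies of the two templates inside the script are constructed from this page.

```python
"""Pre-install check for the ADVPN network overlay ID rule.

Added example, not Fortinet code. It expands the Hub-Overlay template for each
hub's $(dc-id) value, parses the phase1-interface blocks of the hub and spoke
templates, and verifies that no two hubs share a network-id and that every
spoke overlay points at an ID some hub actually advertises.
"""
import re

# Constructed copies of the phase1-interface parts of the two templates.
HUB_TEMPLATE = """
config vpn ipsec phase1-interface
    edit "OL_INET_0"
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1$(dc-id)
    next
    edit "OL_MPLS_0"
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2$(dc-id)
    next
end
"""

SPOKE_TEMPLATE = """
config vpn ipsec phase1-interface
    edit "OL_INET_11"
        set auto-discovery-receiver enable
        set idle-timeout enable
        set idle-timeoutinterval 5
        set network-overlay enable
        set network-id 11
    next
    edit "OL_INET_12"
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 12
    next
    edit "OL_MPLS_21"
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 21
    next
    edit "OL_MPLS_22"
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 22
    next
end
"""


def render(template, meta):
    """Substitute FortiManager-style $(name) meta fields; fail on unknown names."""
    def sub(match):
        name = match.group(1)
        if name not in meta:
            raise KeyError(f"meta field $({name}) has no value")
        return str(meta[name])
    return re.sub(r"\$\(([\w-]+)\)", sub, template)


def parse_phase1(config_text):
    """Return {interface: {setting: value}} for each phase1-interface entry."""
    entries, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1-interface"):
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value
    return entries


def overlay_ids(entries, role):
    """Map interface -> network-id, insisting on the ADVPN role the page assigns."""
    flag = "auto-discovery-sender" if role == "hub" else "auto-discovery-receiver"
    ids = {}
    for name, settings in entries.items():
        if settings.get("network-overlay") != "enable":
            raise ValueError(f"{name}: network-overlay is not enabled")
        if settings.get(flag) != "enable":
            raise ValueError(f"{name}: {flag} is not enabled on a {role}")
        ids[name] = int(settings["network-id"])
    return ids


def check_overlays(hub_metas, hub_template=HUB_TEMPLATE, spoke_template=SPOKE_TEMPLATE):
    """Return a list of problems; an empty list means the templates are consistent."""
    problems, seen = [], {}  # seen: network-id -> (hub label, interface)
    for label, meta in hub_metas.items():
        rendered = parse_phase1(render(hub_template, meta))
        for iface, nid in overlay_ids(rendered, "hub").items():
            if nid in seen:
                other = "/".join(seen[nid])
                problems.append(f"network-id {nid} used by {label}/{iface} and {other}")
            seen[nid] = (label, iface)
    for iface, nid in overlay_ids(parse_phase1(spoke_template), "spoke").items():
        if nid not in seen:
            problems.append(f"spoke {iface} uses network-id {nid}, which no hub advertises")
    return problems


if __name__ == "__main__":
    # Assumed hub labels; dc-id values 1 and 2 follow from the spoke IDs 11/12/21/22.
    for line in check_overlays({"DC1": {"dc-id": 1}, "DC2": {"dc-id": 2}}) or ["overlay IDs OK"]:
        print(line)
```

With dc-id set to 1 on DC1 and 2 on DC2 the check passes. If both hubs were given dc-id 1, the script reports the collisions on IDs 11 and 21 and the orphaned spoke IDs 12 and 22, which is exactly the failover case the note describes: the second hub's shortcut would fail to establish while the first is still up.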

To create CLI template groups:
  1. Go to Device Manager > Provisioning Templates > CLI Template.
  2. Click Create New > CLI Template Group.
  3. In the Template Group Name box, type Hub-Template.
  4. Beside Members, click Add (+), select Hub-Overlay, and click OK.
  5. Click OK to create the CLI Template Group named Hub-Template.
  6. Repeat this procedure to create a CLI Template Group named Spoke-Template and select the script named Spoke-Overlay.

The following example shows the CLI scripts and CLI template groups.

To assign CLI template groups to devices:
  1. Go to Device Manager > Provisioning Templates > CLI Template.
  2. Select the template group, and click Assign to Device. The Assign to Device dialog box is displayed.
  3. In the Available Entries list, select one or more devices, and click the right arrow (>) to move the devices to the Selected Entries list.
  4. Click OK. The template group is assigned to the devices in the Selected Entries list.

To install the CLI templates to assigned devices:
  1. Go to Device Manager > Device & Groups.
  2. In the tree menu, select the group. The devices in the group are displayed in the content pane.
  3. Select the devices, and from the Install menu, select Quick Install (Device DB). A confirmation dialog box is displayed.
  4. Click OK to install the CLI templates.
  5. Repeat this procedure for the other device group.
