ADVPN with OSPF as the routing protocol
This is a sample configuration of ADVPN with OSPF as the routing protocol. The following options must be enabled for this configuration:

- On the hub FortiGate, the IPsec phase1-interface must have net-device enable set.
- OSPF must be used between the hub and spoke FortiGates.
To configure ADVPN with OSPF as the routing protocol using the CLI:
- Configure the hub FortiGate's WAN interface, internal interface, and static route:

    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end
- Configure the hub FortiGate:

    - Configure the hub FortiGate's IPsec phase1-interface and phase2-interface:

        config vpn ipsec phase1-interface
            edit "advpn-hub"
                set type dynamic
                set interface "port9"
                set peertype any
                set net-device enable
                set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
                set add-route disable
                set dpd on-idle
                set auto-discovery-sender enable
                set psksecret sample
                set dpd-retryinterval 5
            next
        end
        config vpn ipsec phase2-interface
            edit "advpn-hub"
                set phase1name "advpn-hub"
                set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
            next
        end

      Note: When net-device is disabled, a tunnel ID is generated for each dynamic tunnel. This ID, in the form of an IP address, is used as the gateway in the route entry to that tunnel. The tunnel-search option is removed in FortiOS 7.0.0 and later.

      The proposal lists in this sample include 3DES and SHA-1, and the pre-shared key is the placeholder sample; both are for illustration only. In production, drop the 3des-* and *-sha1 proposals (keep aes128-sha256 and aes256-sha256 or stronger) and use a long, randomly generated psksecret.
    - Configure the hub FortiGate's firewall policies. The spoke2spoke policy is required because spoke-to-spoke traffic crosses the hub until the ADVPN shortcut is established:

        config firewall policy
            edit 1
                set name "spoke2hub"
                set srcintf "advpn-hub"
                set dstintf "port10"
                set srcaddr "all"
                set dstaddr "172.16.101.0"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 2
                set name "spoke2spoke"
                set srcintf "advpn-hub"
                set dstintf "advpn-hub"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end

      Both policies match any source, and spoke2spoke matches any destination and any service. Restrict srcaddr, dstaddr, and service to the spoke subnets and the protocols actually needed before deploying this beyond a lab.
    - Configure the hub FortiGate's IPsec tunnel interface IP address. The tunnel interface takes the name of the phase1-interface, advpn-hub:

        config system interface
            edit "advpn-hub"
                set ip 10.10.10.254 255.255.255.255
                set remote-ip 10.10.10.253 255.255.255.0
            next
        end
    - Configure the hub FortiGate's OSPF:

        config router ospf
            set router-id 1.1.1.1
            config area
                edit 0.0.0.0
                next
            end
            config network
                edit 1
                    set prefix 10.10.10.0 255.255.255.0
                next
                edit 2
                    set prefix 172.16.101.0 255.255.255.0
                next
            end
        end
- Configure the spoke FortiGates:

    - Configure the spoke FortiGates' WAN interfaces, internal interfaces, and static routes:

        - Configure Spoke1:

            config system interface
                edit "wan1"
                    set alias "primary_WAN"
                    set ip 15.1.1.2 255.255.255.0
                next
                edit "wan2"
                    set alias "secondary_WAN"
                    set ip 12.1.1.2 255.255.255.0
                next
                edit "internal"
                    set ip 10.1.100.1 255.255.255.0
                next
            end
            config router static
                edit 1
                    set gateway 12.1.1.1
                    set device "wan2"
                    set distance 15
                next
                edit 2
                    set gateway 15.1.1.1
                    set device "wan1"
                next
            end
        - Configure Spoke2:

            config system interface
                edit "wan1"
                    set alias "primary_WAN"
                    set ip 13.1.1.2 255.255.255.0
                next
                edit "wan2"
                    set alias "secondary_WAN"
                    set ip 17.1.1.2 255.255.255.0
                next
                edit "internal"
                    set ip 192.168.4.1 255.255.255.0
                next
            end
            config router static
                edit 1
                    set gateway 17.1.1.1
                    set device "wan2"
                    set distance 15
                next
                edit 2
                    set gateway 13.1.1.1
                    set device "wan1"
                next
            end
    - Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface. Each spoke has a primary tunnel on wan1 and a backup tunnel on wan2 that monitors the primary:

        - Configure Spoke1:

            config vpn ipsec phase1-interface
                edit "spoke1"
                    set interface "wan1"
                    set peertype any
                    set net-device enable
                    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                    set add-route disable
                    set dpd on-idle
                    set auto-discovery-receiver enable
                    set remote-gw 22.1.1.1
                    set psksecret sample
                    set dpd-retryinterval 5
                next
                edit "spoke1_backup"
                    set interface "wan2"
                    set peertype any
                    set net-device enable
                    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                    set add-route disable
                    set dpd on-idle
                    set auto-discovery-receiver enable
                    set remote-gw 22.1.1.1
                    set monitor "spoke1"
                    set psksecret sample
                    set dpd-retryinterval 5
                next
            end
            config vpn ipsec phase2-interface
                edit "spoke1"
                    set phase1name "spoke1"
                    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                    set auto-negotiate enable
                next
                edit "spoke1_backup"
                    set phase1name "spoke1_backup"
                    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                    set auto-negotiate enable
                next
            end
        - Configure Spoke2:

            config vpn ipsec phase1-interface
                edit "spoke2"
                    set interface "wan1"
                    set peertype any
                    set net-device enable
                    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                    set add-route disable
                    set dpd on-idle
                    set auto-discovery-receiver enable
                    set remote-gw 22.1.1.1
                    set psksecret sample
                    set dpd-retryinterval 5
                next
                edit "spoke2_backup"
                    set interface "wan2"
                    set peertype any
                    set net-device enable
                    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                    set add-route disable
                    set dpd on-idle
                    set auto-discovery-receiver enable
                    set remote-gw 22.1.1.1
                    set monitor "spoke2"
                    set psksecret sample
                    set dpd-retryinterval 5
                next
            end
            config vpn ipsec phase2-interface
                edit "spoke2"
                    set phase1name "spoke2"
                    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                    set auto-negotiate enable
                next
                edit "spoke2_backup"
                    set phase1name "spoke2_backup"
                    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                    set auto-negotiate enable
                next
            end
    - Configure the spoke FortiGates' firewall policies:

        - Configure Spoke1:

            config firewall policy
                edit 1
                    set name "outbound_advpn"
                    set srcintf "internal"
                    set dstintf "spoke1" "spoke1_backup"
                    set srcaddr "all"
                    set dstaddr "all"
                    set action accept
                    set schedule "always"
                    set service "ALL"
                next
                edit 2
                    set name "inbound_advpn"
                    set srcintf "spoke1" "spoke1_backup"
                    set dstintf "internal"
                    set srcaddr "all"
                    set dstaddr "all"
                    set action accept
                    set schedule "always"
                    set service "ALL"
                next
            end
        - Configure Spoke2:

            config firewall policy
                edit 1
                    set name "outbound_advpn"
                    set srcintf "internal"
                    set dstintf "spoke2" "spoke2_backup"
                    set srcaddr "all"
                    set dstaddr "all"
                    set action accept
                    set schedule "always"
                    set service "ALL"
                next
                edit 2
                    set name "inbound_advpn"
                    set srcintf "spoke2" "spoke2_backup"
                    set dstintf "internal"
                    set srcaddr "all"
                    set dstaddr "all"
                    set action accept
                    set schedule "always"
                    set service "ALL"
                next
            end
    - Configure the spoke FortiGates' tunnel interface IP addresses. Each tunnel interface gets a unique /32 in 10.10.10.0/24 with the hub's tunnel address as remote-ip:

        - Configure Spoke1:

            config system interface
                edit "spoke1"
                    set ip 10.10.10.1 255.255.255.255
                    set remote-ip 10.10.10.254 255.255.255.0
                next
                edit "spoke1_backup"
                    set ip 10.10.10.2 255.255.255.255
                    set remote-ip 10.10.10.254 255.255.255.0
                next
            end
        - Configure Spoke2:

            config system interface
                edit "spoke2"
                    set ip 10.10.10.3 255.255.255.255
                    set remote-ip 10.10.10.254 255.255.255.0
                next
                edit "spoke2_backup"
                    set ip 10.10.10.4 255.255.255.255
                    set remote-ip 10.10.10.254 255.255.255.0
                next
            end
    - Configure the spoke FortiGates' OSPF:

        - Configure Spoke1:

            config router ospf
                set router-id 7.7.7.7
                config area
                    edit 0.0.0.0
                    next
                end
                config network
                    edit 1
                        set prefix 10.10.10.0 255.255.255.0
                    next
                    edit 2
                        set prefix 10.1.100.0 255.255.255.0
                    next
                end
            end
        - Configure Spoke2:

            config router ospf
                set router-id 8.8.8.8
                config area
                    edit 0.0.0.0
                    next
                end
                config network
                    edit 1
                        set prefix 10.10.10.0 255.255.255.0
                    next
                    edit 2
                        set prefix 192.168.4.0 255.255.255.0
                    next
                end
            end
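Before pasting the phase1-interface blocks above into a hub or spoke, it is worth checking them mechanically for the settings this page requires (net-device enable, add-route disable, the correct auto-discovery role) and for the two weaknesses the sample carries for illustration only: 3DES/SHA-1 proposals and the placeholder PSK. The following is an added example, not Fortinet code; it parses the CLI text as it would be pasted or pulled from a `show` dump. The hardened block and its 32-character PSK are constructed placeholders for the comparison.

```python
"""Audit FortiOS 'config vpn ipsec phase1-interface' text for the ADVPN settings this
page requires and for weak crypto. Added example; it is not Fortinet code."""
import re

# Constructed input: the hub phase1-interface block from this page, as pasted from the CLI.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set psksecret sample
        set dpd-retryinterval 5
    next
end
"""

# Constructed hardened variant of the same block: legacy proposals removed, random-looking
# placeholder PSK of adequate length (replace with your own generated value).
HARDENED_CONFIG = """
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device enable
        set proposal aes256-sha256 aes128-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set psksecret Q7v2xLp9sT4mW8kR1nZ6bH3cJ5dF0gY2
        set dpd-retryinterval 5
    next
end
"""

WEAK_TOKENS = ("des", "md5", "sha1")   # "des" also catches "3des"
PLACEHOLDER_PSKS = {"sample", "password", "fortinet", "changeme"}


def parse_phase1(text):
    """Return {tunnel_name: {setting: [values]}} for each 'edit' in the block."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            tunnels[current][key] = rest.replace('"', "").split()
    return tunnels


def audit_phase1(text, role):
    """role is 'hub' or 'spoke'. Returns a sorted list of (tunnel, finding) tuples."""
    findings = []
    ad_key = "auto-discovery-sender" if role == "hub" else "auto-discovery-receiver"
    for name, s in parse_phase1(text).items():
        if s.get("net-device") != ["enable"]:
            findings.append((name, "net-device must be enable for ADVPN"))
        if s.get("add-route") != ["disable"]:
            findings.append((name, "add-route should be disable when OSPF carries the routes"))
        if s.get(ad_key) != ["enable"]:
            findings.append((name, f"{ad_key} must be enable"))
        for prop in s.get("proposal", []):
            enc, _, integ = prop.partition("-")    # e.g. "3des-sha1" -> ("3des", "sha1")
            if any(t in enc for t in WEAK_TOKENS) or integ in WEAK_TOKENS:
                findings.append((name, f"weak proposal {prop}"))
        # A 'show' dump prints psksecret as 'ENC <blob>', which cannot be assessed here;
        # audit the value you provisioned, not the encrypted form.
        psk = " ".join(s.get("psksecret", []))
        if psk.lower() in PLACEHOLDER_PSKS or len(psk) < 20:
            findings.append((name, "psksecret is a placeholder or short; use a long random PSK"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_phase1(cfg, "hub"))
```

Run it against the spoke blocks with role "spoke" to check that auto-discovery-receiver, not auto-discovery-sender, is set; the sample hub block produces four weak-proposal findings plus the PSK finding, and the hardened block produces none.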
- Run diagnose and get commands on Spoke1 to check the VPN and OSPF states:

    - Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

        list all ipsec tunnel in vd 0
        ----
        name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
        bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
        proxyid_num=1 child_num=1 refcnt=19 ilast=5 olast=2 ad=r/2
        stat: rxp=1 txp=263 rxb=16452 txb=32854
        dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2283
        natt: mode=none draft=0 interval=0 remote_port=0
        proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
          src: 0:0.0.0.0/0.0.0.0:0
          dst: 0:0.0.0.0/0.0.0.0:0
          SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=1057/0B replaywin=1024
               seqno=108 esn=0 replaywin_lastseq=00000003 itn=0
          life: type=01 bytes=0/0 timeout=2371/2400
          dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a
               ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1
          enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601
               ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b
          dec:pkts/bytes=1/16394, enc:pkts/bytes=263/50096
          npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
        ----
        name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
        bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
        proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
        stat: rxp=0 txp=0 rxb=0 txb=0
        dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0
        natt: mode=none draft=0 interval=0 remote_port=0
        proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
          src: 0:0.0.0.0/0.0.0.0:0
          dst: 0:0.0.0.0/0.0.0.0:0

      The primary tunnel spoke1 is up (sa=1, accept_traffic=1) and the backup tunnel spoke1_backup has no SA (sa=0), as expected while the monitored primary is healthy. Note that the dec: and enc: lines print the live ESP and authentication keys in clear; treat this output as sensitive and redact the key values before pasting it into a ticket or sharing it.
    - Run the get router info ospf neighbor command on Spoke1. The system should return the following:

        OSPF process 0, VRF 0:
        Neighbor ID     Pri   State     Dead Time   Address         Interface
        8.8.8.8           1   Full/ -   00:00:35    10.10.10.254    spoke1
        1.1.1.1           1   Full/ -   00:00:35    10.10.10.254    spoke1
    - Run the get router info routing-table ospf command on Spoke1. The system should return the following:

        Routing table for VRF=0
        O       172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:23:23
        O       192.168.4.0/24 [110/110] via 10.10.10.254, spoke1, 00:22:35

      Before any shortcut exists, the route to Spoke2's subnet 192.168.4.0/24 points at the hub (10.10.10.254) over spoke1.
- Generate traffic between the spokes, then check the shortcut tunnel and routing table:

    - Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

        list all ipsec tunnel in vd 0
        ----
        name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
        bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
        proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2
        stat: rxp=1 txp=313 rxb=16452 txb=35912
        dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2303
        natt: mode=none draft=0 interval=0 remote_port=0
        proxyid=spoke1 proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
          src: 0:0.0.0.0/0.0.0.0:0
          dst: 0:0.0.0.0/0.0.0.0:0
          SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=782/0B replaywin=1024
               seqno=13a esn=0 replaywin_lastseq=00000003 itn=0
          life: type=01 bytes=0/0 timeout=2371/2400
          dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a
               ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1
          enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601
               ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b
          dec:pkts/bytes=1/16394, enc:pkts/bytes=313/56432
          npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
        ----
        name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
        bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
        proxyid_num=1 child_num=0 refcnt=11 ilast=13 olast=13 ad=/0
        stat: rxp=0 txp=0 rxb=0 txb=0
        dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0
        natt: mode=none draft=0 interval=0 remote_port=0
        proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
          src: 0:0.0.0.0/0.0.0.0:0
          dst: 0:0.0.0.0/0.0.0.0:0
        ----
        name=spoke1_0 ver=1 serial=e 15.1.1.2:4500->13.1.1.2:4500
        bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
        parent=spoke1 index=0
        proxyid_num=1 child_num=0 refcnt=19 ilast=4 olast=2 ad=r/2
        stat: rxp=641 txp=1254 rxb=278648 txb=161536
        dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=184
        natt: mode=keepalive draft=32 interval=10 remote_port=4500
        proxyid=spoke1_backup proto=0 sa=1 ref=10 serial=1 auto-negotiate adr
          src: 0:0.0.0.0/0.0.0.0:0
          dst: 0:0.0.0.0/0.0.0.0:0
          SA:  ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=922/0B replaywin=1024
               seqno=452 esn=0 replaywin_lastseq=00000280 itn=0
          life: type=01 bytes=0/0 timeout=2370/2400
          dec: spi=c53a8f79 esp=aes key=16 324f8cf840ba6722cc7abbba46b34e0e
               ah=sha1 key=20 a40e9aac596b95c4cd83a7f6372916a5ef5aa505
          enc: spi=ef3327b5 esp=aes key=16 5909d6066b303de4520d2b5ae2db1b61
               ah=sha1 key=20 1a42f5625b5a335d8d5282fe83b5d6c6ff26b2a4
          dec:pkts/bytes=641/278568, enc:pkts/bytes=1254/178586
          npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=a dec_npuid=1 enc_npuid=1

      A new dynamic child tunnel, spoke1_0, has been created as a shortcut: it has mode=dial_inst, parent=spoke1, and its endpoints are Spoke1's WAN address 15.1.1.2 and Spoke2's WAN address 13.1.1.2 on UDP 4500 (NAT-T keepalive is active), bypassing the hub. The shortcut carries traffic (rxp and txp are non-zero) while the parent tunnel's counters barely change.
    - Run the get router info routing-table ospf command. The system should return the following:

        Routing table for VRF=0
        O       172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:27:14
        O       192.168.4.0/24 [110/110] via 10.10.10.3, spoke1_0, 00:26:26

      The route to Spoke2's subnet 192.168.4.0/24 now points at Spoke2's tunnel address 10.10.10.3 over the shortcut interface spoke1_0, while the hub's subnet 172.16.101.0/24 is still reached through spoke1.
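Reading the two diagnose vpn tunnel list outputs above by eye works for three tunnels; with dozens of spokes it does not. The following is an added example, not Fortinet code, that parses the command's output as captured from the CLI: it lists the ADVPN shortcuts (the dial_inst children with a parent), flags SAs negotiated with weak algorithms, and redacts the ESP and authentication key material the command prints so the output can be shared safely. The sample input is a constructed trim of the second Spoke1 output on this page; only the fields the parser reads are kept.

```python
"""Parse FortiGate 'diagnose vpn tunnel list' output: list ADVPN shortcuts, flag weak SA
algorithms and redact the SA keys. Added example for this page; it is not Fortinet code."""
import re

# Constructed sample trimmed from this page's second Spoke1 output (parent tunnel,
# idle backup tunnel and the spoke1_0 shortcut). Key values are the page's own.
SAMPLE_OUTPUT = """list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2303
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
  dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a
       ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1
  enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601
       ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b
  dec:pkts/bytes=1/16394, enc:pkts/bytes=313/56432
----
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=11 ilast=13 olast=13 ad=/0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
----
name=spoke1_0 ver=1 serial=e 15.1.1.2:4500->13.1.1.2:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=spoke1 index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=4 olast=2 ad=r/2
natt: mode=keepalive draft=32 interval=10 remote_port=4500
  dec: spi=c53a8f79 esp=aes key=16 324f8cf840ba6722cc7abbba46b34e0e
       ah=sha1 key=20 a40e9aac596b95c4cd83a7f6372916a5ef5aa505
  enc: spi=ef3327b5 esp=aes key=16 5909d6066b303de4520d2b5ae2db1b61
       ah=sha1 key=20 1a42f5625b5a335d8d5282fe83b5d6c6ff26b2a4
"""

SEPARATOR = re.compile(r"^-{4,}\s*$", re.M)
ENDPOINTS = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
# 'dec:'/'enc:' SA lines; the ah= part may sit on the continuation line, hence \s+.
SA_LINE = re.compile(r"^\s*(dec|enc): spi=(\w+) esp=(\S+)(?: key=\d+ \w+)?(?:\s+ah=(\S+))?", re.M)
KEY_MATERIAL = re.compile(r"(key=\d+) [0-9a-fA-F]+")

WEAK_ESP = {"des", "3des", "null"}
WEAK_AH = {"md5", "sha1", "null"}


def parse_tunnels(text):
    """Split the output on '----' separators and pull the fields we care about per tunnel."""
    tunnels = []
    for block in SEPARATOR.split(text):
        m = re.search(r"name=(\S+)", block)
        if not m:
            continue  # the 'list all ipsec tunnel in vd 0' header or an empty chunk
        t = {"name": m.group(1)}
        ep = ENDPOINTS.search(block)
        t["local"], t["remote"] = (ep.group(1), ep.group(3)) if ep else (None, None)
        mode = re.search(r"\bmode=(\w+)/\d", block)        # tunnel mode, not the dpd/natt mode
        t["mode"] = mode.group(1) if mode else None
        parent = re.search(r"parent=(\S+)", block)
        t["parent"] = parent.group(1) if parent else None
        acc = re.search(r"accept_traffic=(\d)", block)
        t["accept_traffic"] = bool(acc and acc.group(1) == "1")
        t["sas"] = [{"dir": d, "spi": spi, "esp": esp, "ah": ah}
                    for d, spi, esp, ah in SA_LINE.findall(block)]
        tunnels.append(t)
    return tunnels


def shortcuts(text):
    """ADVPN shortcuts are dynamically created children: mode=dial_inst with a parent tunnel."""
    return [(t["name"], t["parent"], t["remote"])
            for t in parse_tunnels(text) if t["mode"] == "dial_inst" and t["parent"]]


def weak_sas(text):
    """(tunnel, algorithm) pairs for SAs negotiated with a weak cipher or integrity algorithm."""
    found = set()
    for t in parse_tunnels(text):
        for sa in t["sas"]:
            if sa["esp"] in WEAK_ESP:
                found.add((t["name"], "esp=" + sa["esp"]))
            if sa["ah"] in WEAK_AH:
                found.add((t["name"], "ah=" + sa["ah"]))
    return sorted(found)


def redact_keys(text):
    """The dec:/enc: lines carry the live SA keys; strip them before the output leaves the box."""
    return KEY_MATERIAL.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    print("shortcuts:", shortcuts(SAMPLE_OUTPUT))
    print("weak SAs:", weak_sas(SAMPLE_OUTPUT))
    print(redact_keys(SAMPLE_OUTPUT))
```

On the sample, the only shortcut is spoke1_0 (parent spoke1, remote 13.1.1.2), and every SA on the page was negotiated with ah=sha1, which is why the proposal lists in the configuration section deserve trimming. SPIs are left in place by the redaction; they identify an SA but do not let anyone decrypt it.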