Fortigate SD-WAN ADVPN Lab Part 2

In the previous post, I built a basic network setup on a Fortinet FortiGate firewall: dropped the WAN links into the SD-WAN virtual interface, set up the firewall policy to allow the internal network to reach the public internet using the SD-WAN interface as the outbound interface, and tested that the internet was reachable.

In this post, I will build the next phase, which is to form VPN tunnels between the hub and spoke sites using ADVPN. Auto-discovery VPN (ADVPN) reminds me of Cisco's DMVPN, except that ADVPN is a combination of IKE + IPsec while DMVPN is mGRE + IPsec; the behaviour is the same. You enjoy the simplicity of setting up a hub-and-spoke topology with the efficiency of a full mesh, without its overhead. The tunnel between the hub and a spoke is called the parent tunnel and is the initial build. It uses BGP on the backend to learn routes. Spoke-to-spoke traffic initially goes through the hub, but once traffic is established a shortcut tunnel is created directly between the spokes. By default shortcuts are not torn down even if a spoke loses its tunnel with the hub, but an idle time can be set manually to remove the shortcut tunnel if no traffic passes for a given period.

Please note that some screenshots are just samples and values may not match the topology I'm building.

Hub Site

Firstly, we’ll build the VPN on the hub site. Go to VPN > IPsec Wizard > give it a name > choose Hub-and-Spoke > choose Hub as role > click Next.

On the next page, choose WAN port1 under Incoming Interface > enter a Pre-shared key > click Next.

On the next page, enter the Tunnel IP. As the hub site, I've allocated the 10.10.10.0/24 network as the overlay ADVPN WAN network and assigned 10.10.10.1 as the Tunnel IP and 10.10.10.2/24 in the Remote IP/network section. Click Next.

In the Policy and Routing section, leave the Local AS value as is. Choose your LAN interface as the local interface and it will automatically list the LAN subnet under Local subnets. Leave the Spoke #1 tunnel IP the same as the Remote IP from the previous page. Click Next.

The Review Settings page basically just asks you to review your configuration prior to clicking Create.

Once the hub ADVPN is set up, you can leverage the Spoke Easy Configuration by copying the string under the Spoke# section and applying it at the spoke to preconfigure the tunnel.

Spoke sites

Perform the same steps at the spoke site using the IPsec Wizard, choosing Spoke as the Role.

Paste the easy configuration key in the text box and click Apply. This will pre-populate most of the configuration needed to complete the parent tunnel. Choose the WAN interface and enter the pre-shared key.

Leave the Tunnel IP and Remote IP/network as pre-populated by the easy spoke configuration key.

Leave the Local AS, then choose the LAN interface and add it to the Local interface section, which should pre-populate the Local subnets. Leave the Hub tunnel IP as pre-populated.

Once you get to the summary page, review the Object Summary section and click Create. Everything should get a green check; otherwise you need to check the section where there's a conflict.

Verify the VPN is up via the GUI by going to VPN > IPsec Tunnels.

If you double click on the tunnel, it leads you to another page where you can see Incoming and Outgoing data.

Execute a ping from the spoke to a device on the LAN side of the hub to verify reachability.

If you add another spoke site, run an ICMP test between the spokes.

Run a traceroute to verify that the shortcut tunnel has been created and no extra hop is added for site-to-site communication.

To verify the BGP routing table you can run the following command:

As part of troubleshooting, if your tunnel is up but your ICMP test is not working, check whether you are getting hits on the firewall policy for the ADVPN tunnel.
