Fortinet Auto Discovery VPN (ADVPN)
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
ADVPN (Auto Discovery VPN)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hub and Spokes Lab
Hub HQ-FW ADVPN
FG1 (phase1-interface) # show
# Hub (FG1) dial-up IKEv2 phase1: every spoke terminates on this one definition.
config vpn ipsec phase1-interface
    edit "advpn"
        # dial-up server: no remote-gw, the hub accepts IKE from any source address
        set type dynamic
        set interface "port1"
        set ike-version 2
        # NOTE(review): no peer-ID / certificate check - anything that holds the PSK can bring a tunnel up
        set peertype any
        # one shared tunnel interface for all spokes; per-spoke instances appear as advpn_0, advpn_1 in
        # 'diagnose vpn tunnel list' (see the Test section below)
        set net-device disable
        # hands this side's tunnel IP (172.16.1.1) to the spoke over IKE so it can aim its BGP neighbor at it
        set exchange-interface-ip enable
        # WARNING: DES (56-bit) + MD5 are broken - lab-only. Use e.g. aes256-sha256 (or an AES-GCM
        # proposal) in production; the phase2 proposal and the spokes must be changed to match
        set proposal des-md5
        # routes come from BGP, not from IKE
        set add-route disable
        set dpd on-idle
        # DH group 5 (1536-bit MODP) is below current guidance; prefer group 14 or higher, or an ECP group
        set dhgrp 5
        # acceptable only while no spoke sits behind NAT
        set nattraversal disable
        # one PSK shared by every spoke (the spokes below use "test123"): a compromised spoke can
        # impersonate any other spoke. NOTE(review): an ENC blob copied out of a config export is still a
        # secret - treat it as disclosed and rotate it
        set psksecret ENC B/pEFEWBOx+7kiBULl3LEv5G1bhEkrGdwUKB9Qr5zpdijNqqmVjD5xmemVIVaDtosb6EamH4/pbE9dfXo=
        set dpd-retryinterval 60
    next
end
FG1 (phase2-interface) # show
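# Hub phase2 (child SA) for the dial-up tunnel.
# Fix: the listing closed with "End" - FortiOS CLI keywords are lower-case ("end").
# No selectors are set, so the child SA is 0.0.0.0/0 <-> 0.0.0.0/0 (visible as src/dst in the diagnose output).
config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        # WARNING: DES/MD5 - lab-only, same caveat as phase1
        set proposal des-md5
        # without PFS the child-SA keys are derived from the IKE SA key material; enable it (with a
        # strong dhgrp) in production
        set pfs disable
    next
end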
FG1 (advpn) # show
# Hub tunnel interface bound to phase1 "advpn". The /32 local IP plus a /24 remote-ip is what turns
# 172.16.1.0/24 into a connected route on advpn (see 'diagnose ip address list' in the Test section),
# which the BGP neighbor-range below relies on.
config system interface
    edit "advpn"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.255
        # only ICMP is exposed on the tunnel side - keep management access (https/ssh/snmp) off it
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.254 255.255.255.0
        set snmp-index 9
        set interface "port1"
    next
end
Hub HQ-FW BGP
FG1 (bgp) # show
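# Hub iBGP: acts as route reflector so each spoke's prefix is re-advertised to every other spoke.
# Fix: the outer "end" that closes 'config router bgp' was missing from the listing.
config router bgp
    set as 65000
    set router-id 10.0.1.254
    # allow more than one iBGP path to the same prefix
    set ibgp-multipath enable
    config neighbor-group
        edit "advpn-peers"
            set interface "advpn"
            set remote-as 65000
            set update-source "advpn"
            # reflect spoke routes between spokes
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            # any source in the tunnel subnet is accepted as a dynamic iBGP peer.
            # NOTE(review): no 'set password' (TCP-MD5) and no inbound prefix-list / route-map are
            # shown, so a rogue or compromised spoke could announce any prefix - including HQ's
            # 10.0.1.0/24 or a more specific - and have it reflected to every other site
            set prefix 172.16.1.0 255.255.255.0
            set neighbor-group "advpn-peers"
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0 255.255.255.0
        next
    end
end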
Hub HQ-FW LAN to VPN Policy
FG1 (policy) # show
# Hub policies. All three are any/any/ALL - they establish reachability only, not segmentation.
# NOTE(review): in production restrict srcaddr/dstaddr to the 10.0.x.0/24 site prefixes and
# service to what is actually needed; no security profiles are applied here.
config firewall policy
    edit 1
        set name "LAN-to-VPN"
        set srcintf "port3"
        set dstintf "advpn"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "VPN-to-LAN"
        set srcintf "advpn"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # hairpin policy: spoke-to-spoke traffic enters and leaves on the same tunnel interface.
    # This is what makes the DC<->Branch traces below transit the hub (hop 172.16.1.1); it also means
    # every spoke can reach every other spoke without restriction.
    edit 3
        set name "VPN-to-VPN"
        set srcintf "advpn"
        set dstintf "advpn"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
DC FW default route
ADVPN
FTG2 (phase1-interface) # show
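# DC spoke (FTG2) phase1 towards the hub.
# Fix: the closing "end" was missing from the listing.
config vpn ipsec phase1-interface
    edit "advpn"
        set interface "port1"
        set ike-version 2
        # NOTE(review): the spoke does not verify the hub's identity beyond the shared PSK
        set peertype any
        # differs from the hub (disable) and from the DC config in the SD-WAN lab (disable) -
        # presumably intentional, confirm which is wanted
        set net-device enable
        # learn the hub tunnel IP (172.16.1.1) over IKE
        set exchange-interface-ip enable
        # WARNING: DES/MD5 - lab-only, must match the hub proposal
        set proposal des-md5
        set dpd on-idle
        # DH group 5 is weak; prefer 14+ / ECP, must match the hub
        set dhgrp 5
        set nattraversal disable
        # hub's static address; the spoke initiates
        set remote-gw 192.168.1.1
        # NOTE(review): PSK in clear text and identical on every site - replace and rotate before reuse,
        # or move to certificate authentication
        set psksecret test123
    next
end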
FTG2 (phase2-interface) # show
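# DC spoke phase2.
# Fix: the listing closed with "End" - FortiOS CLI keywords are lower-case ("end").
config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        # no PFS: enable with a strong dhgrp in production
        set pfs disable
        # bring the child SA up without waiting for traffic, so the BGP session can form
        set auto-negotiate enable
    next
end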
DC-FW Tunnel Interface Configuration
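# DC spoke tunnel interface: 172.16.1.2/32 with the hub's 172.16.1.1 as remote-ip on a /24.
# Fix: the closing "end" was missing from the listing.
config system interface
    edit "advpn"
        set vdom "root"
        set ip 172.16.1.2 255.255.255.255
        # only ICMP on the tunnel side; keep management access off it
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.1 255.255.255.0
        set snmp-index 9
        set interface "port1"
    next
end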
DC-FW BGP
FTG2 (bgp) # show
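# DC spoke iBGP: single static neighbor at the hub's tunnel IP.
# Fix: the outer "end" that closes 'config router bgp' was missing from the listing.
config router bgp
    set as 65000
    set router-id 10.0.2.254
    set ibgp-multipath enable
    config neighbor
        # hub tunnel address (see the hub's 'set ip 172.16.1.1' above).
        # NOTE(review): no 'set password' - the session is unauthenticated beyond being inside the tunnel
        edit "172.16.1.1"
            set interface "advpn"
            set remote-as 65000
            set update-source "advpn"
        next
    end
    config network
        edit 1
            set prefix 10.0.2.0 255.255.255.0
        next
    end
end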
DC firewall policy
FTG2 (policy) # show
# DC spoke policies: LAN (port3) <-> tunnel, any/any/ALL in both directions.
# NOTE(review): once ADVPN shortcuts are enabled (next lab) spoke-to-spoke traffic no longer passes
# the hub's policy, so any filtering has to live here on the spoke.
config firewall policy
    edit 1
        set name "LAN-to-VPN"
        set srcintf "port3"
        set dstintf "advpn"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "VPN-to-LAN"
        set srcintf "advpn"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Branch-FW default Route
Branch-FW (FGT3) VPN
FGT3 (advpn) # show
# Branch spoke (FGT3) phase1.
# NOTE(review): this listing has 'set type dynamic' and no 'set remote-gw', i.e. the shape of the
# hub's phase1, not of a spoke that dials in. The diagnose output below shows the branch
# (192.168.5.1) did connect as a dial-up instance, so this is probably a copy of the hub config
# pasted by mistake - compare with the DC spoke above (remote-gw 192.168.1.1) and confirm.
config vpn ipsec phase1-interface
    edit "advpn"
        set type dynamic
        # branch WAN is port2 (LAN is port1, see the branch policies below)
        set interface "port2"
        set ike-version 2
        # no peer-ID check
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        # DH group 5 is weak; prefer 14+ / ECP
        set dhgrp 5
        set nattraversal disable
        # NOTE(review): clear-text PSK, identical on every site - rotate before reuse
        set psksecret test123
        set dpd-retryinterval 60
    next
end
FGT3 (advpn) # show
# Branch spoke phase2 (no auto-negotiate here, unlike the DC spoke - confirm whether that is intended).
config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        # no PFS: enable with a strong dhgrp in production
        set pfs disable
    next
end
FGT3 (advpn) # show
# Branch spoke tunnel interface: 172.16.1.3/32, hub 172.16.1.1 as remote-ip on a /24.
config system interface
    edit "advpn"
        set vdom "root"
        set ip 172.16.1.3 255.255.255.255
        # only ICMP on the tunnel side; keep management access off it
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.1 255.255.255.0
        set snmp-index 9
        set interface "port2"
    next
end
Branch-FW (FGT3) BGP
FGT3 (bgp) # show
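# Branch spoke iBGP: single static neighbor at the hub's tunnel IP.
# Fix: the outer "end" that closes 'config router bgp' was missing from the listing.
config router bgp
    set as 65000
    set router-id 10.0.3.254
    set ibgp-multipath enable
    config neighbor
        # NOTE(review): no 'set password' - session relies solely on the tunnel for protection
        edit "172.16.1.1"
            set interface "advpn"
            set remote-as 65000
            set update-source "advpn"
        next
    end
    config network
        edit 1
            set prefix 10.0.3.0 255.255.255.0
        next
    end
end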
Branch-FW (FGT3) firewall Policy
FGT3 (policy) # show
# Branch spoke policies: LAN is port1 on this device (WAN is port2), any/any/ALL both ways.
# NOTE(review): tighten addresses/services in production; with shortcuts enabled the hub no longer
# sees spoke-to-spoke traffic, so this is the only enforcement point.
config firewall policy
    edit 2
        set name "LAN-to-VPN"
        set srcintf "port1"
        set dstintf "advpn"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "VPN-to-LAN"
        set srcintf "advpn"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Test:
Two dialup VPN connections
Two BGP neighbours in Established state
DC PC trace
VPCS> trace 10.0.3.1
trace to 10.0.3.1, 8 hops max, press Ctrl+C to stop
1 10.0.2.254 0.341 ms 0.178 ms 0.170 ms
2 172.16.1.1 1.664 ms 2.089 ms 1.582 ms <-------HQ FW
3 172.16.1.3 4.058 ms 2.169 ms 3.000 ms <-------Branch FW
4 *10.0.3.1 2.711 ms (ICMP type:3, code:3, Destination port unreachable)
Branch PC trace
VPCS> trace 10.0.2.1
trace to 10.0.2.1, 8 hops max, press Ctrl+C to stop
1 10.0.3.254 0.364 ms 0.240 ms 0.235 ms
2 172.16.1.1 4.378 ms 3.449 ms 3.498 ms <-------HQ FW
3 172.16.1.2 2.549 ms 2.859 ms 2.880 ms <-------DC FW
4 *10.0.2.1 5.542 ms (ICMP type:3, code:3, Destination port unreachable)
FG1 # diagnose vpn tunnel list   (note: this command prints the live ESP/AH key material in the dec:/enc: lines below - redact it before sharing output from a real deployment; the keys shown here are lab-only)
list all ipsec tunnel in vd 0
------------------------------------------------------
name=advpn ver=2 serial=1 192.168.1.1:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on1
bound_if=3 lgwy=static/1 tun=tunnel/255 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic0
proxyid_num=0 child_num=2 refcnt=4 ilast=17135 olast=17135 ad=/0
stat: rxp=417 txp=405 rxb=49800 txb=26584
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=advpn_0 ver=2 serial=3 192.168.1.1:0->192.168.3.1:0 tun_id=172.16.1.2 tun_id6=::10.0.0.3 dst_mtu=1500 1
bound_if=3 lgwy=static/1 tun=tunnel/255 mode=dial_inst/3 encap=none/8832 options[2280]=rgwy-chg frag-rfc r0
parent=advpn index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=2 olast=2 ad=/0
stat: rxp=294 txp=284 rxb=34928 txb=18350
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=advpn proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=20002 type=00 soft=0 mtu=1446 expire=36561/0B replaywin=2048
seqno=11d esn=0 replaywin_lastseq=00000127 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=d900c1a0 esp=des key=8 a8e3bca4f05205fa
ah=md5 key=16 2fec7a76216583ba8efe0dcf6f6fcc75
enc: spi=61de4a0e esp=des key=8 b410337e3ebbb39b
ah=md5 key=16 9050cb8bf58b18045bccd344e6685e46
dec:pkts/bytes=294/18933, enc:pkts/bytes=284/33784
------------------------------------------------------
name=advpn_1 ver=2 serial=6 192.168.1.1:0->192.168.5.1:0 tun_id=172.16.1.3 tun_id6=::10.0.0.6 dst_mtu=1500 1
bound_if=3 lgwy=static/1 tun=tunnel/255 mode=dial_inst/3 encap=none/8832 options[2280]=rgwy-chg frag-rfc r0
parent=advpn index=1
proxyid_num=1 child_num=0 refcnt=6 ilast=5 olast=5 ad=/0
stat: rxp=89 txp=88 rxb=10880 txb=6135
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=11
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=advpn proto=0 sa=1 ref=3 serial=2
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=20002 type=00 soft=0 mtu=1446 expire=41487/0B replaywin=2048
seqno=59 esn=0 replaywin_lastseq=0000005a itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=d900c1a6 esp=des key=8 7aaf3b9d10608ed6
ah=md5 key=16 8faeab206b9319da8471b0e3ba475ba3
enc: spi=d1325267 esp=des key=8 930c261d522cf4aa
ah=md5 key=16 846a2a502778ab87c77825405f4c37ac
dec:pkts/bytes=89/6060, enc:pkts/bytes=88/10912
FG1 # get router info routing-table bgp
Routing table for VRF=0
B 10.0.2.0/24 [200/0] via 172.16.1.2 (recursive is directly connected, advpn), 01:50:29
B 10.0.3.0/24 [200/0] via 172.16.1.3 (recursive is directly connected, advpn), 00:28:38
FG1 # diagnose ip address list | grep advpn
IP=172.16.1.1->172.16.1.254/255.255.255.0 index=15 devname=advpn
FG1 # get router info bgp network
VRF 0 BGP table version is 5, local router ID is 10.0.1.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.0.1.0/24 0.0.0.0 100 32768 0 i <-/1>
*>i10.0.2.0/24 172.16.1.2 0 100 0 0 i <-/1>
*>i10.0.3.0/24 172.16.1.3 0 100 0 0 i <-/1>
Total number of prefixes 3
FG1 # get router info bgp summary
VRF 0 BGP router identifier 10.0.1.254, local AS number 65000
BGP table version is 5
1 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 1 seconds
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.1.2 4 65000 146 146 4 0 0 01:51:39 1
172.16.1.3 4 65000 36 37 3 0 0 00:29:48 1
Total number of neighbors 2
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Auto Discovery Lab
Spoke-to-spoke shortcut
HQ FW
FG1 (advpn) # show
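# Hub: incremental change on the existing phase1 to enable ADVPN shortcut offers.
# Fix: the closing "end" was missing from the listing.
config vpn ipsec phase1-interface
    edit "advpn"
        # turned off here; the spokes already point BGP at the static 172.16.1.1 so nothing else depends on it
        set exchange-interface-ip disable
        # hub sends shortcut offers to spokes when it sees spoke-to-spoke traffic hairpin through it
        # (the VPN-to-VPN policy above is what lets that traffic reach the hub in the first place)
        set auto-discovery-sender enable
    next
end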
DC and Branch FW:
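# DC and Branch spokes: incremental change to accept shortcut offers.
# Fix: the closing "next"/"end" were missing from the listing.
# NOTE(review): shortcut tunnels are negotiated spoke-to-spoke with the same shared PSK and
# 'peertype any', and the resulting traffic bypasses the hub's policies (see the DC trace below,
# which no longer shows 172.16.1.1) - enforce filtering on the spokes.
config vpn ipsec phase1-interface
    edit "advpn"
        set exchange-interface-ip disable
        set auto-discovery-receiver enable
    next
end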
Test
DC PC trace:
VPCS> trace 10.0.3.1
trace to 10.0.3.1, 8 hops max, press Ctrl+C to stop
1 10.0.2.254 0.386 ms 0.320 ms 0.189 ms
2 172.16.1.3 2.008 ms 1.637 ms 2.473 ms <------- Branch FW
3 *10.0.3.1 1.687 ms (ICMP type:3, code:3, Destination port unreachable)
FTG2 # get router info routing-table bgp
Routing table for VRF=0
B 10.0.1.0/24 [200/0] via 172.16.1.1 (recursive via advpn tunnel 192.168.1.1), 00:0
B 10.0.3.0/24 [200/0] via 172.16.1.3 (recursive is directly connected, advpn_0), 04
FGT3 # get router info routing-table bgp
Routing table for VRF=0
B 10.0.1.0/24 [200/0] via 172.16.1.1 (recursive via advpn tunnel 192.168.3
B 10.0.2.0/24 [200/0] via 172.16.1.2 (recursive is directly connected, ad9
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ADVPN & SD-WAN Lab
HQ FW VPN
FG1 (phase1-interface) # show
# Hub (FG1) SD-WAN lab: two dial-up phase1s, one per WAN port, both offering shortcuts.
# The same crypto caveats as the first lab apply (DES/MD5, DH group 5, peertype any, shared
# clear-text PSK "test123" on every device).
config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        set dhgrp 5
        set auto-discovery-sender enable
        set nattraversal disable
        # NOTE(review): clear-text shared PSK - rotate before reuse
        set psksecret test123
        set dpd-retryinterval 60
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        set dhgrp 5
        set auto-discovery-sender enable
        set nattraversal disable
        # same PSK as advpn1 - one secret for both transports
        set psksecret test123
        set dpd-retryinterval 60
    next
end
FG1 (phase2-interface) # show
# Hub phase2s for both dial-up tunnels (no PFS, DES/MD5 - lab-only).
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal des-md5
        set pfs disable
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal des-md5
        set pfs disable
    next
end
HQ FW Tunnel Interface
FG1 (interface) # show
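# Hub tunnel interfaces: 172.16.1.0/24 on advpn1 (port1) and 172.16.2.0/24 on advpn2 (port2);
# each /24 is matched by a BGP neighbor-range below.
# Fix: the closing "end" was missing from the listing.
config system interface
    edit "advpn1"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.255
        # ICMP only on the tunnel side
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.254 255.255.255.0
        set snmp-index 9
        set interface "port1"
    next
    edit "advpn2"
        set vdom "root"
        set ip 172.16.2.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.2.254 255.255.255.0
        set snmp-index 10
        set interface "port2"
    next
end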
HQ FW BGP
FG1 (bgp) # show
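# Hub iBGP for the SD-WAN lab: one neighbor-group + neighbor-range per tunnel subnet, route reflector.
# Fixes: neighbor-group "advpn2-peeers" renamed to "advpn2-peers" (typo, used in both places);
# the outer "end" that closes 'config router bgp' was missing from the listing.
config router bgp
    set as 65000
    set router-id 10.0.1.254
    # a spoke reachable over both tunnels yields two iBGP paths; keep both
    set ibgp-multipath enable
    config neighbor-group
        edit "advpn1-peers"
            set interface "advpn1"
            set remote-as 65000
            set update-source "advpn1"
            set route-reflector-client enable
        next
        edit "advpn2-peers"
            set interface "advpn2"
            set remote-as 65000
            set update-source "advpn2"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        # NOTE(review): any address in either tunnel subnet is accepted as a peer; no 'set password'
        # and no inbound prefix filtering are shown
        edit 1
            set prefix 172.16.1.0 255.255.255.0
            set neighbor-group "advpn1-peers"
        next
        edit 2
            set prefix 172.16.2.0 255.255.255.0
            set neighbor-group "advpn2-peers"
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0 255.255.255.0
        next
    end
end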
DC VPN Interface
FTG2 (phase1-interface) # show
# DC spoke (FTG2) SD-WAN lab: one phase1 per WAN port, each to a different hub address.
config vpn ipsec phase1-interface
    edit "advpn1"
        set interface "port1"
        set ike-version 2
        set peertype any
        # disable here, while the branch spoke below uses enable - confirm which is intended
        set net-device disable
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        # DH group 5 is weak; prefer 14+ / ECP
        set dhgrp 5
        set auto-discovery-receiver enable
        set nattraversal disable
        # hub port1
        set remote-gw 192.168.1.1
        # NOTE(review): clear-text shared PSK - rotate before reuse
        set psksecret test123
        set dpd-retryinterval 60
    next
    edit "advpn2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-md5
        set add-route disable
        set dpd on-idle
        set dhgrp 5
        set auto-discovery-receiver enable
        set nattraversal disable
        # hub port2
        set remote-gw 192.168.2.1
        set psksecret test123
        set dpd-retryinterval 60
    next
end
FTG2 (phase2-interface) # show
# DC spoke phase2s (no PFS, DES/MD5 - lab-only). Unlike the first lab, no auto-negotiate is set here.
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal des-md5
        set pfs disable
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal des-md5
        set pfs disable
    next
end
DC Tunnel Interface
FTG2 (interface) # show
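# DC spoke tunnel interfaces: 172.16.1.2 on advpn1, 172.16.2.2 on advpn2, hub addresses as remote-ip.
# Fix: the closing "end" was missing from the listing.
config system interface
    edit "advpn1"
        set vdom "root"
        set ip 172.16.1.2 255.255.255.255
        # ICMP only on the tunnel side
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.1 255.255.255.0
        set snmp-index 9
        set interface "port1"
    next
    edit "advpn2"
        set vdom "root"
        set ip 172.16.2.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.2.1 255.255.255.0
        set snmp-index 10
        set interface "port2"
    next
end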
DC BGP
FTG2 (bgp) # show
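# DC spoke iBGP: one session to the hub over each tunnel.
# Fix: the outer "end" that closes 'config router bgp' was missing from the listing.
# NOTE(review): the hub addresses are configured under 'config neighbor-group' here, whereas the
# branch spoke below (and the DC spoke in the first lab) use 'config neighbor'. A neighbor-group
# without a matching 'config neighbor-range' would not create a session on its own, so this is
# probably a transcription error for 'config neighbor' - verify against the device.
config router bgp
    set as 65000
    set router-id 10.0.2.254
    set ibgp-multipath enable
    config neighbor-group
        edit "172.16.1.1"
            set interface "advpn1"
            set remote-as 65000
            set update-source "advpn1"
        next
        edit "172.16.2.1"
            set interface "advpn2"
            set remote-as 65000
            set update-source "advpn2"
        next
    end
    config network
        edit 1
            set prefix 10.0.2.0 255.255.255.0
        next
    end
end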
Branch VPN Interface
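# Branch spoke (FGT3) SD-WAN lab: both phase1s leave on the single WAN port (port2), one to each hub address.
# Fix: the listing closed with "End" - FortiOS CLI keywords are lower-case ("end").
config vpn ipsec phase1-interface
    edit "advpn1"
        set interface "port2"
        set ike-version 2
        set peertype any
        # enable here, disable on the DC spoke - confirm which is intended
        set net-device enable
        # WARNING: DES/MD5 - lab-only
        set proposal des-md5
        set dpd on-idle
        # DH group 5 is weak; prefer 14+ / ECP
        set dhgrp 5
        set auto-discovery-receiver enable
        set nattraversal disable
        # hub port1
        set remote-gw 192.168.1.1
        # NOTE(review): clear-text shared PSK - rotate before reuse
        set psksecret test123
    next
    edit "advpn2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal des-md5
        set dpd on-idle
        set dhgrp 5
        set auto-discovery-receiver enable
        set nattraversal disable
        # hub port2
        set remote-gw 192.168.2.1
        set psksecret test123
    next
end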
FGT3 (phase2-interface) # show
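# Branch spoke phase2s: auto-negotiate keeps both tunnels up without waiting for traffic (DES/MD5, no PFS - lab-only).
# Fix: the closing "end" was missing from the listing.
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal des-md5
        set pfs disable
        set auto-negotiate enable
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal des-md5
        set pfs disable
        set auto-negotiate enable
    next
end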
Branch Tunnel Interface
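# Branch spoke tunnel interfaces: 172.16.1.3 on advpn1, 172.16.2.3 on advpn2, both bound to port2.
# Fix: the closing "end" was missing from the listing.
config system interface
    edit "advpn1"
        set vdom "root"
        set ip 172.16.1.3 255.255.255.255
        # ICMP only on the tunnel side
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.1 255.255.255.0
        set snmp-index 9
        set interface "port2"
    next
    edit "advpn2"
        set vdom "root"
        set ip 172.16.2.3 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.2.1 255.255.255.0
        set snmp-index 10
        set interface "port2"
    next
end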
Branch BGP
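# Branch spoke iBGP: one session to the hub over each tunnel.
# Fix: the outer "end" that closes 'config router bgp' was missing from the listing.
config router bgp
    set as 65000
    set router-id 10.0.3.254
    # two paths to each remote prefix (one per hub tunnel)
    set ibgp-multipath enable
    config neighbor
        # NOTE(review): no 'set password' on either session
        edit "172.16.1.1"
            set interface "advpn1"
            set remote-as 65000
            set update-source "advpn1"
        next
        edit "172.16.2.1"
            set interface "advpn2"
            set remote-as 65000
            set update-source "advpn2"
        next
    end
    config network
        edit 1
            set prefix 10.0.3.0 255.255.255.0
        next
    end
end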
HQ SD-WAN
HQ firewall policy
HQ Create Loopback interface
HQ-FW Advertised loopback interface IP
FG1 (phase1-interface) # show
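# Hub: push the loopback address 10.10.10.10 to the spokes over IKE on both dial-up phase1s
# (presumably the SD-WAN performance-SLA probe target referenced by the headings above - confirm).
# Fix: the closing "next"/"end" were missing from the listing.
# NOTE(review): a policy from the tunnel interfaces to the loopback is still required for the
# probes to be answered; the hub policy section above only mentions it by heading.
config vpn ipsec phase1-interface
    edit "advpn1"
        set exchange-ip-addr4 10.10.10.10
    next
    edit "advpn2"
        set exchange-ip-addr4 10.10.10.10
    next
end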
HQ-FW firewall policy ADVPN to Loopback
HQ-FW SD-WAN performance SLA
HQ-FW SD-WAN RULE
DC-FW SD-WAN
DC-FW Static route
FTG2 (static) # show
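# DC spoke default route (no dst given, so 0.0.0.0/0) pointed at the SD-WAN zone instead of a gateway.
# NOTE(review): the zone's members are not shown in this listing; presumably the two WAN ports - confirm.
config router static
    edit 1
        set distance 1
        set sdwan-zone "Internet"
    next
end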
DC-FW Firewall Policy
DC-FW Performance SLA
DC-FW SLA Rule
Branch-FW SD-WAN Zone/Members
Branch-FW Static route
Branch-FW Firewall Policies
Branch-FW SD-WAN Performance SLA
Branch-FW SD-WAN Rule
Test
HQ-FW 4 dialup VPN connections up
HQ-PC
VPCS> ping 10.0.3.1
84 bytes from 10.0.3.1 icmp_seq=1 ttl=62 time=3.690 ms
84 bytes from 10.0.3.1 icmp_seq=2 ttl=62 time=1.711 ms
VPCS> ping 10.0.2.1
84 bytes from 10.0.2.1 icmp_seq=1 ttl=62 time=3.096 ms
84 bytes from 10.0.2.1 icmp_seq=2 ttl=62 time=1.734 ms
DC-PC
VPCS> trace 10.0.1.1
trace to 10.0.1.1, 8 hops max, press Ctrl+C to stop
1 10.0.2.254 0.302 ms 0.287 ms 0.157 ms
2 172.16.2.1 1.133 ms 1.920 ms 0.772 ms
3 *10.0.1.1 1.467 ms (ICMP type:3, code:3, Destination port unreachable)
VPCS> trace 10.0.3.1
trace to 10.0.3.1, 8 hops max, press Ctrl+C to stop
1 10.0.2.254 0.201 ms 0.200 ms 0.168 ms
2 172.16.1.3 1.542 ms 0.934 ms 0.626 ms
3 *10.0.3.1 2.284 ms (ICMP type:3, code:3, Destination port unreachable)