Fortinet Auto Discovery VPN (ADVPN)

Stéphane HAMELIN – Support Engineering Team

© Copyright Fortinet Inc. All rights reserved.


Latest version of this document is available at:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD39360

Change Log

Date        Author      Changes
2020-09-30  S. Hamelin  As of 6.4.3, shortcut tunnels can be automatically brought down when their parent tunnel goes down
                        As of 6.4, shortcuts can be negotiated between two NATed spokes so long as their NAT devices perform EIM NAT
2019-09-16  S. Hamelin  Rework of the document
                        Tunnel overlay IPs can be provisioned with IKE mode-config as of FortiOS 6.2.2
                        'net-device' setting available as of FortiOS 6.2.1 for Spokes' shortcuts (static phase1)
                        OSPF is supported as of FortiOS 6.2.0
                        Additional information added for the Hub-to-Hub tunnel
2018-11-22  S. Hamelin  Added the configuration snippets for France02 spoke + correction of some config snippets
2018-06-28  S. Hamelin  Added slide and reference for the "net-device" KB article
                        Grey background color used for slides referring to the historical dialup behavior (equivalent to "net-device enable")
2018-05-17  S. Hamelin  IKEv1 aggressive-mode is supported as of FortiOS 6.0.1
                        As of 5.6.3 and 6.0: new "net-device" setting for dialup phase1 (Hub)
2018-03-16  S. Hamelin  PIM/Multicast is supported as of FortiOS 5.6.1
                        IKE debug filter supports multiple IP addresses as of FortiOS 6.0
                        Added the configuration snippets for Paris and Madrid Hubs
2017-09-14  S. Hamelin  IKEv2 is supported as of FortiOS 5.6.1
                        ADVPN Hubs can be DNATed as of FortiOS 5.6.1
                        Added KB reference for this document
                        Added KB reference for scenario mixing ADVPN & non-ADVPN Spokes
2017-02-01  S. Hamelin  Added a setting in ADVPN Spoke configuration
2016-07-01  S. Hamelin  Initial version for Fortinet Xperts Academy event
IPsec VPN Topology
How to organize the collection of point-to-point IPsec virtual links between all sites?

Hub and Spoke
Hub nodes concentrate Spoke nodes in a Star topology.
[Figure: one Hub site and four Spoke sites, each Spoke connected to the Hub over the Internet]
The simplest topology.
Spoke-to-Spoke traffic:
- must go through the Hub (delay, latency)
- needlessly consumes resources on the Hub site (CPU, memory, Internet link)

Partial Mesh
Typically a Hub-and-Spoke topology with additional direct tunnels between some Spokes.
[Figure: Hub-and-Spoke topology with extra direct tunnels between some of the Spoke sites]
A middle ground between Hub-and-Spoke and Full-Mesh topologies.

Full Mesh
Direct connectivity between all sites.
[Figure: every site connected to every other site over the Internet]
N sites = N (N-1) / 2 tunnels
10 sites = 45 tunnels!
Efficient for Spoke-to-Spoke traffic.
Complex configuration, not scalable.
Auto-Discovery VPN (as of FortiOS 5.4)
Direct connectivity between all sites.
[Figure: static tunnels from each Spoke to the Hub over the Internet, plus dynamic tunnels (shortcuts) between the Spokes]
"The simplicity of Hub & Spoke with the efficiency of Full-Mesh"
VPN configuration is as simple as configuring a simple Hub & Spoke setup.
FortiOS ADVPN
On-demand tunnels between Spokes

[Figure, four steps; Spoke-A and Spoke-B each have a static tunnel to the Hub:]
1. Shortcut is triggered by data flowing through the Hub.
2. Shortcut negotiation is orchestrated by the Hub.
3. Shortcut tunnel (dynamic tunnel) is established between the Spokes.
4. Spoke-to-Spoke traffic flows through the shortcut.

Summary – ADVPN Sequence of Events (Spoke-A, Hub, Spoke-B)
1. Spoke-A encrypts the IPsec flow and sends it to the Hub; the Hub decrypts it and forwards it to Spoke-B (data plane).
2. The Hub sends a SHORTCUT OFFER to Spoke-A (IKE flow, control plane).
3. Spoke-A answers with a SHORTCUT QUERY; the Hub forwards it to Spoke-B.
4. Spoke-B answers with a SHORTCUT REPLY; the Hub forwards it to Spoke-A.
5. SHORTCUT NEGOTIATION takes place directly between Spoke-A and Spoke-B; from then on the two Spokes encrypt and decrypt the flow between themselves.
[IKE debug details]
Fortinet Auto-Discovery VPN
Fortinet ADVPN is a proprietary solution solely based on IKE & IPsec.
It is incompatible with Cisco DMVPN, which relies on mGRE-over-IPsec and NHRP.

IPsec:
- IKEv1 main-mode is supported (pre-shared key & certificate authentication)
- IKEv1 aggressive-mode is supported as of FortiOS 6.0.1 (pre-shared key & certificate authentication)
- IKEv2 is supported as of FortiOS 5.6.1
- Both IPv4 IPsec & IPv6 IPsec are supported

Dynamic Routing:
- BGP and RIPv2/RIPng are supported
- PIM/Multicast is supported as of FortiOS 5.6.1
- OSPF is supported as of FortiOS 6.2
- IS-IS over IPsec is not supported
Fortinet Auto-Discovery VPN
It is mandatory that the Hub runs FortiOS 5.4 (or newer).
The Hub is responsible for triggering the shortcut OFFER and for relaying the shortcut QUERY/REPLY messages between the Spokes. The Hub must run at least FortiOS 5.4 if shortcuts are desired.

It is not mandatory that all Spokes be FortiGates running FortiOS 5.4 (or newer).
If a Spoke runs a firmware older than FortiOS 5.4, or if it is an IPsec gateway from another vendor, it can still participate in the Hub & Spoke architecture, but it will not be able to negotiate shortcuts with other Spokes.

Connecting ADVPN and non-ADVPN IPsec gateways on the same Hub phase1 requires specific configuration on the Hub and on the non-ADVPN gateways:
KB article http://kb.fortinet.com/kb/documentLink.do?externalID=FD40359
A single ADVPN Domain
All interconnected ADVPN tunnels belong to the same ADVPN Domain.

Use cases:

• I would like to spread the Spokes between my two ISPs (wan1, wan2). Will the Spokes bound to the phase1 on wan1 be able to establish shortcuts with the Spokes bound to the phase1 on wan2?
  Yes, no additional configuration is required to cover this scenario.

• I need to connect two independent Hub & Spoke regions. Is it possible to establish cross-region shortcuts?
  Yes. It requires that an IPsec tunnel be configured between the Hubs of each region. This scenario is the Reference Architecture used in this document.

• I want to create multiple ADVPN domains: Spokes from a domain can only establish shortcuts with Spokes from the same domain, and cross-domain shortcuts are not allowed.
  FortiOS has no support for ADVPN Domains. All Spokes belong to a single ADVPN domain, and shortcut negotiations can take place between any Spokes of that domain.
NAT with ADVPN

Hub behind NAT
The Hub being DNATed is supported as of FortiOS 5.6.1.

Spokes behind NAT

As of FortiOS 6.4
An ADVPN shortcut can be negotiated between two NATed Spokes so long as their NAT devices perform Endpoint-Independent Mapping (EIM) NAT.
EIM NAT = destination-independent NAT: an internal host with (src-ip, src-port) is always SNATed to the same (nat-src-ip, nat-src-port), regardless of the (dst-ip, dst-port) being accessed.
UDP hole punching is used by FortiOS to open NAT entries on the NAT devices.

Up to FortiOS 6.2
A shortcut can be negotiated between two Spokes only if one of the two Spokes is not NATed. A shortcut cannot be established between two Spokes that are both NATed.
ADVPN shortcut negotiation between two NATed Spokes – UDP hole punching

Addresses (IP:port) used in the exchange:
  Spoke-A      A:4500   (inside NAT-Spoke-A)
  NAT-Spoke-A  NA:1111  (public address of Spoke-A after SNAT)
  Hub          H:4500
  NAT-Spoke-B  NB:2222  (public address of Spoke-B after SNAT)
  Spoke-B      B:4500   (inside NAT-Spoke-B)

NAT entries already present for the parent tunnels (inside ↔ outside):
  NAT-Spoke-A: (A:4500, H:4500) ↔ (NA:1111, H:4500)
  NAT-Spoke-B: (B:4500, H:4500) ↔ (NB:2222, H:4500)

1. Data traffic is sent from Spoke-A to Spoke-B via the Hub.
   Spoke-A encrypts: A:4500→H:4500, SNATed to NA:1111→H:4500.
   The Hub forwards: H:4500→NB:2222, DNATed to H:4500→B:4500; Spoke-B decrypts.

2. Shortcut OFFER, Hub → Spoke-A: H:4500→NA:1111, DNATed to H:4500→A:4500.

3. Shortcut QUERY, Spoke-A → Hub → Spoke-B: A:4500→H:4500, SNATed to NA:1111→H:4500;
   the Hub forwards H:4500→NB:2222, DNATed to H:4500→B:4500.

4. UDP NAT-T keepalive sent by Spoke-B directly to Spoke-A's public address: B:4500→NA:1111, SNATed to NB:2222→NA:1111.
   EIM NAT: Spoke-B (B:4500) is always NATed to the same NAT IP:port (NB:2222).
   UDP hole punching: NAT-Spoke-B creates the entry (B:4500, NA:1111) ↔ (NB:2222, NA:1111), which allows inbound traffic from Spoke-A (NA:1111).
   NAT-Spoke-A has no entry for NB:2222 yet, so the keepalive is DROPPED there: its only purpose is to open the hole on NAT-Spoke-B.

5. Shortcut REPLY, Spoke-B → Hub → Spoke-A: B:4500→H:4500, SNATed to NB:2222→H:4500;
   the Hub forwards H:4500→NA:1111, DNATed to H:4500→A:4500.

6. Shortcut negotiation, directly between the Spokes.
   Spoke-A → Spoke-B: A:4500→NB:2222, SNATed to NA:1111→NB:2222; NAT-Spoke-A creates the entry (A:4500, NB:2222) ↔ (NA:1111, NB:2222).
   The packet matches the hole punched in step 4 and is DNATed to NA:1111→B:4500.
   Spoke-B → Spoke-A: B:4500→NA:1111, SNATed to NB:2222→NA:1111, DNATed by NAT-Spoke-A to NB:2222→A:4500.

7. After the shortcut negotiation has completed and the routing has converged over the shortcut, traffic flows directly between Spoke-A and Spoke-B:
   Spoke-A encrypts A:4500→NB:2222 (SNAT NA:1111→NB:2222, DNAT NA:1111→B:4500), Spoke-B decrypts;
   Spoke-B encrypts B:4500→NA:1111 (SNAT NB:2222→NA:1111, DNAT NB:2222→A:4500), Spoke-A decrypts.
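To make the EIM requirement concrete, here is an added example (not from the Fortinet slides) that models the two NAT devices of the figure as mapping tables and replays the keepalive and the first negotiation packets through them. IKE itself is not modelled; the starting port numbers and the "symmetric" (endpoint-dependent) policy used as the failing comparison are assumptions for illustration, and the helper names are ours.

```python
"""Model of the hole-punching exchange in the figure above.

Added example, not from the Fortinet slides: only the NAT tables are
modelled (mapping and filtering behaviour), not IKE. Hosts are the
symbolic ones of the figure (A, NA, H, NB, B); the starting ports and the
non-EIM ("symmetric") policy used as the failing case are assumptions.
"""
from dataclasses import dataclass, field

Endpoint = tuple  # ("ip", port)


@dataclass
class Nat:
    """One NAT device with a single public IP.

    eim=True : Endpoint-Independent Mapping, what ADVPN requires: the same
               inside (ip, port) is always translated to the same public port,
               whatever the destination.
    eim=False: endpoint-dependent ("symmetric") mapping: a fresh public port
               for every (inside source, destination) pair.
    Filtering is address-and-port dependent in both modes: an inbound packet
    is accepted only if the inside host already sent a packet to that exact
    remote (ip, port). That is the "hole" the NAT-T keepalive punches.
    """
    public_ip: str
    eim: bool
    next_port: int
    # (inside (ip, port), remote (ip, port)) -> public port
    sessions: dict = field(default_factory=dict)
    # inside (ip, port) -> public port; only consulted when eim=True
    mappings: dict = field(default_factory=dict)

    def snat(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Outbound packet src->dst: return the translated source."""
        key = (src, dst)
        if key not in self.sessions:
            if self.eim and src in self.mappings:
                port = self.mappings[src]          # reuse the existing mapping
            else:
                port = self.next_port              # allocate a new public port
                self.next_port += 1
                if self.eim:
                    self.mappings[src] = port
            self.sessions[key] = port
        return (self.public_ip, self.sessions[key])

    def dnat(self, src: Endpoint, dst: Endpoint):
        """Inbound packet src->dst: return the inside destination, or None (drop)."""
        for (inside, remote), port in self.sessions.items():
            if remote == src and dst == (self.public_ip, port):
                return inside
        return None


A, H, B = ("A", 4500), ("H", 4500), ("B", 4500)


def run_shortcut(eim_a: bool, eim_b: bool):
    """Replay the figure's exchange and return three booleans:
    (keepalive dropped at NAT-Spoke-A, shortcut packet A->B delivered,
     answer B->A delivered)."""
    nat_a = Nat("NA", eim_a, next_port=1111)
    nat_b = Nat("NB", eim_b, next_port=2222)

    # Parent tunnels: both Spokes already talk to the Hub (entries of the figure).
    na = nat_a.snat(A, H)   # ("NA", 1111): what Spoke-B learns from the QUERY
    nb = nat_b.snat(B, H)   # ("NB", 2222): what Spoke-A learns from the REPLY

    # Step 4: Spoke-B sends a NAT-T keepalive straight to Spoke-A's public address.
    # It opens a hole on NAT-Spoke-B; NAT-Spoke-A has no matching entry and drops it.
    keepalive_src = nat_b.snat(B, na)
    keepalive_dropped = nat_a.dnat(keepalive_src, na) is None

    # Step 6: Spoke-A initiates the shortcut towards the address from the REPLY.
    shortcut_src = nat_a.snat(A, nb)
    reaches_b = nat_b.dnat(shortcut_src, nb) == B

    # Spoke-B answers towards NA:1111; NAT-Spoke-A now has a session for it.
    answer_src = nat_b.snat(B, na)
    reaches_a = nat_a.dnat(answer_src, na) == A
    return keepalive_dropped, reaches_b, reaches_a


if __name__ == "__main__":
    for eim_a, eim_b in ((True, True), (True, False), (False, True)):
        print(f"EIM on NAT-A={eim_a}, NAT-B={eim_b}:", run_shortcut(eim_a, eim_b))
```

The first element is True in every run: the keepalive is always dropped at NAT-Spoke-A, exactly as the figure shows, and exists only to open the hole on NAT-Spoke-B. The shortcut succeeds only when both NATs are EIM. With a symmetric NAT-Spoke-B the keepalive leaves with a public port other than the NB:2222 that the Hub relayed in the REPLY, so Spoke-A's packet hits a port with no hole; with a symmetric NAT-Spoke-A the negotiation packet leaves with a port other than NA:1111, the only source the punched hole accepts.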
Lifetime of ADVPN shortcuts
Interplay between a shortcut tunnel (spoke ↔ spoke) and its parent tunnel (spoke ↔ Hub)

As of FortiOS 6.4.3
A shortcut tunnel can be torn down automatically when its parent tunnel goes down:

  config vpn ipsec phase1-interface
      edit <tunnel-to-the-Hub>
          set auto-discovery-receiver enable
          set auto-discovery-shortcuts dependent
      next
  end

By default, a shortcut tunnel is independent from its parent.

Up to FortiOS 6.4.2
Shortcuts are independent from their parent tunnel.
Shortcuts are not automatically brought down when their parent tunnel goes down. This behavior is not configurable.

Shortcuts can be torn down when they are idle:

  config vpn ipsec phase1-interface
      edit <tunnel-to-the-Hub>
          set idle-timeout enable                 // default = disable
          set idle-timeoutinterval <minutes>      // default = 15, range = [5 ; 43200]
      next
  end
Reference Architecture
Dual Region: interconnecting two independent Hub & Spoke Regions

[Figure: Dual Region – Underlay]
  France region (ISP1, 198.51.100.0/24, ISP gateway .254):
    Paris Hub        wan 198.51.100.1    LAN 192.168.1.0/24
    France02 Spoke   wan 198.51.100.2    LAN 192.168.2.0/24
    France03 Spoke   wan 198.51.100.3    LAN 192.168.3.0/24
  Spain region (ISP2, 203.0.113.0/24, ISP gateway .254):
    Madrid Hub       wan 203.0.113.101   LAN 192.168.101.0/24
    Spain102 Spoke   wan 203.0.113.102   LAN 192.168.102.0/24
    Spain103 Spoke   wan 203.0.113.103   LAN 192.168.103.0/24
  A tunnel between the Hubs (Paris ↔ Madrid) interconnects the two regions.

[Figure: Dual Region – Overlay]
  Hub-to-Hub tunnel: Paris 10.255.255.1/32 ↔ Madrid 10.255.255.2/32
  France overlay 10.10.10.0/24: Paris 10.10.10.1, France02 10.10.10.2, France03 10.10.10.3
  Spain overlay 10.20.20.0/24:  Madrid 10.20.20.1, Spain102 10.20.20.2, Spain103 10.20.20.3

[Figure: Dual Region – Overlay with BGP]
  Each region has a distinct AS: France AS 65000, Spain AS 65100.
  iBGP is used for intra-region routing (Hub ↔ Spokes).
  eBGP is used for inter-region routing (Paris ↔ Madrid, over the Hub-to-Hub tunnel).
France Region

[Figure: France Region – Underlay]
  Paris Hub        wan 198.51.100.1   LAN 192.168.1.0/24
  France02 Spoke   wan 198.51.100.2   LAN 192.168.2.0/24
  France03 Spoke   wan 198.51.100.3   LAN 192.168.3.0/24
  ISP1 198.51.100.0/24, ISP gateway 198.51.100.254

[Figure: France Region – Overlay]
  Paris: dialup phase1 "advpn" (tunnel instances advpn_0, advpn_1), overlay IP 10.10.10.1
  France02: phase1 "advpn", overlay IP 10.10.10.2
  France03: phase1 "advpn", overlay IP 10.10.10.3
Overlay IPs
Overlay IPs of the Spokes (10.10.10.x) can be provisioned in two ways:

1. Manually on each Spoke

  Hub:
  config system interface
      edit "advpn"
          set ip 10.10.10.1/32
          set remote-ip 10.10.10.254/24
      next
  end

  Spoke:
  config system interface
      edit "advpn"
          set ip 10.10.10.2/32
          set remote-ip 10.10.10.1/24
      next
  end

2. Automatically from the Hub using IKE mode-config, as of FortiOS 6.2.2

  Hub:
  config system interface
      edit "advpn"
          set ip 10.10.10.1/32
          set remote-ip 10.10.10.254/24
      next
  end
  config vpn ipsec phase1-interface
      edit "advpn"
          set mode-cfg enable
          set ipv4-start-ip 10.10.10.2
          set ipv4-end-ip 10.10.10.253
          set ipv4-netmask 255.255.255.0
      next
  end

  Spoke:
  config system interface
      edit "advpn"
          < do not configure an IP here >
      next
  end
  config vpn ipsec phase1-interface
      edit "advpn"
          set mode-cfg enable
      next
  end

[Figure: France region overlay 10.10.10.0/24 – Paris 10.10.10.1, France02 10.10.10.2, France03 10.10.10.3]
IPsec configuration – Hub

ADVPN Hub configuration

  config vpn ipsec phase1-interface
      edit "advpn"
          set type dynamic
          set net-device disable
          set tunnel-search nexthop
          set interface "wan"
          set proposal aes128-sha1
          set auto-discovery-sender enable
          set add-route disable
          set psksecret xxxxxxxx
      next
  end
  config vpn ipsec phase2-interface
      edit "advpn"
          set phase1name "advpn"
          set proposal aes128-sha1
      next
  end
  config system interface
      edit "advpn"
          set ip 10.10.10.1/32
          set remote-ip 10.10.10.254/24
      next
  end

Overlay addressing on the Hub:
- The overlay IPs of all ADVPN participants are in the same subnet (10.10.10.0/24).
- The mask for the local IP can only be /32: set ip 10.10.10.1/32.
- So the mask for the overlay subnet must be specified in 'remote-ip': set remote-ip 10.10.10.254/24.
- The remote-ip is an unused IP from the overlay subnet.
ADVPN Hub configuration – net-device disable

net-device disable
- Default setting for dialup phase1 as of FortiOS 6.0 & 5.6.3.
- A dedicated interface is no longer created for each dialer: "advpn" is used as a shared interface.
- Detailed information about the "net-device" setting is available in KB article FD41498:
  https://kb.fortinet.com/kb/documentLink.do?externalID=FD41498

tunnel-search nexthop
- The next-hop IP of the route matched by a packet is used to decide into which tunnel the packet must be sent.

(Hub configuration as on the previous slide: phase1-interface "advpn" with set type dynamic, set net-device disable, set tunnel-search nexthop, set auto-discovery-sender enable, set add-route disable.)
ADVPN Hub configuration – auto-discovery-sender and add-route

auto-discovery-sender enable
- Indicates that when IPsec traffic transits the Hub, it should send a SHORTCUT-OFFER to the initiator of the traffic to indicate that it could perhaps establish a more direct connection (shortcut).

add-route disable
- Ensures that IKE does not automatically add a route back over the spoke and instead leaves routing to a separately configured routing protocol.

(Hub configuration as on the previous slides.)
ADVPN Hub configuration – firewall policies

  config firewall policy
      edit 1
          set name "To Spokes"
          set srcintf "internal"
          set dstintf "advpn"
          set srcaddr "all"
          set dstaddr "all"
          set action accept
          set schedule "always"
          set service "ALL"
      next
      edit 2
          set name "From Spokes"
          set srcintf "advpn"
          set dstintf "internal"
          set srcaddr "all"
          set dstaddr "all"
          set action accept
          set schedule "always"
          set service "ALL"
      next
      edit 3
          set name "Spokes to Spokes"
          (...)

These lab policies allow any traffic between the Hub LAN and the overlay; in production, restrict srcaddr, dstaddr and service to what the sites actually need.
ADVPN Hub configuration – net-device enable (historical dialup behavior)
This setting is not recommended and is not supported for SD-WAN.

net-device enable
- A dedicated interface is created for each dialer.
- This was the FortiOS behavior up to 5.6.2.
- As of 5.6.3 & 6.0, this behavior is no longer the default and is not recommended.
- When upgrading from FortiOS <= 5.6.2 to FortiOS >= 5.6.3, the upgrade process retains the previous behavior by means of the CLI setting "net-device enable". It is recommended to change the configuration to "net-device disable" after the upgrade.
- Detailed information about the "net-device" setting is available in KB article FD41498:
  https://kb.fortinet.com/kb/documentLink.do?externalID=FD41498

  config vpn ipsec phase1-interface
      edit "advpn"
          set type dynamic
          set interface "wan"
          set net-device enable
          set proposal aes128-sha1
          set auto-discovery-sender enable
          set add-route disable
          set psksecret xxxxxxxx
      next
  end
  config vpn ipsec phase2-interface
      edit "advpn"
          set phase1name "advpn"
          set proposal aes128-sha1
      next
  end
  config system interface
      edit "advpn"
          set ip 10.10.10.1/32
          set remote-ip 10.10.10.254/24
      next
  end

The remote-ip is a dummy: it can be any unused IP.
ADVPN Hub configuration – /32 overlay IP (FortiOS 5.4.x & 5.6.[0-2])
With FortiOS 5.4.x & 5.6.[0-2], a tunnel interface can only be a point-to-point interface: the only possible mask is /32.
A /32 host IP address is configured as the overlay IP. The remote-ip is a dummy; it can be any unused IP.

  config vpn ipsec phase1-interface
      edit "advpn"
          set type dynamic
          set interface "wan"
          set proposal aes128-sha1
          set auto-discovery-sender enable
          set add-route disable
          set psksecret xxxxxxxx
      next
  end
  config vpn ipsec phase2-interface
      edit "advpn"
          set phase1name "advpn"
          set proposal aes128-sha1
      next
  end
  config system interface
      edit "advpn"
          set ip 10.10.10.1/32
          set remote-ip 10.10.10.254
      next
  end
IPsec configuration – Spoke

ADVPN Spoke configuration – overlay IP
- The overlay IPs of all ADVPN participants are in the same subnet.
- The mask for the local IP can only be /32, so the mask for the overlay subnet must be specified in 'remote-ip'.
- The overlay IP of the Hub is used as remote-ip.

  config system interface
      edit "advpn"
          set ip 10.10.10.2/32
          set remote-ip 10.10.10.1/24
      next
  end
ADVPN Spoke configuration – "net-device disable" for shortcuts
This configuration is not supported for SD-WAN.

net-device disable
- Default setting for static phase1, introduced in FortiOS 6.2.1.
- A dynamic interface is no longer created for each shortcut: "advpn" is used as a shared interface by all shortcuts.
- This setting is not supported for SD-WAN members: this tunnel cannot be an SD-WAN member.

tunnel-search nexthop
- The next-hop IP of the route matched by a packet is used to decide into which shortcut tunnel the packet must be sent.

auto-discovery-receiver enable
- Indicates that this IPsec tunnel wishes to participate in an Auto-Discovery VPN (i.e., receive SHORTCUT-OFFERs).

add-route disable
- Ensures that IKE does not automatically add a route back over the spoke.

  config vpn ipsec phase1-interface
      edit "advpn"
          set type static
          set interface "wan"
          set net-device disable
          set tunnel-search nexthop
          set proposal aes128-sha1
          set auto-discovery-receiver enable
          set add-route disable
          set remote-gw 198.51.100.1
          set psksecret xxxxxxxx
      next
  end
  config vpn ipsec phase2-interface
      edit "advpn"
          set phase1name "advpn"
          set proposal aes128-sha1
      next
  end
  config system interface
      edit "advpn"
          set ip 10.10.10.2/32
          set remote-ip 10.10.10.1/24
      next
  end
ADVPN Spoke configuration – "net-device enable" for shortcuts

net-device enable
- A dedicated interface is created for each shortcut.
- This setting is needed if this tunnel is an SD-WAN member.

auto-discovery-receiver enable
- Indicates that this IPsec tunnel wishes to participate in an Auto-Discovery VPN (i.e., receive SHORTCUT-OFFERs).

add-route disable
- Ensures that IKE does not automatically add a route back over the spoke.

  config vpn ipsec phase1-interface
      edit "advpn"
          set type static
          set interface "wan"
          set net-device enable
          set proposal aes128-sha1
          set auto-discovery-receiver enable
          set add-route disable
          set remote-gw 198.51.100.1
          set psksecret xxxxxxxx
      next
  end
  config vpn ipsec phase2-interface
      edit "advpn"
          set phase1name "advpn"
          set proposal aes128-sha1
      next
  end
  config system interface
      edit "advpn"
          set ip 10.10.10.2/32
          set remote-ip 10.10.10.1/24
      next
  end
ADVPN Spoke configuration – firewall policies

  config firewall policy
      edit 1
          set name "To Hub/Spokes"
          set srcintf "internal"
          set dstintf "advpn"
          set srcaddr "all"
          set dstaddr "all"
          set action accept
          set schedule "always"
          set service "ALL"
      next
      edit 2
          set name "From Hub/Spokes"
          set srcintf "advpn"
          set dstintf "internal"
          set srcaddr "all"
          set dstaddr "all"
          set action accept
          set schedule "always"
          set service "ALL"
      next
  end

No specific policies are needed for traffic to/from other Spokes: traffic to/from other Spokes is checked against the policies to/from the Hub.
ADVPN with BGP

iBGP with Route Reflector
iBGP – Route Reflector (RR) and RR-Clients
[Figure: Paris (10.10.10.1) is the BGP Route Reflector; France02 (10.10.10.2) and France03 (10.10.10.3) are RR-Clients; the iBGP sessions run over the advpn tunnels]
BGP Update reflected by Paris to France02: Prefix = 192.168.3.0/24, Next-Hop = 10.10.10.3

  Paris # get router info bgp network
  BGP table version is 4, local router ID is 10.10.10.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
  *> 192.168.1.0      0.0.0.0                     100  32768 i
  *>i192.168.3.0      10.10.10.3               0   100      0 i

  Total number of prefixes 2

  France02 # get router info bgp network
  BGP table version is 4, local router ID is 10.10.10.2
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
  *>i192.168.1.0      10.10.10.1               0   100      0 i
  *> 192.168.2.0      0.0.0.0                     100  32768 i
  *>i192.168.3.0      10.10.10.3               0   100      0 i

  Total number of prefixes 3
iBGP Next Hop Reachability
The ADVPN overlay subnet is defined on the tunnel interface:

  config system interface
      edit "advpn"
          set ip 10.10.10.2 255.255.255.255
          set remote-ip 10.10.10.1 255.255.255.0
      next
  end

The BGP Next-Hop must be accessible through the tunnel. In the France02 BGP table above, the next-hops 10.10.10.1 (Paris) and 10.10.10.3 (France03) both belong to the overlay subnet 10.10.10.0/24 reachable via the "advpn" interface.
No shortcut – BGP Next-Hop is reached via the Hub
The ADVPN overlay subnet is defined on the tunnel interface:

  France02 # get router info routing-table connected
  (...)
  C       10.10.10.0/24 is directly connected, advpn
  (...)

  France02 # get router info routing-table details 10.10.10.3
  Routing entry for 10.10.10.0/24
    Known via "connected", distance 0, metric 0, best
    * is directly connected, advpn

The BGP Next-Hop of the France03 Spoke (10.10.10.3) is accessible via the advpn connected subnet.
No shortcut – RIB lookup

  France02 # get router info routing-table all
  Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
         O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default

  S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
  C       10.10.10.0/24 is directly connected, advpn
  C       10.10.10.2/32 is directly connected, advpn
  B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 00:31:43
  C       192.168.2.0/24 is directly connected, internal
  B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 00:31:43
  C       198.51.100.0/24 is directly connected, wan

Spoke-to-Spoke traffic flows through the Hub.
Shortcut tunnels with a shared interface – "net-device disable" for shortcuts
This configuration is not supported for SD-WAN.

  France02 # get router info routing-table all
  Codes: (legend as on the previous slide)

  S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
  C       10.10.10.0/24 is directly connected, advpn
  C       10.10.10.2/32 is directly connected, advpn
  B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 00:36:51
  C       192.168.2.0/24 is directly connected, internal
  B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 00:36:51
  C       198.51.100.0/24 is directly connected, wan

A shortcut tunnel is created between France02 and France03: name = <phase1name>_<index>, i.e., advpn_0 on each Spoke.
The route to France03 remains unchanged: it stays associated to the interface towards the Hub, which is used as well as a shared interface for all shortcuts ('set net-device disable').
Shortcut tunnels with a shared interface – "net-device disable" for shortcuts
This configuration is not supported for SD-WAN.

  France02 # get router info routing-table bgp | grep 192.168.3
  B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 00:36:51

  France02 # diag vpn tunnel list name advpn
  list ipsec tunnel by names in vd 0
  name=advpn ver=1 serial=1 198.51.100.2:0->198.51.100.1:0 dst_mtu=1500
  bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/544 options[0220]=search-nexthop frag-rfc run_state=0 accept_traffic=1
  proxyid_num=1 child_num=1 refcnt=18 ilast=1 olast=1 ad=r/2
  stat: rxp=1177 txp=1027 rxb=151752 txb=64843
  dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
  natt: mode=none draft=0 interval=0 remote_port=0
  proxyid=advpn proto=0 sa=1 ref=2 serial=1 adr
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=38619/0B replaywin=2048
         seqno=3c0 esn=0 replaywin_lastseq=00000456 itn=0 qat=0
    life: type=01 bytes=0/0 timeout=42903/43200
    dec: spi=93730178 esp=aes key=16 af818f5b74f7acd6bf41d9303757ac41
         ah=sha1 key=20 5dd0e6dbb4dd7b5d0a56ebc02465b575214b03f5
    enc: spi=3292ee38 esp=aes key=16 d1768bc8b7ac5d08a63595c914f377eb
         ah=sha1 key=20 5458ec899ebe5fc680c2ce4290b7a3601272e2e6
    dec:pkts/bytes=1109/67470, enc:pkts/bytes=959/122920
  run_tally=2
  ipv4 route tree:
    10.10.10.3 0
    198.51.100.3 0

Tunnel 'advpn' contains two types of information:
1. the IPsec Security Association for the tunnel with the Hub;
2. the 'route tree' for the shortcut tunnels.

Note that this output includes the live ESP encryption and authentication keys (the 'key=' fields): treat captured 'diag vpn tunnel list' output as sensitive and redact it before sharing it in tickets or logs.
Shortcut tunnels with a shared interface – "net-device disable" for shortcuts
This configuration is not supported for SD-WAN.

  France02 # get router info routing-table bgp | grep 192.168.3
  B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 00:36:51

  France02 # diag vpn tunnel list name advpn
  list ipsec tunnel by names in vd 0
  name=advpn ver=1 serial=1 198.51.100.2:0->198.51.100.1:0 dst_mtu=1500
  bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/544 options[0220]=search-nexthop frag-rfc run_state=0 accept_traffic=1
  proxyid_num=1 child_num=1 refcnt=18 ilast=1 olast=1 ad=r/2
  (... truncated for brevity ...)
    dec:pkts/bytes=1109/67470, enc:pkts/bytes=959/122920
  run_tally=2
  ipv4 route tree:
    10.10.10.3 0
    198.51.100.3 0

Traffic destined to next-hop 10.10.10.3 is forwarded to the shortcut tunnel with index 0 (i.e., advpn_0).
Spoke-to-Spoke traffic flows through the shortcut.
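Reading the route tree by eye is fine for one tunnel; for a fleet, or for a ticket that must not leak key material, it is worth parsing the dump. The following is an added example (not from the Fortinet slides) that extracts the gateways, the options, the NAT-T mode, the SPIs, the SA lifetime and the route tree from 'diag vpn tunnel list' output, resolves a next-hop to the shortcut the route tree selects, and redacts the 'key=' fields. SAMPLE is modelled on the France02 output above with the key bytes replaced by obviously fake values; the helper names are ours.

```python
"""Parse 'diag vpn tunnel list name <phase1>' output: SA lifetime, NAT-T state,
the shortcut route tree, and a redaction helper for the key material it prints.

Added example, not from the Fortinet slides. SAMPLE is modelled on the France02
output on this page with the key bytes replaced by obviously fake values; the
helper names are ours.
"""
import re

# Constructed sample: same layout as the slide, fake key material.
SAMPLE = """\
list ipsec tunnel by names in vd 0

name=advpn ver=1 serial=1 198.51.100.2:0->198.51.100.1:0 dst_mtu=1500
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/544 options[0220]=search-nexthop frag-rfc run_state=0 accept_traffic=1
proxyid_num=1 child_num=1 refcnt=18 ilast=1 olast=1 ad=r/2
stat: rxp=1177 txp=1027 rxb=151752 txb=64843
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=advpn proto=0 sa=1 ref=2 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=38619/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=93730178 esp=aes key=16 00112233445566778899aabbccddeeff
       ah=sha1 key=20 0011223344556677889900112233445566778899
  enc: spi=3292ee38 esp=aes key=16 ffeeddccbbaa99887766554433221100
       ah=sha1 key=20 9988776655443322110099887766554433221100
  dec:pkts/bytes=1109/67470, enc:pkts/bytes=959/122920
run_tally=2
ipv4 route tree:
  10.10.10.3 0
  198.51.100.3 0
"""

NAME_RE = re.compile(r"^name=(?P<name>\S+) .*? (?P<lgw>[\d.]+):\d+->(?P<rgw>[\d.]+):\d+")
OPTIONS_RE = re.compile(r"options\[[0-9a-f]+\]=((?:[\w-]+\s+)*?)(?=\w+=)")
KEY_RE = re.compile(r"(key=\d+)\s+[0-9a-f]{16,}")


def parse_tunnel_list(text: str) -> dict:
    """Return the fields a practitioner usually needs from the tunnel dump."""
    t = {"name": None, "local_gw": None, "remote_gw": None, "options": [],
         "natt_mode": None, "spi": {}, "life": None, "route_tree": {}}
    in_tree = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_tree:
            m = re.match(r"^([\d.]+)\s+(\d+)$", line)
            if m:                       # "<next-hop> <shortcut index>"
                t["route_tree"][m.group(1)] = int(m.group(2))
                continue
            in_tree = False             # anything else ends the tree block
        if line.startswith("name="):
            m = NAME_RE.match(line)
            t["name"], t["local_gw"], t["remote_gw"] = m.group("name", "lgw", "rgw")
        elif "options[" in line:
            t["options"] = OPTIONS_RE.search(line).group(1).split()
        elif line.startswith("natt:"):
            t["natt_mode"] = re.search(r"mode=(\S+)", line).group(1)
        elif line.startswith(("dec: spi=", "enc: spi=")):
            t["spi"][line[:3]] = re.search(r"spi=([0-9a-f]+)", line).group(1)
        elif line.startswith("life:"):
            m = re.search(r"timeout=(\d+)/(\d+)", line)
            t["life"] = (int(m.group(1)), int(m.group(2)))   # (remaining, total) seconds
        elif line.startswith("ipv4 route tree:"):
            in_tree = True
    return t


def shortcut_for_next_hop(tunnel: dict, next_hop: str):
    """Tunnel name the route tree selects for a next-hop, or None when the
    next-hop is not covered by a shortcut (traffic stays on the parent tunnel)."""
    idx = tunnel["route_tree"].get(next_hop)
    return None if idx is None else f"{tunnel['name']}_{idx}"


def contains_key_material(text: str) -> bool:
    """True if the dump still carries ESP/AH key bytes."""
    return KEY_RE.search(text) is not None


def redact_keys(text: str) -> str:
    """Blank the ESP/AH key bytes so the dump can be pasted into a ticket."""
    return KEY_RE.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    tunnel = parse_tunnel_list(SAMPLE)
    print(tunnel["name"], tunnel["local_gw"], "->", tunnel["remote_gw"], tunnel["options"])
    print("10.10.10.3 ->", shortcut_for_next_hop(tunnel, "10.10.10.3"))
    print(redact_keys(SAMPLE))
```

The route tree is the structure that 'tunnel-search nexthop' consults: a packet whose RIB next-hop is 10.10.10.3 is steered into shortcut index 0 even though the RIB still points at the shared 'advpn' interface, and a next-hop absent from the tree (10.10.10.1, the Hub) stays on the parent tunnel. Parsing still works on the redacted text, so the redacted copy is the one to attach to a ticket.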
Shortcut tunnels with a dedicated interface – "net-device enable" for shortcuts

  France02 # get router info routing-table all
  Codes: (legend as on the previous slides)

  S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
  C       10.10.10.0/24 is directly connected, advpn
  C       10.10.10.2/32 is directly connected, advpn
  C       10.10.10.2/32 is directly connected, advpn_0
  C       10.10.10.3/32 is directly connected, advpn_0
  B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 02:38:15
  C       192.168.2.0/24 is directly connected, internal
  B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn_0, 00:00:28
  C       198.51.100.0/24 is directly connected, wan

A shortcut tunnel is created, and a dynamic interface is created as well ('set net-device enable').
Shortcut tunnel & interface names = <phase1name>_<index>, i.e., advpn_0.


Shortcut tunnels with a dedicated interface “net-device enable” for shortcuts

    France02 # get router info routing-table all
    (...)
    C       10.10.10.2/32 is directly connected, advpn
                          is directly connected, advpn_0
    (...)

    France02 # diag ip address list | grep advpn
    IP=10.10.10.2->10.10.10.1/255.255.255.255 index=15 devname=advpn
    IP=10.10.10.2->10.10.10.3/255.255.255.255 index=19 devname=advpn_0

The same overlay IP (10.10.10.2) is assigned to:
- the interface towards the Hub (advpn)
- the interface towards the France03 Spoke (advpn_0)
Shortcut tunnels with a dedicated interface “net-device enable” for shortcuts

    France02 # get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
    (...)
           * - candidate default

    S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
    C       10.10.10.0/24 is directly connected, advpn
    C       10.10.10.2/32 is directly connected, advpn
                          is directly connected, advpn_0
    C       10.10.10.3/32 is directly connected, advpn_0          <- Added by IKE
    B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 02:38:15
    C       192.168.2.0/24 is directly connected, internal
    B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn_0, 00:00:28
    C       198.51.100.0/24 is directly connected, wan

The BGP Next-Hop of France03 (10.10.10.3) is directly connected on the shortcut interface.
Spoke-to-Spoke traffic flows through the shortcut.
ADVPN with BGP configuration

Hub configuration = iBGP Route Reflector (RR)

    config router bgp
        set as 65000
        set router-id 10.10.10.1
        config neighbor-group
            edit "advn_peers"
                set remote-as 65000
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                set neighbor-group "advn_peers"
            next
        end
        config network
            edit 1
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end

[Diagram: AS 65000. Paris BGP Route Reflector (10.10.10.1) peers over the advpn overlay 10.10.10.0/24 (iBGP) with the RR-Clients France02 (10.10.10.2) and France03 (10.10.10.3), reached across ISP1 198.51.100.0/24; LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24]
Spoke configuration = iBGP RR-Client

    config router bgp
        set as 65000
        set router-id 10.10.10.2
        config neighbor
            edit "10.10.10.1"
                set remote-as 65000
            next
        end
        config network
            edit 1
                set prefix 192.168.2.0 255.255.255.0
            next
        end
    end
ADVPN with OSPF configuration

OSPF configuration
- Filter overlay IPs

Overlay IPs (10.10.10.x/32) are exchanged via ADVPN and via OSPF.
The overlay IPs learned from OSPF must be filtered out from the RIB.

    config router prefix-list
        edit "PFL_filter_overlay_IPs"
            set comments "Filter the overlay IPs 10.10.10.*/32 from LSDB to RIB"
            config rule
                edit 1
                    set action deny
                    set prefix 10.10.10.0 255.255.255.0
                    set ge 32
                    set le 32
                next
                edit 2
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    set le 32
                next
            end
        next
    end

    config router ospf
        (...)
        set distribute-list-in "PFL_filter_overlay_IPs"
        (...)
    end
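The first rule drops only the /32 host routes inside 10.10.10.0/24 (ge 32 / le 32), so the overlay subnet itself and every other prefix fall through to rule 2 and are kept. The Python below is an added example, not part of the deck, that applies this prefix-list to a few constructed candidate OSPF routes; it assumes the usual ge/le semantics (a rule without ge/le is an exact match, a rule with only le matches from the rule prefix's own length up to le) and the implicit deny at the end of a prefix-list.

```python
"""Apply the deck's "PFL_filter_overlay_IPs" prefix-list to candidate OSPF routes
and show which ones 'distribute-list-in' keeps out of the RIB."""
import ipaddress

# Rules as in the deck. ge/le bound the prefix length a route must have to match
# (assumed Cisco-style semantics: no ge/le means exact match, only 'le' set means
# lengths from the rule prefix's own length up to le). An unset action is permit.
PFL_FILTER_OVERLAY_IPS = [
    {"action": "deny",   "prefix": "10.10.10.0/24", "ge": 32, "le": 32},
    {"action": "permit", "prefix": "0.0.0.0/0",    "ge": None, "le": 32},
]


def rule_matches(rule, route):
    """True when route lies inside the rule prefix with an allowed length."""
    base = ipaddress.ip_network(rule["prefix"])
    if not route.subnet_of(base):
        return False
    if rule["ge"] is None and rule["le"] is None:
        return route.prefixlen == base.prefixlen          # exact match
    lo = base.prefixlen if rule["ge"] is None else rule["ge"]
    hi = route.max_prefixlen if rule["le"] is None else rule["le"]
    return lo <= route.prefixlen <= hi


def prefix_list_permits(rules, prefix):
    """First matching rule decides; a prefix-list ends with an implicit deny."""
    route = ipaddress.ip_network(prefix)
    for rule in rules:
        if rule_matches(rule, route):
            return rule["action"] == "permit"
    return False


def filter_routes(rules, prefixes):
    """Split candidate routes into (installed, filtered), as distribute-list-in does."""
    installed = [p for p in prefixes if prefix_list_permits(rules, p)]
    return installed, [p for p in prefixes if p not in installed]


if __name__ == "__main__":
    # Constructed LSDB sample: two overlay /32s (also learned via ADVPN itself),
    # the overlay subnet and a Spoke LAN.
    candidates = ["10.10.10.1/32", "10.10.10.3/32", "10.10.10.0/24", "192.168.3.0/24"]
    print(filter_routes(PFL_FILTER_OVERLAY_IPS, candidates))
```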
OSPF configuration
- Prevent traffic from transiting via Spokes

OSPF adjacencies are established over the shortcut tunnels.
Each ADVPN participant has a global view of all the links (Hub↔Spoke and Spoke↔Spoke).
If no care is taken, traffic between two Spokes (A and B) may transit via another Spoke (T).
Only the Hub can orchestrate a shortcut negotiation between two Spokes.
If data traffic between two Spokes (A and B) transits via another Spoke (T), then no shortcut can be established between A and B.
The Hub→Spoke OSPF cost and the Spoke→Hub OSPF cost must be configured in such a way that it is less expensive to transit via the Hub than to transit via another Spoke.
OSPF configuration
- Prevent traffic from transiting via Spokes

France02 → Hub → France04: the path cost via the Hub is 101.
France02 → France03 → France04: the path cost via France03 is 200.

[Diagram: Paris Hub 10.10.10.1/24 with OSPF cost=1 on its advpn interface; Spokes France02 (10.10.10.2/24), France03 (10.10.10.3/24), France04 (10.10.10.4/24) and France05 (10.10.10.5/24) with cost=100 on their advpn interface, over ISP1 198.51.100.0/24; LANs 192.168.2.0/24 to 192.168.5.0/24]
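An added Python check (not from the deck) of the cost rule with the deck's own numbers: Hub advpn cost 1, Spoke advpn cost 100, and the same Spoke cost on a shortcut adjacency since it runs over the same ospf-interface. The node names and the set of existing shortcuts (France02↔France03 and France03↔France04, as drawn) are assumptions for the illustration; the example also shows what a mis-sized Hub cost does and how a direct shortcut wins once it exists.

```python
"""Worked check of the ADVPN OSPF cost rule: with no direct shortcut,
SpokeA -> Hub -> SpokeB must cost less than SpokeA -> SpokeT -> SpokeB, or the
Hub never carries the traffic and therefore cannot trigger the A<->B shortcut."""
import heapq


def build_topology(spokes, hub_cost, spoke_cost, shortcuts=()):
    """Directed OSPF graph; edge weights are the *sending* side's interface cost.
    hub_cost   = 'set cost' on the Hub's advpn ospf-interface (deck: 1)
    spoke_cost = 'set cost' on each Spoke's advpn ospf-interface (deck: 100); a
                 shortcut adjacency uses that same interface, so it also prices
                 the Spoke-to-Spoke links listed in 'shortcuts'."""
    g = {"Hub": {}}
    for s in spokes:
        g[s] = {"Hub": spoke_cost}
        g["Hub"][s] = hub_cost
    for a, b in shortcuts:
        g[a][b] = spoke_cost
        g[b][a] = spoke_cost
    return g


def shortest_path(g, src, dst):
    """Dijkstra; returns (cost, [nodes]) or None when dst is unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                          # stale heap entry
        if u == dst:
            break
        for v, w in g[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def hub_path_preferred(hub_cost, spoke_cost):
    """The deck's rule in closed form: spoke_cost + hub_cost < 2 * spoke_cost,
    i.e. the Hub's outgoing cost must be strictly lower than the Spokes' (a tie
    would leave the choice to ECMP)."""
    return spoke_cost + hub_cost < 2 * spoke_cost


def transit_spokes(g, src, dst):
    """Spokes other than src/dst that the best path crosses; empty when traffic
    goes via the Hub or over a direct shortcut."""
    res = shortest_path(g, src, dst)
    if res is None:
        return None
    return [n for n in res[1][1:-1] if n != "Hub"]


SPOKES = ["France02", "France03", "France04", "France05"]        # assumed names
EXISTING_SHORTCUTS = [("France02", "France03"), ("France03", "France04")]

if __name__ == "__main__":
    good = build_topology(SPOKES, 1, 100, EXISTING_SHORTCUTS)
    print(shortest_path(good, "France02", "France04"))          # cost 101 via Hub
    bad = build_topology(SPOKES, 150, 100, EXISTING_SHORTCUTS)
    print(shortest_path(bad, "France02", "France04"))           # cost 200 via France03
```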
Hub OSPF configuration

    config router ospf
        set router-id 10.10.10.1
        set distribute-list-in "PFL_filter_overlay_IPs"
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "advpn"
                set interface "advpn"
                set network-type point-to-multipoint
                set mtu-ignore enable
                set cost 1
                set hello-interval 10
                set dead-interval 40
            next
        end
        config network
            edit 1
                set prefix 10.10.10.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end

distribute-list-in “PFL_filter_overlay_IPs”
Filter the overlay tunnel IPs (10.10.10.x/32). The overlay IPs are advertised by the ADVPN protocol and by OSPF. Filter out the overlay IPs learned from OSPF and only keep those advertised by ADVPN itself.

cost 1
When no shortcut is established between two Spokes, Spoke↔Spoke traffic should prefer flowing through the Hub rather than through another Spoke. The OSPF cost of the “SpokeA → Hub → SpokeB” path must be less than the OSPF cost of the “SpokeA → SpokeT → SpokeB” path.

network-type point-to-multipoint
With the default of “net-device disable” configured for the phase1, multiple OSPF adjacencies can be established over the “advpn” tunnel interface. The OSPF type for this interface is therefore “point-to-multipoint”.

mtu-ignore enable
Multiple tunnels with possibly different MTUs (e.g., NATed Spokes) are associated to the same interface. The MTU must be ignored during OSPF adjacency negotiation.

hello-interval 10, dead-interval 40
The default timers for “point-to-multipoint” OSPF interfaces are 30 seconds for the Hello timer and 120 seconds for the Dead timer. OSPF timers must match between peers. These two CLI settings set the timers to the default values used by OSPF “point-to-point” interfaces.

[Diagram: Paris Hub (10.10.10.1) in OSPF area 0.0.0.0, advpn interface point-to-multipoint with cost 1; Spokes France02 (10.10.10.2) and France03 (10.10.10.3) over ISP1 198.51.100.0/24; overlay 10.10.10.0/24]
Hub OSPF configuration: Hub configured with “net-device enable”
This configuration is not recommended and is not supported for SD-WAN

    config router ospf
        set router-id 10.10.10.1
        set distribute-list-in "PFL_filter_overlay_IPs"
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "advpn"
                set interface "advpn"
                set network-type point-to-point
                set mtu-ignore enable
                set cost 1
            next
        end
        config network
            edit 1
                set prefix 10.10.10.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.1.0 255.255.255.0
            next
        end
    end

distribute-list-in “PFL_filter_overlay_IPs”
Filter the overlay tunnel IPs (10.10.10.x/32). The overlay IPs are advertised by the ADVPN protocol and by OSPF. Filter out the overlay IPs learned from OSPF and only keep those advertised by ADVPN itself.

cost 1
When no shortcut is established between two Spokes, Spoke↔Spoke traffic should prefer flowing through the Hub rather than through another Spoke. The OSPF cost of the “SpokeA → Hub → SpokeB” path must be less than the OSPF cost of the “SpokeA → SpokeT → SpokeB” path.

network-type point-to-point
With “net-device enable” configured for the phase1, an interface “advpn_xx” is dynamically created along with the “advpn_xx” tunnel itself. A single OSPF adjacency is established over the dedicated tunnel interface “advpn_xx”. The OSPF type for this interface is therefore “point-to-point”.

mtu-ignore enable
If all the ADVPN Spokes are configured with “net-device enable” for their ADVPN phase1, then this setting is not needed. If at least one ADVPN Spoke is configured with “net-device disable” for its ADVPN phase1, then it is recommended to ignore the MTU during OSPF negotiation.
Spoke OSPF configuration: “net-device disable” for shortcuts
This configuration is not supported for SD-WAN

    config router ospf
        set router-id 10.10.10.2
        set distribute-list-in "PFL_filter_overlay_IPs"
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "advpn"
                set interface "advpn"
                set network-type point-to-multipoint
                set cost 100
                set hello-interval 10
                set dead-interval 40
                set mtu-ignore enable
            next
        end
        config network
            edit 1
                set prefix 10.10.10.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.2.0 255.255.255.0
            next
        end
    end

distribute-list-in “PFL_filter_overlay_IPs”
Filter the overlay tunnel IPs (10.10.10.x/32). The overlay IPs are advertised by the ADVPN protocol and by OSPF. Filter out the overlay IPs learned from OSPF and only keep those advertised by ADVPN itself.

cost 100
When no shortcut is established between two Spokes, Spoke↔Spoke traffic should prefer flowing through the Hub rather than through another Spoke. The OSPF cost of the “SpokeA → Hub → SpokeB” path must be less than the OSPF cost of the “SpokeA → SpokeT → SpokeB” path.

network-type point-to-multipoint
With the default of “net-device disable” configured for the phase1, multiple OSPF adjacencies can be established over the “advpn” tunnel interface. The OSPF type for this interface is therefore “point-to-multipoint”.

mtu-ignore enable
Multiple tunnels with possibly different MTUs (e.g., NATed Spokes) are associated to the same interface. The MTU must be ignored during OSPF adjacency negotiation.

hello-interval 10, dead-interval 40
The default timers for “point-to-multipoint” OSPF interfaces are 30 seconds for the Hello timer and 120 seconds for the Dead timer. OSPF timers must match between peers. These two CLI settings set the timers to the default values used by OSPF “point-to-point” interfaces.
Spoke OSPF configuration: “net-device enable” for shortcuts

    config router ospf
        set router-id 10.10.10.2
        set distribute-list-in "PFL_filter_overlay_IPs"
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "advpn"
                set interface "advpn"
                set network-type point-to-point
                set mtu-ignore enable
                set cost 100
            next
        end
        config network
            edit 1
                set prefix 10.10.10.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.2.0 255.255.255.0
            next
        end
    end

distribute-list-in “PFL_filter_overlay_IPs”
Filter the overlay tunnel IPs (10.10.10.x/32). The overlay IPs are advertised by the ADVPN protocol and by OSPF. Filter out the overlay IPs learned from OSPF and only keep those advertised by ADVPN itself.

cost 100
When no shortcut is established between two Spokes, Spoke↔Spoke traffic should prefer flowing through the Hub rather than through another Spoke. The OSPF cost of the “SpokeA → Hub → SpokeB” path must be less than the OSPF cost of the “SpokeA → SpokeT → SpokeB” path.

network-type point-to-point
With “net-device enable” configured for the phase1, an interface “advpn_xx” is dynamically created along with the “advpn_xx” tunnel itself. A single OSPF adjacency is established over the dedicated tunnel interface “advpn_xx”. The OSPF type for this interface is therefore “point-to-point”.

mtu-ignore enable
If the ADVPN Hub and all ADVPN Spokes are configured with “net-device enable” for their ADVPN phase1, then this setting is not needed. If at least one ADVPN Spoke is configured with “net-device disable” for its ADVPN phase1, then it is recommended to ignore the MTU during OSPF negotiation.
Dual Region (BGP)
Interconnecting two independent Hub & Spoke Regions

Dual Region (BGP): Overlay
An IPsec tunnel between the Hubs is required to exchange the ADVPN shortcut messages.

[Diagram: Region 1: Paris Hub (overlay 10.10.10.1/24, LAN 192.168.1.0/24) with Spokes France02 (10.10.10.2/24, LAN 192.168.2.0/24) and France03 (10.10.10.3/24, LAN 192.168.3.0/24) over ISP1 198.51.100.0/24. Region 2: Madrid Hub (overlay 10.20.20.1/24, LAN 192.168.101.0/24) with Spokes Spain102 (10.20.20.2/24, LAN 192.168.102.0/24) and Spain103 (10.20.20.3/24, LAN 192.168.103.0/24) over ISP2 203.0.113.0/24. Hub-to-Hub tunnel: Paris 10.255.255.1/32 ↔ Madrid 10.255.255.2/32]
Dual Region (BGP): Overlay

Each region has a distinct AS: AS 65000 (Paris region) and AS 65100 (Madrid region).
iBGP is used for intra-region routing.
eBGP is used for inter-region routing.
Dual Region (BGP): IPsec configuration

Dual Region (BGP)
Two use cases:
- Shortcuts are established only between Spokes
  » Shortcuts are established between Spokes within the same region and across regions
- Shortcuts are established between Spokes and with the Hubs (as of FortiOS 6.2.1)
  » Shortcuts are established between Spokes within the same region and across regions
  » Shortcuts are established between Spokes of one region towards the Hub of the other region
Dual Region (BGP): shortcuts are established only between Spokes
Shortcuts are established between Spokes within the same region and across regions.

Paris:

    config vpn ipsec phase1-interface
        edit "toMadrid"
            set interface "wan"
            set proposal aes128-sha1
            set auto-discovery-forwarder enable
            set remote-gw 203.0.113.1
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toMadrid"
            set phase1name "toMadrid"
            set proposal aes128-sha1
        next
    end
    config system interface
        edit "toMadrid"
            set ip 10.255.255.1/32
            set remote-ip 10.255.255.2/32
        next
    end

Madrid:

    config vpn ipsec phase1-interface
        edit "toParis"
            set interface "wan"
            set proposal aes128-sha1
            set auto-discovery-forwarder enable
            set remote-gw 198.51.100.1
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toParis"
            set phase1name "toParis"
            set proposal aes128-sha1
        next
    end
    config system interface
        edit "toParis"
            set ip 10.255.255.2/32
            set remote-ip 10.255.255.1/32
        next
    end
Dual Region (BGP): shortcuts are established between Spokes and with the Hubs (as of FortiOS 6.2.1)
Shortcuts are established between Spokes within the same region and across regions, and between Spokes of one region towards the Hub of the other region.

Paris:

    config vpn ipsec phase1-interface
        edit "toMadrid"
            set interface "wan"
            set proposal aes128-sha1
            set auto-discovery-forwarder enable
            set auto-discovery-sender enable
            set auto-discovery-receiver enable
            set net-device disable
            set tunnel-search nexthop
            set add-route disable
            set remote-gw 203.0.113.1
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toMadrid"
            set phase1name "toMadrid"
            set proposal aes128-sha1
        next
    end
    config system interface
        edit "toMadrid"
            set ip 10.255.255.1/32
            set remote-ip 10.255.255.2/32
        next
    end

Madrid:

    config vpn ipsec phase1-interface
        edit "toParis"
            set interface "wan"
            set proposal aes128-sha1
            set auto-discovery-forwarder enable
            set auto-discovery-sender enable
            set auto-discovery-receiver enable
            set net-device disable
            set tunnel-search nexthop
            set add-route disable
            set remote-gw 198.51.100.1
            set psksecret xxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "toParis"
            set phase1name "toParis"
            set proposal aes128-sha1
        next
    end
    config system interface
        edit "toParis"
            set ip 10.255.255.2/32
            set remote-ip 10.255.255.1/32
        next
    end
Dual Region (BGP): BGP configuration

Dual Region (BGP)

Paris:

    config router bgp
        set as 65000
        set router-id 10.10.10.1
        config neighbor
            edit "10.255.255.2"
                set attribute-unchanged next-hop
                set ebgp-enforce-multihop enable
                set remote-as 65100
            next
        end
    end

attribute-unchanged next-hop
Keep the BGP Next-Hop attribute unchanged when iBGP routes exit the AS. This is mandatory to allow routing convergence over the ADVPN shortcuts.

ebgp-enforce-multihop
Required to keep the next-hop unchanged.

[Diagram: eBGP between Paris (AS 65000, 10.255.255.1/32) and Madrid (AS 65100, 10.255.255.2/32) over the Hub-to-Hub tunnel; iBGP inside each region]
Dual Region (BGP)

Madrid:

    config router bgp
        set as 65100
        set router-id 10.20.20.1
        config neighbor
            edit "10.255.255.1"
                set attribute-unchanged next-hop
                set ebgp-enforce-multihop enable
                set remote-as 65000
            next
        end
    end
Dual Region (BGP): BGP Next-Hop Reachability

Dual Region - BGP Next Hop Reachability

    France02 # get router info bgp network
    BGP table version is 2, local router ID is 10.10.10.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight RouteTag Path
    *>i192.168.1.0      10.10.10.1               0    100      0        0 i <-/1>
    *> 192.168.2.0      0.0.0.0                100       32768           0 i <-/1>
    *>i192.168.3.0      10.10.10.3               0    100      0        0 i <-/1>
    *>i192.168.101.0    10.255.255.2             0    100      0        0 65100 i <-/1>
    *>i192.168.102.0    10.20.20.2               0    100      0        0 65100 i <-/1>
    *>i192.168.103.0    10.20.20.3               0    100      0        0 65100 i <-/1>

    Total number of prefixes 6

The BGP Next-Hop must be accessible through the tunnel:

    config router static
        edit …
            set dst 10.20.20.0 255.255.255.0
            set device "advpn"
            set comment "Spain overlay subnet"
        next
    end
Dual Region - BGP Next Hop Reachability
No shortcut is established between France02 and Spain103

    France02 # config router static
        edit …
            set dst 10.20.20.0 255.255.255.0
            set device "advpn"
            set comment "Spain overlay subnet"
        next
    end

    France02 # get router info routing-table details 10.20.20.3
    Routing table for VRF=0
    Routing entry for 10.20.20.0/24
      Known via "static", distance 10, metric 0, best
      * 10.10.10.1, via advpn

The BGP Next-Hop of the Spain103 Spoke (10.20.20.3) is accessible via the Paris Hub (10.10.10.1).
Dual Region - BGP Next Hop Reachability
No shortcut is established between France02 and Spain103

    France02 # get router info routing-table all
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
    (...)
           * - candidate default

    S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
    C       10.10.10.0/24 is directly connected, advpn
    C       10.10.10.2/32 is directly connected, advpn
    S       10.20.20.0/24 [10/0] via 10.10.10.1, advpn
    S       10.255.255.0/30 [10/0] via 10.10.10.1, advpn
    B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 01:03:34
    C       192.168.2.0/24 is directly connected, internal
    B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 01:03:06
    B       192.168.101.0/24 [200/0] via 10.255.255.2 (recursive via 10.10.10.1), 01:03:06
    B       192.168.102.0/24 [200/0] via 10.20.20.2 (recursive via 10.10.10.1), 01:02:38
    B       192.168.103.0/24 [200/0] via 10.20.20.3 (recursive via 10.10.10.1), 01:02:38
    C       198.51.100.0/24 is directly connected, wan

France02↔Spain103 traffic flows through the Hubs.
Dual Region - BGP Next Hop Reachability: “net-device disable” for shortcuts
This configuration is not supported for SD-WAN
Shortcut is established between France02 and Spain103

    France02 # get router info routing-table all
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
    (...)
           * - candidate default

    S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
    C       10.10.10.0/24 is directly connected, advpn
    C       10.10.10.2/32 is directly connected, advpn
    S       10.20.20.0/24 [10/0] via 10.10.10.1, advpn
    S       10.20.20.3/32 [15/0] via 10.20.20.3, advpn                    <- Added by IKE
    S       10.255.255.0/30 [10/0] via 10.10.10.1, advpn
    B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 01:44:35
    C       192.168.2.0/24 is directly connected, internal
    B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 01:44:07
    B       192.168.101.0/24 [200/0] via 10.255.255.2 (recursive via 10.10.10.1), 01:44:07
    B       192.168.102.0/24 [200/0] via 10.20.20.2 (recursive via 10.10.10.1), 01:43:39
    B       192.168.103.0/24 [200/0] via 10.20.20.3 (recursive via 10.20.20.3), 00:00:08
    C       198.51.100.0/24 is directly connected, wan

France02↔Spain103 traffic flows through the shortcut.
Dual Region - BGP Next Hop Reachability: “net-device enable” for shortcuts
Shortcut is established between France02 and Spain103.

France02 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       (...)
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
C       10.10.10.0/24 is directly connected, advpn
C       10.10.10.2/32 is directly connected, advpn
S       10.20.20.0/24 [10/0] via 10.10.10.1, advpn
C       10.20.20.3/32 is directly connected, advpn_0                                 <- Added by IKE
S       10.255.255.0/30 [10/0] via 10.10.10.1, advpn
B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 00:01:27
C       192.168.2.0/24 is directly connected, internal
B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 00:01:27
B       192.168.101.0/24 [200/0] via 10.255.255.2 (recursive via 10.10.10.1), 00:01:27
B       192.168.102.0/24 [200/0] via 10.20.20.2 (recursive via 10.10.10.1), 00:01:27
B       192.168.103.0/24 [200/0] via 10.20.20.3, advpn_0, 00:00:22
C       198.51.100.0/24 is directly connected, wan

With net-device enabled every shortcut is a dedicated interface (here advpn_0). The shortcut peer's overlay address shows up as a connected /32 on that interface, so the BGP route to 192.168.103.0/24 points straight at advpn_0 and no recursion is needed.

[Diagram: same dual-region topology, with the France02↔Spain103 shortcut drawn between the two Spokes]
France02↔Spain103 traffic flows through the shortcut
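The recursion the three France02 routing tables above go through, as an added Python model (not FortiOS code, not part of the original deck). The RIB is a list of routes copied from the slides, lookup is longest-prefix-match, and a BGP next-hop is resolved by looking it up again until a connected route or an IKE-installed host route is hit, which is what the "(recursive via ...)" column in the FortiOS output reports. The mapping from the resolved overlay next-hop to the actual shortcut peer (the "ipv4 route tree" of diag vpn tunnel list) is not modelled; the route tuples and helper names are this example's own.

```python
"""
Recursive BGP next-hop resolution on an ADVPN spoke, modelled on the
France02 routing tables (no shortcut; shortcut with net-device disable;
shortcut with net-device enable). Illustration only, not FortiOS code.
"""
import ipaddress


def route(prefix, distance, gateway, iface):
    """A RIB entry; gateway None means 'is directly connected'."""
    return (ipaddress.ip_network(prefix), distance, gateway, iface)


# France02 before any shortcut (codes S*, C, C, S, S, C on the slide).
BASE_RIB = [
    route("0.0.0.0/0",       10, "198.51.100.254", "wan"),
    route("10.10.10.0/24",    0, None,             "advpn"),     # France overlay
    route("10.10.10.2/32",    0, None,             "advpn"),
    route("10.20.20.0/24",   10, "10.10.10.1",     "advpn"),     # Spain overlay via Paris
    route("10.255.255.0/30", 10, "10.10.10.1",     "advpn"),     # Paris-Madrid overlay via Paris
    route("192.168.2.0/24",   0, None,             "internal"),
]

# What IKE installs for the Spain103 shortcut (peer overlay address 10.20.20.3).
IKE_HOST_ROUTE = {
    "net-device disable": route("10.20.20.3/32", 15, "10.20.20.3", "advpn"),    # S [15/0] via itself
    "net-device enable":  route("10.20.20.3/32",  0, None,         "advpn_0"),  # C on the shortcut interface
}


def lpm(rib, addr):
    """Longest-prefix match; on equal length the lower administrative distance wins."""
    addr = ipaddress.ip_address(addr)
    matches = [r for r in rib if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1])) if matches else None


def resolve(rib, nexthop, max_depth=8):
    """Resolve a BGP next-hop to (egress interface, gateway actually used).

    Returns None when the next-hop is unreachable (the BGP route would be inactive).
    """
    nh = nexthop
    for _ in range(max_depth):
        r = lpm(rib, nh)
        if r is None:
            return None
        _, _, gw, iface = r
        if gw is None or gw == nh:      # connected, or the IKE host route pointing at itself
            return (iface, nh)
        nh = gw                         # one more level of recursion
    return None


def egress_for_spain103(mode):
    """Where France02 sends 192.168.103.0/24 (BGP next-hop 10.20.20.3) in each mode."""
    rib = BASE_RIB + ([IKE_HOST_ROUTE[mode]] if mode in IKE_HOST_ROUTE else [])
    return resolve(rib, "10.20.20.3")


if __name__ == "__main__":
    for mode in ("no shortcut", "net-device disable", "net-device enable"):
        print(f"{mode:19s} -> {egress_for_spain103(mode)}")
```

Without a shortcut the next-hop falls into 10.20.20.0/24 and resolves to the Hub (advpn, 10.10.10.1); with net-device disable the IKE-added /32 wins the longest match and the gateway becomes 10.20.20.3 on advpn; with net-device enable the same /32 is connected on advpn_0, so no recursion happens at all.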
ADVPN troubleshooting
IPsec & Routing
Troubleshooting
IPsec
Troubleshooting – IPsec

Overlay IP address (local-ip and remote-ip of the tunnel interface):

France02 # diag ip address list | grep advpn
IP=10.10.10.2->10.10.10.1/255.255.255.0 index=15 devname=advpn

Tunnels summary (tunnel to the Hub plus one shortcut):

France02 # get vpn ipsec tunnel summary
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 1606/0  tx(pkt,err): 1539/0      <- Tunnel to Hub
'advpn_0' 198.51.100.3:0  selectors(total,up): 1/1  rx(pkt,err): 1136/0  tx(pkt,err): 1051/0    <- Shortcut tunnel

France02 # diag vpn ike status detailed
vd: root/0
name: advpn
version: 1
used-index: 0
connection: 2/6
IKE SA: created 2/6  established 2/5  times 0/1858/9010 ms
IPsec SA: created 2/7  established 2/6  times 0/13/40 ms
Troubleshooting – IPsec

Initial state = no shortcut yet. Ping from the France02 LAN to the France03 LAN:

[root:~]# ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=252 time=1.1 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=253 time=0.6 ms     <- TTL change
64 bytes from 192.168.3.1: icmp_seq=2 ttl=253 time=0.5 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=253 time=0.3 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=253 time=0.4 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.5/1.1 ms

France02 # get vpn ipsec tunnel summary
'advpn_0' 198.51.100.3:0  selectors(total,up): 1/1  rx(pkt,err): 6/0  tx(pkt,err): 6/0          <- New: shortcut to France03
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 125/0  tx(pkt,err): 113/0

The first reply crossed three FortiGates (France03, Paris, France02) and arrives with TTL 252; from the second packet on the TTL is 253 because the shortcut took Paris out of the path. The TTL change is therefore a quick data-plane confirmation that traffic really moved onto the shortcut, independent of the tunnel summary.

Ping from the France02 LAN to the Spain102 LAN:

[root:~]# ping 192.168.102.1
PING 192.168.102.1 (192.168.102.1): 56 data bytes
64 bytes from 192.168.102.1: icmp_seq=0 ttl=251 time=1.8 ms
64 bytes from 192.168.102.1: icmp_seq=1 ttl=253 time=0.7 ms   <- TTL change
64 bytes from 192.168.102.1: icmp_seq=2 ttl=253 time=0.7 ms
64 bytes from 192.168.102.1: icmp_seq=3 ttl=253 time=0.8 ms
64 bytes from 192.168.102.1: icmp_seq=4 ttl=253 time=0.7 ms

--- 192.168.102.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.9/1.8 ms

France02 # get vpn ipsec tunnel summary
'advpn_0' 198.51.100.3:0  selectors(total,up): 1/1  rx(pkt,err): 7/0  tx(pkt,err): 7/0
'advpn_1' 203.0.113.102:0  selectors(total,up): 1/1  rx(pkt,err): 5/0  tx(pkt,err): 5/0        <- New: shortcut to Spain102
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 134/0  tx(pkt,err): 121/0

Here the first reply crossed both Hubs (TTL 251, four routers) and the later ones only Spain102 and France02 (TTL 253).
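The two checks above (a new advpn_N entry in the tunnel summary, and the TTL of the ping replies dropping by one router per Hub removed from the path) can be automated. The following is an added Python example, not Fortinet tooling; the summary and ping text are constructed from the slide output, and it assumes the pinged host starts its TTL at 255, which is what the observed values 252/253 and 251/253 imply for this lab.

```python
"""
Detect a newly negotiated ADVPN shortcut from two 'get vpn ipsec tunnel summary'
captures, and infer from ping TTLs whether the path got shorter.
Added example; sample text is constructed from the slide output.
"""
import re

SUMMARY_BEFORE = """\
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 125/0  tx(pkt,err): 113/0
"""
SUMMARY_AFTER = """\
'advpn_0' 198.51.100.3:0  selectors(total,up): 1/1  rx(pkt,err): 6/0  tx(pkt,err): 6/0
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 125/0  tx(pkt,err): 113/0
"""
PING_FRANCE03 = """\
64 bytes from 192.168.3.1: icmp_seq=0 ttl=252 time=1.1 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=253 time=0.6 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=253 time=0.5 ms
"""

SUMMARY_RE = re.compile(
    r"^'(?P<name>[^']+)'\s+(?P<peer>[\d.]+):(?P<port>\d+)\s+"
    r"selectors\(total,up\):\s*(?P<sel_total>\d+)/(?P<sel_up>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rxp>\d+)/(?P<rxe>\d+)\s+"
    r"tx\(pkt,err\):\s*(?P<txp>\d+)/(?P<txe>\d+)")


def parse_summary(text):
    """Map tunnel name -> counters, from 'get vpn ipsec tunnel summary' lines."""
    tunnels = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        fields = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        tunnels[fields.pop("name")] = fields
    return tunnels


def new_shortcuts(before, after, parent="advpn"):
    """Tunnels present only in 'after' and named <parent>_<n>: the shortcuts IKE created.
    Returns {shortcut name: peer gateway}."""
    b, a = parse_summary(before), parse_summary(after)
    pattern = re.compile(rf"{re.escape(parent)}_\d+")
    return {n: a[n]["peer"] for n in a if n not in b and pattern.fullmatch(n)}


def hop_counts(ping_text, start_ttl=255):
    """Routers crossed by each reply, assuming the responder starts at start_ttl."""
    return [start_ttl - int(t) for t in re.findall(r"ttl=(\d+)", ping_text)]


def path_shortened(ping_text):
    """True when later replies crossed fewer routers than the first one."""
    hops = hop_counts(ping_text)
    return len(hops) >= 2 and hops[-1] < hops[0]


if __name__ == "__main__":
    print("new shortcuts:", new_shortcuts(SUMMARY_BEFORE, SUMMARY_AFTER))
    print("hops per reply:", hop_counts(PING_FRANCE03), "shortened:", path_shortened(PING_FRANCE03))
```

A shortcut that appears in the summary but no TTL change means the shortcut came up but traffic is still routed through the Hub, which points at next-hop reachability (the routing-table slides above) rather than at IPsec.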
Troubleshooting – IPsec
Bringing down a shortcut

France02 # get vpn ipsec tunnel summary
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 1606/0  tx(pkt,err): 1539/0
'advpn_0' 198.51.100.3:0  selectors(total,up): 1/1  rx(pkt,err): 1136/0  tx(pkt,err): 1051/0

France02 # diag vpn ike gateway flush name advpn_0          <- Shortcuts cannot be flushed via the GUI
France02 # get vpn ipsec tunnel summary
'advpn' 198.51.100.1:0  selectors(total,up): 1/1  rx(pkt,err): 1606/0  tx(pkt,err): 1539/0
Troubleshooting – IPsec
List of all IKE SA (“phase1 up”):

France02 # diag vpn ike gateway list
vd: root/0
name: advpn                                              <- Tunnel towards the Hub (10.10.10.1)
version: 1
interface: port2 4
addr: 198.51.100.2:500 -> 198.51.100.1:500
virtual-interface-addr: 10.10.10.2 -> 10.10.10.1
created: 71630s ago
auto-discovery: 2 receiver
IKE SA: created 1/1  established 1/1  time 9010/9010/9010 ms
IPsec SA: created 1/2  established 1/2  time 0/10/20 ms

  id/spi: 1 bdd67d1022a0408e/4fba5ba5ee388f62
  direction: initiator
  status: established 71630-71621s ago = 9010ms
  proposal: aes128-sha1
  key: da232c99ba37b1a7-d9d1b33065f6594f

Note that this output includes the IKE SA keys (the "key:" lines). Treat captures of it as secrets and redact them before attaching them to a ticket.

(... Continuation on next slide ...)

Troubleshooting – IPsec
List of all IKE SA (“phase1 up”)
(... Continuation from previous slide ...)

vd: root/0
name: advpn_0                                            <- Shortcut tunnel towards France03 (10.10.10.3)
version: 1
interface: port2 4
addr: 198.51.100.2:500 -> 198.51.100.3:500
virtual-interface-addr: 10.10.10.2 -> 10.10.10.3
created: 2535s ago
auto-discovery: 2 receiver
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 5 6ad21160f21d3a42/f1e5376a7a798d78
  direction: initiator
  status: established 2535-2535s ago = 10ms
  proposal: aes128-sha1
  key: db059962e3c581e5-da2462527694dcde
  lifetime/rekey: 86400/83564
  DPD sent/recv: 00000000/00000000
Troubleshooting – IPsec
List of all IPsec SA (“phase2/tunnel up”):

France02 # diag vpn tunnel list
list all ipsec tunnel in vd 0
name=advpn ver=1 serial=1 198.51.100.2:0->198.51.100.1:0 dst_mtu=1500              <- Tunnel towards the Hub (198.51.100.1)
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/544 options[0220]=search-nexthop frag-rfc run_state=0 accept_traffic=1
proxyid_num=1 child_num=1 refcnt=18 ilast=2 olast=2 ad=r/2
stat: rxp=198 txp=226 rxb=25744 txb=15412
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=advpn proto=0 sa=1 ref=2 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=42212/0B replaywin=2048
       seqno=d5 esn=0 replaywin_lastseq=000000b9 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=9373017c esp=aes key=16 2041c61a6ca346ee46829edffbd5f4c9
       ah=sha1 key=20 895da8e9f1d63e4aea5df5db78fdb62eb93b9473
  enc: spi=9b5f61d6 esp=aes key=16 3ac31ca155083a66dfecd4d9abac2df6
       ah=sha1 key=20 aca591a29dae6d104f87a81a9effa8b9e593b55f
  dec:pkts/bytes=184/11347, enc:pkts/bytes=212/28416
run_tally=2
ipv4 route tree:
   10.10.10.3 0
   198.51.100.3 0

The "ipv4 route tree" of the parent tunnel is what tunnel-search nexthop consults: overlay next-hop 10.10.10.3 maps to the shortcut peer 198.51.100.3. "options=search-nexthop" shows the setting is active, and "child_num=1" is the shortcut hanging off this tunnel. As with the IKE gateway list, the ESP keys are printed in clear and must be redacted before sharing.

(... Continuation on next slide ...)

Troubleshooting – IPsec
List of all IPsec SA (“phase2/tunnel up”)
(... Continuation from previous slide ...)

name=advpn_0 ver=1 serial=4 198.51.100.2:0->198.51.100.3:0 dst_mtu=1500            <- Shortcut tunnel towards France03 (198.51.100.3)
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/672 options[02a0]=search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1
parent=advpn index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=10 olast=531 ad=r/2
stat: rxp=14 txp=14 rxb=2128 txb=1176
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=advpn proto=0 sa=1 ref=2 serial=1 adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=42366/0B replaywin=2048
       seqno=f esn=0 replaywin_lastseq=0000000f itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=9373017d esp=aes key=16 8aa4b75b3c8e1ad94ba4878b1548cb5c
       ah=sha1 key=20 449af1d85bb99cd953633949488f70aa652a172d
  enc: spi=21a001a1 esp=aes key=16 6179d7db568e80f19763bd6d5ec57604
       ah=sha1 key=20 8ed691ed67476a350d81b182eeb27c1a95e98ba6
  dec:pkts/bytes=14/1176, enc:pkts/bytes=14/2128

A shortcut is recognisable by mode=dial_inst and the parent=advpn line; with net-device disable it is an SA under the parent tunnel, not a separate interface.
Troubleshooting – IPsec

As of 6.0, multiple IP addresses can be specified to filter the IKE debug (mdst-addr4). This simplifies the debugging of Spoke-to-Spoke shortcut negotiations, which start through the Hub and end directly between the Spokes:

# From Spoke-A, check the shortcut negotiation with Spoke-B (it initially passes through the Hub)
diag debug console timestamp enable
diag vpn ike log filter clear
diag vpn ike log filter mdst-addr4 <ip.of.Hub> <ip.of.Spoke-B>
diag debug application ike -1
diag debug enable

Up to 5.6, a single IP address can be specified to filter the IKE debug (dst-addr4). Spoke-to-Spoke shortcut negotiations must therefore be investigated in two phases:
- 1st phase: investigate the Spoke-to-Hub negotiation, which takes place at the beginning of the shortcut setup
- 2nd phase: investigate the Spoke-to-Spoke negotiation during another failing shortcut setup

diag debug console timestamp enable
diag vpn ike log filter clear
diag vpn ike log filter dst-addr4 <ip.of.Hub or ip.of.Spoke-B>
diag debug application ike -1
diag debug enable

Level -1 IKE debugging is verbose; stop it with "diag debug disable" and clear the filter and debug settings with "diag debug reset" once the capture is done.
Troubleshooting – IKE debugs for shortcut negotiation

[Diagram: France02 (198.51.100.2, LAN host 192.168.2.1) – Paris (198.51.100.1, tunnel advpn_0 to France02 and advpn_1 to France03) – France03 (198.51.100.3, LAN host 192.168.3.1).
 IPsec flow (data plane): France02 encrypts; Paris decrypts on advpn_0, forwards and encrypts on advpn_1; France03 decrypts.
 IKE flow (control plane): Paris sends SHORTCUT-OFFER to France02; France02 sends SHORTCUT-QUERY, which Paris forwards to France03; France03 sends SHORTCUT-REPLY, which Paris forwards to France02; France02 then runs the SHORTCUT NEGOTIATION (a new IKE SA) directly with France03.]

Troubleshooting – IKE debugs for shortcut negotiation
Step 1, on the Hub (Paris): SHORTCUT-OFFER

# IKE process is notified by the IPsec kernel that data traffic from 192.168.2.1 to 192.168.3.1 was forwarded from advpn_0 to advpn_1
ike 0: shortcut advpn_0:198.51.100.2:0 to advpn_1:198.51.100.3:0 for 192.168.2.1->192.168.3.1

# IKE process sends a shortcut-offer to France02 (advpn_0)
ike 0:advpn_0:1: sent IKE msg (SHORTCUT-OFFER): 198.51.100.1:500->198.51.100.2:500, len=188, id=67a5828ff8216c8d/37b349b57406cb19:e8f7caf4

The offer is only ever triggered by traffic that the Hub actually decrypts on one dialup child and re-encrypts on another; traffic that the Hub routes anywhere else (for example to its own LAN) never produces one.
Troubleshooting – IKE debugs for shortcut negotiation
Step 2, on the Spoke (France02): SHORTCUT-OFFER received, SHORTCUT-QUERY sent

# IKE receives a shortcut-offer, accepts it and replies with a shortcut-query
ike 0: comes 198.51.100.1:500->198.51.100.2:500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=67a5828ff8216c8d/37b349b57406cb19:e8f7caf4 len=188
ike 0:advpn:12: notify msg received: SHORTCUT-OFFER
ike 0:advpn: shortcut-offer 192.168.2.1->192.168.3.1 psk 64 ppk 0 ver 1 mode 0
ike 0 looking up shortcut by addr 192.168.3.1, name advpn
ike 0:advpn: send shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ttl 32 nat 0 ver 1 mode 0
ike 0:advpn:12: sent IKE msg (SHORTCUT-QUERY): 198.51.100.2:500->198.51.100.1:500, len=220, id=67a5828ff8216c8d/37b349b57406cb19:6d47b15b
Troubleshooting – IKE debugs for shortcut negotiation
Step 3, on the Hub (Paris): SHORTCUT-QUERY forwarded

# IKE receives a shortcut-query related to data traffic (192.168.2.1→192.168.3.1)
# A routing lookup is done for 192.168.3.1 in order to find the tunnel into which the shortcut-query must be forwarded
# The shortcut-query is forwarded to advpn_1 (France03)
ike 0: comes 198.51.100.2:500->198.51.100.1:500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=67a5828ff8216c8d/37b349b57406cb19:6d47b15b len=220
ike 0:advpn_0:1: notify msg received: SHORTCUT-QUERY
ike 0:advpn_0: recv shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ppk 0 ttl 32 nat 0 ver 1 mode 0
ike 0:advpn: iif 15 192.168.2.1->192.168.3.1 route lookup oif 15
ike 0:advpn_1: forward shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ppk 0 ttl 31 ver 1 mode 0
ike 0:advpn_1:2: sent IKE msg (SHORTCUT-QUERY): 198.51.100.1:500->198.51.100.3:500, len=220, id=dca96501f2b0dec0/14d8345a3ddf87e5:391b1f83
Troubleshooting – IKE debugs for shortcut negotiation
Step 4, on the Spoke (France03): SHORTCUT-QUERY received, SHORTCUT-REPLY sent

# IKE receives a shortcut-query, accepts it and replies with a shortcut-reply
ike 0: comes 198.51.100.1:500->198.51.100.3:500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=dca96501f2b0dec0/14d8345a3ddf87e5:391b1f83 len=220
ike 0:advpn:13: notify msg received: SHORTCUT-QUERY
ike 0:advpn: recv shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ppk 0 ttl 31 nat 0 ver 1 mode 0
ike 0:advpn: iif 15 192.168.2.1->192.168.3.1 route lookup oif 3
ike 0:advpn: send shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ver 1 mode 0
ike 0:advpn:13: sent IKE msg (SHORTCUT-REPLY): 198.51.100.3:500->198.51.100.1:500, len=220, id=dca96501f2b0dec0/14d8345a3ddf87e5:12037459
Troubleshooting – IKE debugs for shortcut negotiation
Step 5, on the Hub (Paris): SHORTCUT-REPLY forwarded

# IKE receives a shortcut-reply related to data traffic (192.168.3.1→192.168.2.1)
# A routing lookup is done for 192.168.2.1 in order to find the tunnel into which the shortcut-reply must be forwarded
# The shortcut-reply is forwarded to advpn_0 (France02)
ike 0: comes 198.51.100.3:500->198.51.100.1:500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=dca96501f2b0dec0/14d8345a3ddf87e5:12037459 len=220
ike 0:advpn_1:2: notify msg received: SHORTCUT-REPLY
ike 0:advpn_1: recv shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ver 1 mode 0
ike 0:advpn: iif 15 192.168.3.1->192.168.2.1 route lookup oif 15
ike 0:advpn_0: forward shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ttl 31 ver 1 mode 0
ike 0:advpn_0:1: sent IKE msg (SHORTCUT-REPLY): 198.51.100.1:500->198.51.100.2:500, len=220, id=67a5828ff8216c8d/37b349b57406cb19:ead55273
Troubleshooting – IKE debugs for shortcut negotiation
Step 6, on the Spoke (France02): SHORTCUT-REPLY received, shortcut negotiation started

# IKE receives a shortcut-reply and initiates a tunnel (shortcut) negotiation with 198.51.100.3 (France03)
ike 0: comes 198.51.100.1:500->198.51.100.2:500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=67a5828ff8216c8d/37b349b57406cb19:ead55273 len=220
ike 0:advpn:12: notify msg received: SHORTCUT-REPLY
ike 0:advpn: recv shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ver 1 mode 0
ike 0:advpn: iif 15 192.168.3.1->192.168.2.1 route lookup oif 3
ike 0:advpn: created connection: 0xd29ba30 4 198.51.100.2->198.51.100.3:500.
ike 0:advpn: adding new dynamic tunnel for 198.51.100.3:500
ike 0:advpn_0: added new dynamic tunnel for 198.51.100.3:500
ike 0:advpn_0:13: initiator: main mode is sending 1st message...
ike 0:advpn_0:13: cookie cd1adf65f3afde0d/d525765a5a0840ba
ike 0:advpn_0:13: sent IKE msg (ident_i1send): 198.51.100.2:500->198.51.100.3:500, len=372, id=cd1adf65f3afde0d/d525765a5a0840ba

Two things tie the whole exchange together in the debugs. The shortcut id (3402812622499100305) is the same on every query/reply line on all three devices, so it is the value to grep for when the capture comes from several boxes. The cookie pair is built up along the way: the query carries the initiator cookie with an empty responder half (cd1adf65f3afde0d/0000000000000000), the reply fills in the responder half (d525765a5a0840ba), and the main-mode first message of the new shortcut IKE SA uses exactly that pair, which is how the shortcut negotiation can be matched to the resulting SA in "diag vpn ike gateway list". The ttl field drops from 32 to 31 as the Hub forwards the query, one decrement per Hub crossed.
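The correlation just described (group by shortcut id, track the ttl decrements, match the reply's cookies to the new IKE SA) as an added Python example. This is not Fortinet tooling; the sample lines are copied from the France02 / Paris / France03 debug excerpts above, and the device tag on each line is added here because a real capture comes from one device at a time.

```python
"""
Reconstruct an ADVPN shortcut negotiation from 'diag debug application ike -1'
output, correlating SHORTCUT-QUERY / SHORTCUT-REPLY lines by shortcut id.
Added example. SAMPLE is constructed from the debug excerpts on the slides.
"""
import re

SAMPLE = [  # (device the line was captured on, debug line)
    ("Paris",    "ike 0: shortcut advpn_0:198.51.100.2:0 to advpn_1:198.51.100.3:0 for 192.168.2.1->192.168.3.1"),
    ("Paris",    "ike 0:advpn_0:1: sent IKE msg (SHORTCUT-OFFER): 198.51.100.1:500->198.51.100.2:500, len=188, id=67a5828ff8216c8d/37b349b57406cb19:e8f7caf4"),
    ("France02", "ike 0:advpn:12: notify msg received: SHORTCUT-OFFER"),
    ("France02", "ike 0:advpn: send shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ttl 32 nat 0 ver 1 mode 0"),
    ("Paris",    "ike 0:advpn_0: recv shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ppk 0 ttl 32 nat 0 ver 1 mode 0"),
    ("Paris",    "ike 0:advpn_1: forward shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ppk 0 ttl 31 ver 1 mode 0"),
    ("France03", "ike 0:advpn: recv shortcut-query 3402812622499100305 cd1adf65f3afde0d/0000000000000000 198.51.100.2 192.168.2.1->192.168.3.1 psk 64 ppk 0 ttl 31 nat 0 ver 1 mode 0"),
    ("France03", "ike 0:advpn: send shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ver 1 mode 0"),
    ("Paris",    "ike 0:advpn_1: recv shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ver 1 mode 0"),
    ("Paris",    "ike 0:advpn_0: forward shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ttl 31 ver 1 mode 0"),
    ("France02", "ike 0:advpn: recv shortcut-reply 3402812622499100305 cd1adf65f3afde0d/d525765a5a0840ba 198.51.100.3 to 192.168.2.1 psk 64 ppk 0 ver 1 mode 0"),
    ("France02", "ike 0:advpn_0: added new dynamic tunnel for 198.51.100.3:500"),
    ("France02", "ike 0:advpn_0:13: cookie cd1adf65f3afde0d/d525765a5a0840ba"),
]

SHORTCUT_RE = re.compile(
    r"^ike \d+:(?P<tunnel>[^:\s]+): (?P<verb>send|recv|forward) shortcut-(?P<kind>query|reply) "
    r"(?P<sid>\d+) (?P<icookie>[0-9a-f]{16})/(?P<rcookie>[0-9a-f]{16}) (?P<gw>[\d.]+)(?: to)? "
    r"(?P<sel>\S+)(?P<rest>.*)$")
TTL_RE = re.compile(r"\bttl (\d+)")
COOKIE_RE = re.compile(r"\bcookie ([0-9a-f]{16}/[0-9a-f]{16})")

# Stages every successful negotiation shows when all three devices are captured.
EXPECTED = [("send", "query"), ("forward", "query"), ("recv", "query"),
            ("send", "reply"), ("forward", "reply"), ("recv", "reply")]


def parse(lines):
    """Group the shortcut-query/reply events by shortcut id."""
    recs = {}
    for device, line in lines:
        m = SHORTCUT_RE.match(line)
        if not m:
            continue
        rec = recs.setdefault(m["sid"], {"events": [], "ttl": [], "cookies": None,
                                          "initiator_gw": None, "responder_gw": None,
                                          "selector": m["sel"]})
        rec["events"].append((device, m["verb"], m["kind"], m["tunnel"]))
        t = TTL_RE.search(m["rest"])
        if t:
            rec["ttl"].append(int(t.group(1)))
        if m["kind"] == "query" and m["verb"] == "send":
            rec["initiator_gw"] = m["gw"]                   # spoke that accepted the offer
        if m["kind"] == "reply" and m["verb"] == "send":
            rec["responder_gw"] = m["gw"]                   # spoke that answered
            rec["cookies"] = (m["icookie"], m["rcookie"])   # responder cookie filled in here
    return recs


def summarize(lines):
    """One verdict per shortcut id: endpoints, completeness, hubs crossed by the
    query (one ttl decrement per forwarding hub) and whether the new IKE SA
    announced on the initiator uses the cookie pair carried by the reply."""
    sa_cookies = set()
    for _, line in lines:
        m = COOKIE_RE.search(line)
        if m:
            sa_cookies.add(m.group(1))
    result = {}
    for sid, rec in parse(lines).items():
        seen = {(v, k) for _, v, k, _ in rec["events"]}
        result[sid] = {
            "initiator": rec["initiator_gw"],
            "responder": rec["responder_gw"],
            "selector": rec["selector"],
            "complete": all(stage in seen for stage in EXPECTED),
            "hubs_crossed": (rec["ttl"][0] - rec["ttl"][-1]) if rec["ttl"] else None,
            "sa_uses_reply_cookies": rec["cookies"] is not None
                                     and "/".join(rec["cookies"]) in sa_cookies,
        }
    return result


if __name__ == "__main__":
    for sid, verdict in summarize(SAMPLE).items():
        print(sid, verdict)
```

When a shortcut never comes up, the stage that is missing from "events" tells you where to look: no forwarded query means the Hub's route lookup for the destination did not land on another dialup child; a query that reaches the responder with no reply sent usually means the responder rejected it; a reply received but no "adding new dynamic tunnel" points at the initiator side.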
Troubleshooting
Routing
Troubleshooting – BGP Routing

France02 # get router info bgp summary
BGP router identifier 10.10.10.2, local AS number 65000
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.1      4 65000   10009   10007        1    0    0 04:02:20            5

Total number of neighbors 1

BGP table:

France02 # get router info bgp network
BGP table version is 2, local router ID is 10.10.10.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop         Metric LocPrf Weight RouteTag Path
*>i192.168.1.0      10.10.10.1            0    100      0        0 i <-/1>
*> 192.168.2.0      0.0.0.0                    100  32768        0 i <-/1>
*>i192.168.3.0      10.10.10.3            0    100      0        0 i <-/1>
*>i192.168.101.0    10.255.255.2          0    100      0        0 65100 i <-/1>
*>i192.168.102.0    10.20.20.2            0    100      0        0 65100 i <-/1>
*>i192.168.103.0    10.20.20.3            0    100      0        0 65100 i <-/1>

Total number of prefixes 6

The next-hop of each Spoke prefix is the originating Spoke's overlay address (10.10.10.3, 10.20.20.2, 10.20.20.3), not the Hub: the Hubs are route reflectors and the Hub-to-Hub eBGP session keeps the next-hop unchanged. This is what allows a shortcut to carry the traffic as soon as that next-hop becomes reachable through it.
Troubleshooting – BGP Routing

BGP details of a specific prefix:

France02 # get router info bgp network 192.168.102.0
BGP routing table entry for 192.168.102.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  65100
    10.20.20.2 from 10.10.10.1 (10.10.10.1)
      Origin IGP metric 0, localpref 100, valid, internal, best
      Last update: Wed Aug 28 10:59:58 2019

BGP routes in the RIB:

France02 # get router info routing-table bgp
Routing table for VRF=0
B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 04:05:36
B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 04:04:45
B       192.168.101.0/24 [200/0] via 10.255.255.2 (recursive via 10.10.10.1), 04:05:36
B       192.168.102.0/24 [200/0] via 10.20.20.2 (recursive via 10.10.10.1), 04:03:56
B       192.168.103.0/24 [200/0] via 10.20.20.3 (recursive via 10.10.10.1), 04:03:56

Static routes in the RIB:

France02 # get router info routing-table static
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
S       10.20.20.0/24 [10/0] via 10.10.10.1, advpn
S       10.255.255.0/30 [10/0] via 10.10.10.1, advpn

Connected routes in the RIB:

France02 # get router info routing-table connected
Routing table for VRF=0
C       10.10.10.0/24 is directly connected, advpn
C       10.10.10.2/32 is directly connected, advpn
C       192.168.2.0/24 is directly connected, internal
C       198.51.100.0/24 is directly connected, wan
Troubleshooting – BGP Routing

All active routes in the RIB:

France02 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
C       10.10.10.0/24 is directly connected, advpn
C       10.10.10.2/32 is directly connected, advpn
S       10.20.20.0/24 [10/0] via 10.10.10.1, advpn
S       10.255.255.0/30 [10/0] via 10.10.10.1, advpn
B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 04:10:56
C       192.168.2.0/24 is directly connected, internal
B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 04:10:05
B       192.168.101.0/24 [200/0] via 10.255.255.2 (recursive via 10.10.10.1), 04:10:56
B       192.168.102.0/24 [200/0] via 10.20.20.2 (recursive via 10.10.10.1), 04:09:16
B       192.168.103.0/24 [200/0] via 10.20.20.3 (recursive via 10.10.10.1), 04:09:16
C       198.51.100.0/24 is directly connected, wan

Details of a specific route in the RIB:

France02 # get router info routing-table details 192.168.102.1
Routing table for VRF=0
Routing entry for 192.168.102.0/24
  Known via "bgp", distance 200, metric 0, best
  Last update 04:10:52 ago
  * 10.20.20.2 (recursive via 10.10.10.1)
Troubleshooting – BGP Routing

Bring up shortcuts to France03, Spain102 & Spain103:

[root:~]# ping 192.168.3.1
[root:~]# ping 192.168.102.1
[root:~]# ping 192.168.103.1

France02 (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, wan
C       10.10.10.0/24 is directly connected, advpn
C       10.10.10.2/32 is directly connected, advpn
S       10.20.20.0/24 [10/0] via 10.10.10.1, advpn
S       10.20.20.2/32 [15/0] via 10.20.20.2, advpn            <- BGP next-hops of the shortcuts established with the Spain region
S       10.20.20.3/32 [15/0] via 10.20.20.3, advpn            <- (automatically added by IKE)
S       10.255.255.0/30 [10/0] via 10.10.10.1, advpn
B       192.168.1.0/24 [200/0] via 10.10.10.1, advpn, 00:01:17
C       192.168.2.0/24 is directly connected, port1
B       192.168.3.0/24 [200/0] via 10.10.10.3, advpn, 00:01:00
B       192.168.101.0/24 [200/0] via 10.255.255.2 (recursive via 10.10.10.1), 00:01:17
B       192.168.102.0/24 [200/0] via 10.20.20.2 (recursive via 10.20.20.2), 00:01:17     <- Routes via the shortcuts
B       192.168.103.0/24 [200/0] via 10.20.20.3 (recursive via 10.20.20.3), 00:01:17     <-
C       198.51.100.0/24 is directly connected, internal

Only the cross-region shortcuts need the IKE-added host routes. 192.168.3.0/24 looks exactly as it did before the France03 shortcut came up, because 10.10.10.3 already sits on the connected 10.10.10.0/24 overlay; the shortcut is selected by the next-hop lookup in the advpn tunnel's route tree (see "diag vpn tunnel list"). 192.168.101.0/24, whose next-hop is the Madrid Hub-to-Hub address 10.255.255.2, keeps going through Paris.
Troubleshooting – BGP Routing

Capture BGP traffic:
France02 # diag sniffer packet any 'tcp port 179' 6 0 l

Start BGP debugs:
diag debug reset
diag debug console timestamp enable
diag ip router bgp all enable
diag ip router bgp level info
diag debug enable

Stop BGP debugs:
diag ip router bgp all disable
diag debug disable

Reset BGP peering (tears the session down):
exec router clear bgp ip <peer-ip>

Route Refresh (soft reset, no session flap):
exec router clear bgp ip <peer-ip> soft
exec router clear bgp ip <peer-ip> soft in
exec router clear bgp ip <peer-ip> soft out
Troubleshooting – OSPF Routing

OSPF neighbors (point-to-multipoint: the Hub plus every Spoke reached through a shortcut):

France02 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.1        1   Full/ -         00:00:31    10.10.10.1      advpn        <- Hub
10.10.10.3        1   Full/ -         00:00:34    10.10.10.3      advpn        <- shortcuts
10.10.10.4        1   Full/ -         00:00:35    10.10.10.4      advpn        <-

OSPF LSDB summary:

France02 # get router info ospf database brief
       OSPF Router with ID (10.10.10.2) (Process ID 0, VRF 0)

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#       CkSum  Flag  Link count
10.10.10.1      10.10.10.1      794  80000048   7083   0002  6
10.10.10.2      10.10.10.2       21  80000034   d256   0021  5
10.10.10.3      10.10.10.3      443  80000022   7aba   0002  5
10.10.10.4      10.10.10.4       22  8000000f   182a   0002  5
10.10.10.5      10.10.10.5      970  8000000d   9613   0002  3
Troubleshooting – OSPF Routing

OSPF status:

France02 # get router info ospf status
 Routing Process "ospf 0" with ID 10.10.10.2
 Process uptime is 1 hour 3 minutes
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Do not support Restarting
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Refresh timer 10 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 0
 External LSA database is unlimited.
 Number of LSA originated 1
 Number of LSA received 85
 Number of areas attached to this router: 1
    Area 0.0.0.0 (BACKBONE)
        Number of interfaces in this area is 2(2)
        Number of fully adjacent neighbors in this area is 3
        Area has no authentication
        SPF algorithm last executed 00:12:39.320 ago
        SPF algorithm executed 45 times
        Number of LSA 5. Checksum 0x026bd0
Troubleshooting – OSPF Routing

OSPF interface details:

France02 # get router info ospf interface advpn
advpn is up, line protocol is up
  Internet Address 10.10.10.2/24, Area 0.0.0.0, MTU 1438
  Process ID 0, VRF 0, Router ID 10.10.10.2, Network Type POINTOMULTIPOINT, Cost: 100
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 3, Adjacent neighbor count is 3
  Crypt Sequence Number is 9
  Hello received 559 sent 362, DD received 112 sent 139
  LS-Req received 24 sent 25, LS-Upd received 159 sent 72
  LS-Ack received 10 sent 81, Discarded 162

Neighbor details:

France02 # get router info ospf neighbor 10.10.10.1
OSPF process 0, VRF 0:
 Neighbor 10.10.10.1, interface address 10.10.10.1
    In the area 0.0.0.0 via interface advpn
    Neighbor priority is 1, State is Full, 5 state changes
    DR is 0.0.0.0, BDR is 0.0.0.0
    Options is 0x42 (*|O|-|-|-|-|E|-)
    Dead timer due in 00:00:37
    Neighbor is up for 00:45:08
    Database Summary List 0
    Link State Request List 0
    Link State Retransmission List 0
    Crypt Sequence Number is 0
    Thread Inactivity Timer on
    Thread Database Description Retransmission off
    Thread Link State Request Retransmission off
    Thread Link State Update Retransmission off
Troubleshooting – OSPF Routing

Routes announced & received via OSPF:

France02 # get router info ospf route
OSPF process 0:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

C       10.10.10.0/24 [100] is directly connected, advpn, Area 0.0.0.0
O       10.10.10.1/32 [100] via 10.10.10.1, advpn, Area 0.0.0.0
O       10.10.10.3/32 [100] via 10.10.10.3, advpn, Area 0.0.0.0
O       10.10.10.4/32 [100] via 10.10.10.4, advpn, Area 0.0.0.0
O       10.10.10.5/32 [101] via 10.10.10.1, advpn, Area 0.0.0.0
O       192.168.1.0/24 [101] via 10.10.10.1, advpn, Area 0.0.0.0
C       192.168.2.0/24 [1] is directly connected, port1, Area 0.0.0.0
O       192.168.3.0/24 [101] via 10.10.10.3, advpn, Area 0.0.0.0
O       192.168.4.0/24 [101] via 10.10.10.4, advpn, Area 0.0.0.0
O       192.168.5.0/24 [102] via 10.10.10.1, advpn, Area 0.0.0.0

OSPF routes in the RIB:

France02 # get router info routing-table ospf
Routing table for VRF=0
O       192.168.1.0/24 [110/101] via 10.10.10.1, advpn, 00:33:09
O       192.168.3.0/24 [110/101] via 10.10.10.3, advpn, 00:33:19
O       192.168.4.0/24 [110/101] via 10.10.10.4, advpn, 00:20:20
O       192.168.5.0/24 [110/102] via 10.10.10.1, advpn, 00:33:09
Troubleshooting – OSPF Routing

Capture OSPF traffic:
France02 # diag sniffer packet any 'ip proto 89' 6 0 l

Start OSPF debugs:
diag debug reset
diag debug console timestamp enable
diag ip router ospf all enable
diag ip router ospf level info
diag debug enable

Stop OSPF debugs:
diag ip router ospf all disable
diag debug disable

Restart OSPF:
exec router clear ospf process
ADVPN Dual Region (BGP)
Configuration
Hub “Paris” [1/3]
Tunnels:

config vpn ipsec phase1-interface
    edit "advpn"
        set type dynamic
        set interface "port2"
        set proposal aes128-sha1
        set auto-discovery-sender enable
        set add-route disable
        set psksecret xxxxxxxx
        set net-device disable            <- As of FortiOS 6.0 and 5.6.3
        set tunnel-search nexthop         <- As of FortiOS 6.0 and 5.6.3
    next
    edit "toMadrid"
        set interface "port2"
        set proposal aes128-sha1
        set auto-discovery-forwarder enable
        set remote-gw 203.0.113.101
        set psksecret xxxxxxxx
    next
end

config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        set proposal aes128-sha1
    next
    edit "toMadrid"
        set phase1name "toMadrid"
        set proposal aes128-sha1
    next
end
Hub “Paris” [2/3]
Interfaces:

config system interface
    edit "port1"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "INTERNET"
    next
    edit "toMadrid"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2                    <- For FortiOS 5.4 and 5.6.0/5.6.1/5.6.2
        set remote-ip 10.255.255.2 255.255.255.255    <- As of FortiOS 6.0 and 5.6.3 (use one of the two)
        set allowaccess ping
    next
    edit "advpn"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254                    <- For FortiOS 5.4 and 5.6.0/5.6.1/5.6.2
        set remote-ip 10.10.10.254 255.255.255.0      <- As of FortiOS 6.0 and 5.6.3 (use one of the two)
        set allowaccess ping
    next
end

Policies:

config firewall policy
    edit 1
        set name "To Spokes"
        set srcintf "port1"
        set dstintf "advpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "From Spokes"
        set srcintf "advpn"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "Spokes to Spokes"
        set srcintf "advpn"
        set dstintf "advpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
Hub “Paris” [3/3]
Policies (cont.):

    edit 4
        set name "To Madrid"
        set srcintf "port1" "advpn"
        set dstintf "toMadrid"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "From Madrid"
        set srcintf "toMadrid"
        set dstintf "advpn" "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Routes:

config router static
    edit 1
        set gateway 198.51.100.254
        set device "port2"
    next
    edit 2
        set dst 10.20.20.0 255.255.255.0
        set device "toMadrid"
    next
end

BGP:

config router bgp
    set as 65000
    set router-id 10.10.10.1
    config neighbor
        edit "10.255.255.2"
            set attribute-unchanged next-hop
            set ebgp-enforce-multihop enable
            set remote-as 65100
        next
    end
    config neighbor-group
        edit "advn_peers"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advn_peers"
        next
    end
    config network
        edit 1
        (...)
Hub “Madrid” [1/3]
Tunnels:

config vpn ipsec phase1-interface
    edit "advpn"
        set type dynamic
        set interface "port2"
        set proposal aes128-sha1
        set auto-discovery-sender enable
        set add-route disable
        set psksecret xxxxxxxx
        set net-device disable            <- As of FortiOS 6.0 and 5.6.3
        set tunnel-search nexthop         <- As of FortiOS 6.0 and 5.6.3
    next
    edit "toParis"
        set interface "port2"
        set proposal aes128-sha1
        set auto-discovery-forwarder enable
        set remote-gw 198.51.100.1
        set psksecret xxxxxxxx
    next
end

config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        set proposal aes128-sha1
    next
    edit "toParis"
        set phase1name "toParis"
        set proposal aes128-sha1
    next
end
Hub “Madrid” [2/3]
Interfaces:

config system interface
    edit "port1"
        set ip 192.168.101.254 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
    edit "port2"
        set ip 203.0.113.101 255.255.255.0
        set allowaccess ping https ssh
        set alias "INTERNET"
    next
    edit "toParis"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1                    <- For FortiOS 5.4 and 5.6.0/5.6.1/5.6.2
        set remote-ip 10.255.255.1 255.255.255.255    <- As of FortiOS 6.0 and 5.6.3 (use one of the two)
        set allowaccess ping
    next
    edit "advpn"
        set ip 10.20.20.1 255.255.255.255
        set remote-ip 10.20.20.254                    <- For FortiOS 5.4 and 5.6.0/5.6.1/5.6.2
        set remote-ip 10.20.20.254 255.255.255.0      <- As of FortiOS 6.0 and 5.6.3 (use one of the two)
        set allowaccess ping
    next
end

Policies:

config firewall policy
    edit 1
        set name "To Spokes"
        set srcintf "port1"
        set dstintf "advpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "From Spokes"
        set srcintf "advpn"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "Spokes to Spokes"
        set srcintf "advpn"
        set dstintf "advpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
Hub “Madrid” [3/3]
Policies (cont.):

    edit 4
        set name "To Paris"
        set srcintf "port1" "advpn"
        set dstintf "toParis"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "From Paris"
        set srcintf "toParis"
        set dstintf "advpn" "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Routes:

config router static
    edit 1
        set gateway 203.0.113.254
        set device "port2"
    next
    edit 2
        set dst 10.10.10.0 255.255.255.0
        set device "toParis"
    next
end

BGP:

config router bgp
    set as 65100
    set router-id 10.20.20.1
    config neighbor
        edit "10.255.255.1"
            set attribute-unchanged next-hop
            set ebgp-enforce-multihop enable
            set remote-as 65000
        next
    end
    config neighbor-group
        edit "advn_peers"
            set remote-as 65100
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.20.20.0 255.255.255.0
            set neighbor-group "advn_peers"
        next
    end
    config network
        edit 1
        (...)
Spoke “France02” [1/3]
Tunnel:

config vpn ipsec phase1-interface
    edit "advpn"
        set interface "port2"
        set proposal aes128-sha1
        set auto-discovery-receiver enable
        set add-route disable
        set net-device disable            <- As of FortiOS 6.2.1
        set tunnel-search nexthop         <- As of FortiOS 6.2.1
        set remote-gw 198.51.100.1
        set psksecret xxxxxxxx
    next
end

config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        set proposal aes128-sha1
    next
end

Interfaces:

config system interface
    edit "port1"
        set ip 192.168.2.254 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
    edit "port2"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping https ssh
        set alias "INTERNET"
    next
    edit "advpn"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end
Spoke “France02” [2/3]
Overlay routes:
config router static
    edit 1
        set gateway 198.51.100.254
        set device "port2"
    next
    # Only required for FortiOS 5.4 and 5.6.0/5.6.1/5.6.2:
    edit 2
        set dst 10.10.10.0 255.255.255.0
        set device "advpn"
        set comment "France overlay subnet"
    next
    edit 3
        set dst 10.20.20.0 255.255.255.0
        set device "advpn"
        set comment "Spain overlay subnet"
    next
    edit 4
        set dst 10.255.255.0 255.255.255.252
        set device "advpn"
        set comment "Paris-Madrid overlay subnet"
    next
end
128
Spoke “France02” [3/3]

BGP:
config router bgp
    set as 65000
    set router-id 10.10.10.2
    config neighbor
        edit "10.10.10.1"
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end

Policies:
config firewall policy
    edit 1
        set name "to ADVPN"
        set srcintf "port1"
        set dstintf "advpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "from ADVPN"
        set srcintf "advpn"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
129
Spoke “Spain102” [1/3]
Tunnel:
config vpn ipsec phase1-interface
    edit "advpn"
        set interface "port2"
        set proposal aes128-sha1
        set auto-discovery-receiver enable
        set add-route disable
        # As of FortiOS 6.2.1:
        set net-device disable
        set tunnel-search nexthop
        set remote-gw 203.0.113.101
        set psksecret xxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "advpn"
        set phase1name "advpn"
        set proposal aes128-sha1
    next
end

Interfaces:
config system interface
    edit "port1"
        set ip 192.168.102.254 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
    edit "port2"
        set ip 203.0.113.102 255.255.255.0
        set allowaccess ping https ssh
        set alias "INTERNET"
    next
    edit "advpn"
        set ip 10.20.20.2 255.255.255.255
        set remote-ip 10.20.20.1 255.255.255.0
        set allowaccess ping
    next
end
130
Spoke “Spain102” [2/3]
Overlay routes:
config router static
    edit 1
        set gateway 203.0.113.254
        set device "port2"
    next
    # Only required for FortiOS 5.4 and 5.6.0/5.6.1/5.6.2:
    edit 2
        set dst 10.20.20.0 255.255.255.0
        set device "advpn"
        set comment "Spain overlay subnet"
    next
    edit 3
        set dst 10.10.10.0 255.255.255.0
        set device "advpn"
        set comment "France overlay subnet"
    next
    edit 4
        set dst 10.255.255.0 255.255.255.252
        set device "advpn"
        set comment "Paris-Madrid overlay subnet"
    next
end
131
Spoke “Spain102” [3/3]

BGP:
config router bgp
    set as 65100
    set router-id 10.20.20.2
    config neighbor
        edit "10.20.20.1"
            set remote-as 65100
        next
    end
    config network
        edit 1
            set prefix 192.168.102.0 255.255.255.0
        next
    end
end

Policies:
config firewall policy
    edit 1
        set name "to ADVPN"
        set srcintf "port1"
        set dstintf "advpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "from ADVPN"
        set srcintf "advpn"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
132
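The hub and spoke snippets above are hand-maintained per site, and the slips that hurt most are the quiet ones: a static route or policy naming a tunnel interface that does not exist on that box, a BGP peer that no tunnel overlay can reach, or a hub neighbor-range whose neighbor-group is not a route-reflector client (in which case spoke prefixes are never reflected to the other spokes and no shortcut can ever form). The checker below is an added example, not Fortinet's code and not part of this deck: it parses the FortiOS config/edit/set/next/end syntax into nested dictionaries and runs those three checks over two constructed excerpts modelled on the Hub "Madrid" and Spoke "Spain102" slides. The spoke excerpt deliberately carries a route whose device is "Madrid" while the tunnel is named "advpn", a constructed mistake chosen to show the kind of mismatch the reference check catches.

```python
"""Consistency checks for FortiOS ADVPN CLI snippets (added example, not Fortinet's code)."""
import ipaddress
import shlex

# Constructed excerpt modelled on the Hub "Madrid" slides (tunnel interfaces and BGP only).
HUB_MADRID = """config system interface
    edit "toParis"
        set remote-ip 10.255.255.1 255.255.255.255
    next
    edit "advpn"
        set remote-ip 10.20.20.254 255.255.255.0
    next
end
config router bgp
    set as 65100
    config neighbor
        edit "10.255.255.1"
            set ebgp-enforce-multihop enable
        next
    end
    config neighbor-group
        edit "advn_peers"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.20.20.0 255.255.255.0
            set neighbor-group "advn_peers"
        next
    end
end"""
# Constructed spoke excerpt with a deliberate slip: the tunnel is "advpn" but the route says "Madrid".
SPOKE_BAD = """config vpn ipsec phase1-interface
    edit "advpn"
        set remote-gw 203.0.113.101
    next
end
config router static
    edit 2
        set dst 10.20.20.0 255.255.255.0
        set device "Madrid"
    next
end"""

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts; each config block keeps an 'entries' map."""
    root = {}
    stack = [root]  # innermost open scope last
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # honours quoting and '#' comments
        if not tok:
            continue
        kw, args, scope = tok[0], tok[1:], stack[-1]
        if kw == "config":
            block = {"entries": {}}
            scope.setdefault("config", {})[" ".join(args)] = block
            stack.append(block)
        elif kw == "edit":
            stack.append(scope["entries"].setdefault(args[0], {}))
        elif kw == "set":
            scope[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw.strip()}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root

def _entries(scope, path):
    return scope.get("config", {}).get(path, {}).get("entries", {})

def check_references(root):
    """Flag static routes whose device is neither a system interface nor an IPsec phase1 tunnel."""
    known = set(_entries(root, "system interface")) | set(_entries(root, "vpn ipsec phase1-interface"))
    return [f"static route {rid}: device {dev!r} is not defined"
            for rid, route in _entries(root, "router static").items()
            for dev in route.get("device", []) if dev not in known]

def check_hub_bgp(root):
    """Hub BGP sanity: peers sit in a tunnel overlay, the spoke range is an overlay, spokes are reflected."""
    overlays = []
    for intf in _entries(root, "system interface").values():
        rip = intf.get("remote-ip")
        if rip:  # 'remote-ip <ip> [mask]'; the pre-6.0 form has no mask, so treat it as a /32 peer
            overlays.append(ipaddress.ip_network(f"{rip[0]}/{rip[1] if len(rip) > 1 else 32}", strict=False))
    bgp = root["config"]["router bgp"]
    findings = [f"neighbor {peer} is outside every tunnel overlay"
                for peer in _entries(bgp, "neighbor")
                if not any(ipaddress.ip_address(peer) in net for net in overlays)]
    for rid, rng in _entries(bgp, "neighbor-range").items():
        prefix = ipaddress.ip_network("/".join(rng["prefix"]), strict=False)
        if prefix not in overlays:
            findings.append(f"neighbor-range {rid}: {prefix} is not a tunnel overlay subnet")
        group = _entries(bgp, "neighbor-group").get(rng.get("neighbor-group", [""])[0])
        if group is None:
            findings.append(f"neighbor-range {rid}: its neighbor-group does not exist")
        elif group.get("route-reflector-client", ["disable"])[0] != "enable":
            findings.append(f"neighbor-range {rid}: spokes are not route-reflector clients")
    return findings
```

Run `check_references(parse_fortios(SPOKE_BAD))` and the only finding is the "Madrid" route; `check_hub_bgp(parse_fortios(HUB_MADRID))` returns nothing, while flipping `route-reflector-client` to `disable` in the hub text produces a finding. The parser keeps the old `set remote-ip <ip>` form (FortiOS 5.4 and 5.6.0/5.6.1/5.6.2) working by treating a mask-less remote-ip as a single /32 peer, which is exactly why those releases also needed the explicit overlay static route shown on the spoke slides.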
