FortiGate
Article Id 190226
Description
This article describes how to mix two types of Spokes within the same ADVPN Hub-and-Spoke architecture:

-      Spokes that support Fortinet ADVPN (FortiOS 5.4 or newer),

-      Spokes that have no support for Fortinet ADVPN (FortiOS 5.2 or earlier, or IPsec gateways from other vendors).

If a Spoke runs a firmware older than FortiOS 5.4, or if it is an IPsec gateway from another vendor, it can still participate in the Hub-and-Spoke architecture, but it will not be able to negotiate shortcuts with other Spokes: its traffic to other Spokes keeps going through the Hub.

Connecting ADVPN and non-ADVPN IPsec gateways on the same Hub phase1 requires specific configuration on the Hub and on the non-ADVPN gateways.

This article complements the related KB article “Technical Note: Fortinet Auto Discovery VPN (ADVPN)”, which details Fortinet ADVPN principles and configuration (IPsec and BGP).



Scope
Fortinet Auto Discovery VPN (ADVPN) is available as of FortiOS 5.4.


Solution

Diagram


The same design as KB article “Technical Note: Fortinet Auto Discovery VPN (ADVPN)” is used.

In summary:
·         The Hub protects LAN subnet 192.168.1.0/24

·         The Hub’s overlay IP (i.e., its tunnel IP) is 10.10.10.1

 
·         Each Spoke protects a LAN subnet 192.168.x.0/24 where x is the Spoke’s ID (e.g., Spoke-02 protects subnet 192.168.2.0/24)

·         Each Spoke’s overlay IP is 10.10.10.x where x is the Spoke’s ID (e.g., Spoke-02 overlay IP is 10.10.10.2)


Diagram: ADVPN-aware and non-ADVPN-aware spokes within the same ADVPN Hub-and-Spoke architecture

 
 Configuration
 
IPsec
 
This section describes:
-      the IPsec configuration change that must be made on the Hub,
-      the IPsec configuration that must be used on the non-ADVPN-aware FortiGates (FortiOS 5.2 or earlier).
 
The IPsec configuration of the ADVPN-aware Spokes (FortiOS 5.4 or newer) remains identical; no configuration change is needed on them.
See KB article “Technical Note: Fortinet Auto Discovery VPN (ADVPN)”.

 
 
BGP
 
The BGP configuration is unchanged on the Hub.
The BGP configuration of non-ADVPN-aware Spokes is identical to the BGP configuration of ADVPN-aware Spokes.
See KB article “Technical Note: Fortinet Auto Discovery VPN (ADVPN)”.

 
 
 
The problem
 
As part of ADVPN, a new mechanism was added that allows a Spoke to dynamically advertise its overlay IP address to the Hub during IKE SA negotiation (phase1).
On the Hub, this overlay IP is associated with the Spoke’s dialup tunnel.
 
This IP is required for BGP peering: the Hub needs a route to each Spoke’s overlay IP through that Spoke’s dialup tunnel before it can establish a BGP session with it.
 
Non-ADVPN-aware Spokes have no such phase1 feature.
An alternative way of advertising the overlay IP to the Hub must therefore be used.
 
 
The solution
 
A Spoke’s protected subnet(s) can be advertised to the Hub during IPsec SA negotiation (quick mode / phase2).
The Hub can be instructed to add a route back to the Spoke for this/these subnet(s). This is called reverse route injection, or IKE routes.
 
This mechanism can be used to advertise a Spoke’s overlay IP to its Hub: the Spoke proposes its overlay IP as a /32 selector, and the Hub injects a host route to it through the Spoke’s tunnel.
 
The solution consists of configuring:
·         the non-ADVPN Spokes with an additional phase2 used to advertise their overlay IP during an IPsec SA negotiation (phase2),

·         the Hub with an additional phase2 used to learn the non-ADVPN Spokes’ overlay IPs and inject a route back (IKE routes).

  
 
 

IPsec configuration change required on the Hub

 
 
The phase1 configuration remains identical:
 
config vpn ipsec phase1-interface
    edit "Spoke"
        set type dynamic
        set interface "port2"
        set proposal aes128-sha1
        set add-route disable
        set auto-discovery-sender enable
        set psksecret someSecureSecretKey
    next
end
 
 
Only a new phase2 must be added. Both variants are shown below for comparison.
 
When mixing ADVPN and non-ADVPN Spokes:
 
config vpn ipsec phase2-interface
    edit "Spoke"
        set phase1name "Spoke"
        set proposal aes128-sha1
    next
    edit "Overlay_advertisement"
        set phase1name "Spoke"
        set proposal aes128-sha1
        set add-route enable
        set comments "Used by legacy Spokes (non-ADVPN aware) to advertise their overlay IP"
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end
 
"add-route enable" turns on reverse route injection (IKE routes): when a Spoke negotiates an IPsec SA whose selectors fall within this phase2, the Hub adds a route to the Spoke’s negotiated selector through that Spoke’s dialup tunnel.
 
10.10.10.0/24 is the overlay subnet covering the overlay IP addresses of all Spokes. Each legacy Spoke advertises a single /32 out of it, so the Hub ends up with one host route per legacy Spoke. Any Spoke that authenticates against this dialup phase1 can advertise any /32 of the overlay subnet and have a route injected for it, so overlay IPs must be unique per Spoke; a Spoke advertising another Spoke’s overlay IP leaves the Hub with conflicting routes to that address.
 
With ADVPN-only Spokes (unchanged, for reference):
 
config vpn ipsec phase2-interface
    edit "Spoke"
        set phase1name "Spoke"
        set proposal aes128-sha1
    next
end
 
 
It is MANDATORY that the name of the additional phase2 (here, "Overlay_advertisement") sort alphabetically before the name of the regular phase2 (here, "Spoke").

 
This is because phase2 lookup is done in alphabetical order: the first phase2 whose selectors cover the Spoke’s proposal is the one used.
 
The additional phase2 ("Overlay_advertisement") is more specific than the regular phase2 ("Spoke"), whose selectors cover everything. If "Spoke" were looked up first it would also match the overlay advertisement (10.10.10.x/32 is within 0.0.0.0/0), and no IKE route would be injected since "Spoke" has add-route disabled. The more specific phase2 must therefore be matched first.

 
 
The phase2 order can be confirmed with:
 
Hub # diag vpn ike config list
 
vd: root/0
name: Spoke
serial: 1
version: 1
status.admin: up
status.operational: up
type: dynamic
local: 198.51.100.1
mode: main
dpd: on-demand retry-count 3  interval 20000ms
auth: psk
dhgrp:  14 5
fragmentation: enable
xauth: none
interface: port2
virtual-interface-addr: 10.10.10.1 -> 10.10.10.254
auto-discovery-sender: enable enable
auto-discovery-receiver: disable
add-route: disable
phase2s:
  Overlay_advertisement proto 0 src 0.0.0.0/0.0.0.0:0 dst 10.10.10.0/255.255.255.0:0  dhgrp 14 5  replay  add-route  route-new
  Spoke proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 14 5  replay  !add-route  route-new
policy: yes
 

 
This is the only extra configuration needed on the Hub for non-ADVPN-aware Spokes to be part of an ADVPN Hub-and-Spoke architecture.
 
The rest of the Hub configuration is identical to the ADVPN-only-Spokes scenario.
See KB article “Technical Note: Fortinet Auto Discovery VPN (ADVPN)”.
 
 
 
IPsec configuration for non-ADVPN-aware FortiGates
 
The example below is for Spoke-04: 10.10.10.4 is this Spoke’s overlay IP (set as the tunnel interface IP and as the source of the "Hub_overlayIP" phase2) and 10.10.10.1 is the Hub’s overlay IP (the tunnel interface remote-ip). The values are explained here rather than as inline annotations, which the CLI would reject.
 
config system interface
    edit "Hub"
        set vdom "root"
        set ip 10.10.10.4 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.1
        set interface "port2"
    next
end
 
config vpn ipsec phase1-interface
    edit "Hub"
        set interface "port2"
        set proposal aes128-sha1
        set remote-gw 198.51.100.1
        set psksecret someSecureSecretKey
    next
end
 
config vpn ipsec phase2-interface
    edit "Hub_overlayIP"
        set comments "For advertising the overlay IP to the Hub"
        set phase1name "Hub"
        set proposal aes128-sha1
        set keepalive enable
        set auto-negotiate enable
        set src-addr-type ip
        set src-start-ip 10.10.10.4
    next
    edit "Hub_traffic"
        set comments "For carrying data traffic"
        set phase1name "Hub"
        set proposal aes128-sha1
        set keepalive enable
        set auto-negotiate enable
    next
end
 
"src-addr-type ip" with "src-start-ip 10.10.10.4" makes the "Hub_overlayIP" phase2 propose the Spoke’s overlay IP as a single-host local selector, which is what the Hub’s "Overlay_advertisement" phase2 matches and injects a route for. "auto-negotiate enable" brings this SA up as soon as phase1 is established instead of waiting for matching traffic, so the Hub’s route to the overlay IP exists before BGP tries to peer.
 
Again, it is MANDATORY that the name of the additional phase2 (here, "Hub_overlayIP") sort alphabetically before the name of the regular phase2 (here, "Hub_traffic"), for the same reason as on the Hub: the more specific phase2 must be looked up first.
 
 
The phase2 order can be confirmed with:
 
 
Spoke04 # diagnose vpn ike config list
 
vd: root/0
name: Hub
serial: 1
version: 1
type: static
local: 0.0.0.0
remote: 198.51.100.1
mode: main
dpd: enable  retry-count 3  interval 60000ms
auth: psk
dhgrp:  14 5
fragmentation: enable
xauth: none
interface: port2
phase2s:
  Hub_overlayIP proto 0 src 10.10.10.4:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 14 5  replay  keep-alive  auto-negotiate
  Hub_traffic proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 14 5  replay  keep-alive  auto-negotiate
policy: yes
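The alphabetical-order requirement stated for the Hub ("Overlay_advertisement" before "Spoke") and for the Spoke ("Hub_overlayIP" before "Hub_traffic") can be checked mechanically against the `diagnose vpn ike config list` output rather than by eye. The script below is an added example, not Fortinet code or part of this article's configuration: it parses the `phase2s:` lines of that output in the order the device lists them, simulates the first-match lookup the article describes for the selectors a legacy Spoke proposes (its overlay /32 toward 0.0.0.0/0), and flags any phase2 that an earlier, broader phase2 would shadow. The two listings embedded in it are constructed to mirror the Hub and Spoke04 outputs above, not live captures; the first-match semantic is an assumption taken from the article's description of phase2 lookup.

```python
"""Check phase2 lookup order in `diagnose vpn ike config list` output.

Added example (not Fortinet code). Assumes, as the article states, that the
device tries its phase2s in listed (alphabetical) order and uses the first
one whose selectors cover the peer's proposal.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample mirroring the article's Hub listing (not a live capture).
HUB_LISTING = """\
name: Spoke
type: dynamic
phase2s:
  Overlay_advertisement proto 0 src 0.0.0.0/0.0.0.0:0 dst 10.10.10.0/255.255.255.0:0  dhgrp 14 5  replay  add-route  route-new
  Spoke proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 14 5  replay  !add-route  route-new
policy: yes
"""

# Constructed sample mirroring the article's Spoke04 listing (not a live capture).
SPOKE_LISTING = """\
name: Hub
type: static
phase2s:
  Hub_overlayIP proto 0 src 10.10.10.4:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 14 5  replay  keep-alive  auto-negotiate
  Hub_traffic proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 14 5  replay  keep-alive  auto-negotiate
policy: yes
"""

# One phase2 line: name, then src/dst selectors as 'addr/mask:port' or 'addr:port'.
PHASE2_LINE = re.compile(
    r"^\s+(?P<name>\S+) proto \d+ src (?P<src>[^\s:]+):\d+ dst (?P<dst>[^\s:]+):\d+(?P<flags>.*)$"
)


@dataclass
class Phase2:
    name: str
    src: ipaddress.IPv4Network   # local side of the selector
    dst: ipaddress.IPv4Network   # remote side of the selector
    add_route: bool              # reverse route injection (IKE route) enabled


def parse_phase2s(listing: str) -> list:
    """Return the phase2s in the order the device lists them (its lookup order).
    A bare address such as 10.10.10.4 is a single-host (/32) selector."""
    found = []
    for line in listing.splitlines():
        m = PHASE2_LINE.match(line)
        if not m:
            continue
        flags = m["flags"].split()          # '!add-route' means disabled
        found.append(Phase2(
            name=m["name"],
            src=ipaddress.ip_network(m["src"], strict=False),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            add_route="add-route" in flags,
        ))
    return found


def first_match(phase2s, peer_src: str, peer_dst: str):
    """First phase2 whose selectors cover what the peer proposes, in listed order.
    The peer's src (what it protects) must fit our dst, and its dst must fit our src."""
    p_src = ipaddress.ip_network(peer_src)
    p_dst = ipaddress.ip_network(peer_dst)
    for p2 in phase2s:
        if p_src.subnet_of(p2.dst) and p_dst.subnet_of(p2.src):
            return p2
    return None


def shadowed(phase2s):
    """(earlier, later) name pairs where the earlier phase2 covers every selector
    of the later one, so a first-match lookup can never reach the later one."""
    pairs = []
    for i, a in enumerate(phase2s):
        for b in phase2s[i + 1:]:
            if b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst):
                pairs.append((a.name, b.name))
    return pairs


def hub_injects_route(listing: str, spoke_overlay_ip: str):
    """Name of the phase2 the Hub selects for a legacy Spoke's overlay advertisement
    (proposal: overlay /32 -> 0.0.0.0/0) and whether that phase2 injects a route."""
    hit = first_match(parse_phase2s(listing), f"{spoke_overlay_ip}/32", "0.0.0.0/0")
    return (hit.name, hit.add_route) if hit else (None, False)


if __name__ == "__main__":
    hub = parse_phase2s(HUB_LISTING)
    print("Hub shadowed phase2s:", shadowed(hub) or "none")
    print("Overlay advertisement hits:", hub_injects_route(HUB_LISTING, "10.10.10.4"))
    print("Data traffic (0/0 -> 0/0) hits:", first_match(hub, "0.0.0.0/0", "0.0.0.0/0").name)
    # Same two phase2s with the catch-all listed first: it covers the overlay /32
    # as well, so the specific phase2 is never reached and no IKE route is injected.
    wrong = list(reversed(hub))
    print("Wrong order, shadowed:", shadowed(wrong))
    print("Wrong order, overlay hits:", first_match(wrong, "10.10.10.4/32", "0.0.0.0/0").name)
    print("Spoke04 shadowed phase2s:", shadowed(parse_phase2s(SPOKE_LISTING)) or "none")
```

Paste the real `diagnose vpn ike config list` output of a Hub or Spoke in place of the constructed listings; an empty result from `shadowed()` and an `add_route` of `True` from `hub_injects_route()` confirm that the naming constraint is met and that a legacy Spoke's overlay advertisement will reach the add-route phase2.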
 
 
The BGP configuration is identical to the configuration detailed in KB article “Technical Note: Fortinet Auto Discovery VPN (ADVPN)”.


 


Related Articles

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
