Thursday, October 21, 2021

Fortigate 6.x ADVPN on secondary IP

ADVPN on Secondary IP 

Hub 
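config vpn ipsec phase1-interface
    edit "ADVPN123"
        # Hub side: a dynamic phase1 that accepts any spoke (no fixed remote-gw).
        set type dynamic
        set interface "DMZ1"
        # local-gw pins this phase1 to the secondary public IP on DMZ1, so
        # ADVPN123 only accepts IKE on that address (the point of this post).
        # Placeholder - replace with the secondary IP.
        set local-gw XXX.XXX.XXX.XXX
        # peertype any: no peer-ID restriction, so spoke authentication rests
        # entirely on the pre-shared key below.
        set peertype any
        set net-device disable
        # Proposal value was stripped from the post; it must match the spoke's phase1.
        set proposal 
        set add-route disable
        set dpd on-idle
        # NOTE(review): DH group 2 is 1024-bit MODP; a stronger group (e.g. 14 or
        # higher) is preferable, and hub and spoke must use the same dhgrp.
        set dhgrp 2
        # Hub advertises shortcut offers; spokes set auto-discovery-receiver.
        set auto-discovery-sender enable
        set tunnel-search nexthop
        # PSK value stripped from the post.
        set psksecret ENC 
        set dpd-retryinterval 5
    next
end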

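config vpn ipsec phase2-interface
    edit "ADVPN123"
        # Hub phase2 bound to the dynamic phase1 above.
        set phase1name "ADVPN123"
        # Proposal value was stripped from the post; it must match the spoke's phase2.
        set proposal 
    next
end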

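config system interface 
    edit "ADVPN123"
        set vdom "CORE"
        # Hub tunnel address; remote-ip below gives the /24 the spokes live in.
        set ip 10.7.123.1 255.255.255.255
        # Only ping is exposed on the tunnel interface on the hub side.
        set allowaccess ping
        set type tunnel
        set remote-ip 10.7.123.254 255.255.255.0
        # NOTE(review): the phase1 above binds to "DMZ1" but this tunnel names
        # "vD1-DMZ1" as its parent - confirm which is correct; the tunnel's
        # parent must match the phase1 interface.
        set interface "vD1-DMZ1"
    next
end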

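config router bgp 
    # Assumes the hub's local AS (set as ...) is already configured - not shown here.
    config neighbor-group
        edit "ADVPN123"
            set link-down-failover enable
            # Same AS as the spoke's "set as 65501", i.e. iBGP peering.
            set remote-as 65501
            # Hub reflects routes between spokes.
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 123
            # Any spoke sourcing BGP from the tunnel /24 joins the group above.
            set prefix 10.7.123.0 255.255.255.0
            set neighbor-group "ADVPN123"
        next
    end
end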

Then configure the firewall policy.

Spoke

config vpn ipsec phase1-interface
    edit "ADVPN"
        # Spoke side: static phase1 pointing at the hub's secondary public IP.
        set interface "wan"
        # peertype any: no peer-ID restriction; authentication rests on the PSK.
        set peertype any
        set net-device enable
        # Proposal value was stripped from the post; it must match the hub's phase1.
        set proposal 
        set dpd on-idle
        # NOTE(review): DH group 2 is 1024-bit MODP; a stronger group (e.g. 14 or
        # higher) is preferable, and it must match the hub's dhgrp.
        set dhgrp 2
        # Pairs with auto-discovery-sender on the hub.
        set auto-discovery-receiver enable
        # Placeholder - must be the hub's local-gw (secondary IP), not its primary.
        set remote-gw XXX.XXX.XXX.XXX
        # PSK value stripped from the post.
        set psksecret ENC 
        set dpd-retryinterval 5
    next
end

VIC-TEMP-FW # sh vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        # Proposal value was stripped from the post; it must match the hub's phase2.
        set proposal 
        # Spoke brings the tunnel up itself instead of waiting for traffic.
        set auto-negotiate enable
    next
end

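config system interface 
    edit "ADVPN"
        set vdom "root"
        # Spoke tunnel address inside the hub's 10.7.123.0/24.
        set ip 10.7.123.12 255.255.255.255
        # NOTE(review): this exposes management (https, ssh, snmp, http) on the
        # tunnel interface, whereas the hub allows only ping; http and snmp are
        # cleartext - confirm this is intended and trim to what is needed.
        set allowaccess ping https ssh snmp http
        set type tunnel
        # Points at the hub's tunnel IP (10.7.123.1).
        set remote-ip 10.7.123.1 255.255.255.0
        set interface "wan"
    next
end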

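config router bgp
    set as 65501
    # NOTE(review): the neighbor below is in the same AS (iBGP), so
    # ebgp-multipath would not apply to that session - confirm it is intended.
    set ebgp-multipath enable
    config neighbor
        # Peer is the hub's tunnel IP; matches the hub's neighbor-range.
        edit "10.7.123.1"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65501
        next
    end
    config network
        edit 1
            # Spoke LAN advertised to the hub; example prefix from the post.
            set prefix 10.99.16.0 255.255.255.0
        next
    end
end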

Then configure the firewall policy.
If you see "recursive via ..." in the routing table and cannot reach the networks behind the hub, add static routes for those networks via the ADVPN interface:

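config router static 
    # Pins hub-side networks to the ADVPN interface for the case where the
    # BGP-learned routes show "recursive via ..." and traffic does not reach
    # the hub. The dst prefixes are the post's example; use your hub-side prefixes.
    edit 3
        set dst 10.64.128.0 255.255.224.0
        set device "ADVPN"
    next
    edit 2
        set dst 10.64.32.0 255.255.224.0
        set device "ADVPN"
    next
end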