ADVPN
Lab 1:
Configure FGT01:
1. Interfaces
2. Static route:
the management PC is in 172.16.100.0/24
3. VPN tunnel
4. Adjust Wizard created rules/policies
4.1. IKEv2
FGT01 # config vpn ipsec phase1-interface
FGT01 (phase1-interface) # edit Spokes
FGT01 (Spokes) # set ike 2
FGT01 (Spokes) # end
FGT01 (phase1-interface) # show
config vpn ipsec phase1-interface
edit "Spokes"
set type dynamic
set interface "port2"
set ike-version 2
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set add-route disable
set dpd on-idle
set comments "VPN: Spokes (Created by VPN wizard)"
set wizard-type hub-fortigate-auto-discovery
set auto-discovery-sender enable
set psksecret ENC Wcq7m7MoqlMhS9lpSGFWXlj07emRbZxqhrLE3EweDyUrXXHDu8/BnfBjE9cUNG/83ZZA78F/pgFTvhnlhfol3c2AlyegdP1OQVgfeWu99sGldNZA8p6AlK3iVQLzMfaHoo2sD2YsNwjJMPoPnQUClZmLXe88Y8XsB40XbiHut3givQgVqILbRijWelBlj1nuMrGhxw==
next
end
4.2. BGP
Verify that the Route reflector client option is still enabled
4.3 Firewall Policy
Configure FGT02
1. Interface
2. Static route
3. VPN
4. Adjust Wizard generated configuration
4.1 VPN IKEv2
FGT02 # config vpn ipsec phase1-interface
FGT02 (phase1-interface) # edit Hub
FGT02 (Hub) # set ike 2
FGT02 (Hub) # end
FGT02 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "Hub"
set interface "port2"
set ike-version 2
set peertype any
set net-device enable
set proposal des-md5 des-sha1
set add-route disable
set dpd on-idle
set comments "VPN: Hub (Created by VPN wizard)"
set wizard-type spoke-fortigate-auto-discovery
set auto-discovery-receiver enable
set remote-gw 172.16.11.1
set psksecret ENC uJk764X2pGMBFu5Tf9qPsH0xBNrwfndC1Vfr3L6LWY6DeCAkwXiS9sh2WNc/ZfUA0NMJTQNgvtXBO/mW99UZSXpED/Aq7C0MX4Is1IODdruUZQPvGwgT8Ibr5QNxUmy413gx8guH7VieG7rf8JJtkJ7RFIPypnrkeIgcZpdEEhq3U79pa6r+s2BjYE3MdmCs6YvGTg==
next
end
4.2 BGP
4.3 Firewall policy
5. Verify VPN to FGT01 is up
6. Verify BGP
7. Verify VPN and BGP from CLI
FGT02 # get vpn ipsec tunnel sum
'Hub' 172.16.11.1:0 selectors(total,up): 1/1 rx(pkt,err): 17/0 tx(pkt,err): 18/1
FGT02 # get router info bgp sum
VRF 0 BGP router identifier 2.2.2.2, local AS number 65400
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.160.10.1 4 65400 9 9 1 0 0 00:04:29 1
Total number of neighbors 1
FGT02 #
Configure FGT03
1. Interface
2. Static route
3. VPN
4. Adjust Wizard generated configuration
4.1 VPN IKEv2
FGT03 # config vpn ipsec phase1-interface
FGT03 (phase1-interface) # show
config vpn ipsec phase1-interface
edit "Hub"
set interface "port2"
set peertype any
set net-device enable
set proposal des-md5 des-sha1
set add-route disable
set dpd on-idle
set comments "VPN: Hub (Created by VPN wizard)"
set wizard-type spoke-fortigate-auto-discovery
set auto-discovery-receiver enable
set remote-gw 172.16.11.1
set psksecret ENC 7pBMhO++cMPWUb/IuTJUdifxAZ0gWeKgt8mCsUEB7VNU0zfVSY0qzLr57Qb2pheSem0q05wwzlj17Byn7E5JZKHR+vl9Ca6fN5/DzfuxVYx3DvgS6lR/zWASKKwStBBeeIuXdtf0x3D8fO8UZIH3ImFy3McpcZMDtd1bB1ePH+EiDuVJu9IhBNmGGrlRw2EIjPFe0g==
next
end
FGT03 (phase1-interface) # edit Hub
FGT03 (Hub) # set ike 2
FGT03 (Hub) # end
FGT03 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "Hub"
set interface "port2"
set ike-version 2
set peertype any
set net-device enable
set proposal des-md5 des-sha1
set add-route disable
set dpd on-idle
set comments "VPN: Hub (Created by VPN wizard)"
set wizard-type spoke-fortigate-auto-discovery
set auto-discovery-receiver enable
set remote-gw 172.16.11.1
set psksecret ENC 7pBMhO++cMPWUb/IuTJUdifxAZ0gWeKgt8mCsUEB7VNU0zfVSY0qzLr57Qb2pheSem0q05wwzlj17Byn7E5JZKHR+vl9Ca6fN5/DzfuxVYx3DvgS6lR/zWASKKwStBBeeIuXdtf0x3D8fO8UZIH3ImFy3McpcZMDtd1bB1ePH+EiDuVJu9IhBNmGGrlRw2EIjPFe0g==
next
end
FGT03 #
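The FGT03 `show` output above illustrates why the "set ike 2" step matters: before the change there is no `ike-version` line at all, because FortiOS defaults to IKEv1, and the wizard's `des-md5 des-sha1` proposal uses DES and MD5, both of which are deprecated for IKE. The following Python audit is an added example, not part of the lab notes or of FortiOS; it parses `show vpn ipsec phase1-interface` text of the shape shown on this page and flags tunnels that are still on IKEv1 or that carry a weak proposal. The sample input is constructed (modelled on the FGT01 "Spokes" entry, with a placeholder in place of the psksecret blob, plus a hypothetical "Legacy" tunnel with a hypothetical remote gateway 192.0.2.10).

```python
import re

# Constructed sample modelled on the wizard output in the lab notes; the
# psksecret blob is replaced by a placeholder and the "Legacy" entry is
# hypothetical (it shows what an un-adjusted IKEv1 tunnel looks like).
SAMPLE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "Spokes"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-md5 des-sha1
        set add-route disable
        set dpd on-idle
        set wizard-type hub-fortigate-auto-discovery
        set auto-discovery-sender enable
        set psksecret ENC <redacted-placeholder>
    next
    edit "Legacy"
        set interface "port2"
        set peertype any
        set proposal aes256-sha256
        set remote-gw 192.0.2.10
        set psksecret ENC <redacted-placeholder>
    next
end
"""

# Algorithm tokens that should not appear in a phase1 proposal any more.
WEAK_TOKENS = {"des", "3des", "md5", "sha1"}


def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} from FortiOS `show` output."""
    tunnels = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set (\S+) (.*)$", line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2)
    return tunnels


def audit_phase1(tunnels):
    """Return {tunnel_name: [finding, ...]} for settings worth changing."""
    findings = {}
    for name, cfg in tunnels.items():
        issues = []
        # A missing ike-version line means the FortiOS default, IKEv1.
        if cfg.get("ike-version", "1") != "2":
            issues.append("ike-version is not 2")
        # Each proposal token is <encryption>-<hash>; flag weak algorithms.
        for prop in cfg.get("proposal", "").split():
            if set(prop.split("-")) & WEAK_TOKENS:
                issues.append(f"weak proposal {prop}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for tunnel, issues in audit_phase1(parse_phase1(SAMPLE_PHASE1)).items():
        print(tunnel, "->", "; ".join(issues))
```

Run against the sample, the audit reports both wizard proposals on "Spokes" and the missing IKEv2 setting on "Legacy"; pointed at a real `show` dump it gives a quick checklist of which tunnels still need the step 4.1 adjustment and a stronger proposal.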
4.2 BGP
4.3 Firewall Policy
5. Verify VPN to FGT01
6. Verify BGP
7. Verify from CLI:
Before pinging FGT02, there is only one tunnel, to the Hub.
FGT03 # get vpn ipsec tunnel sum
'Hub' 172.16.11.1:0 selectors(total,up): 1/1 rx(pkt,err): 50/0 tx(pkt,err): 51/1
FGT03 #
After sending some traffic to FGT02, a dynamic tunnel to FGT02 is established automatically.
FGT03 # exe ping 20.20.20.20
PING 20.20.20.20 (20.20.20.20): 56 data bytes
64 bytes from 20.20.20.20: icmp_seq=0 ttl=254 time=3.4 ms
64 bytes from 20.20.20.20: icmp_seq=1 ttl=254 time=1.7 ms
64 bytes from 20.20.20.20: icmp_seq=2 ttl=254 time=1.8 ms
64 bytes from 20.20.20.20: icmp_seq=3 ttl=254 time=1.9 ms
64 bytes from 20.20.20.20: icmp_seq=4 ttl=254 time=2.7 ms
--- 20.20.20.20 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.7/2.3/3.4 ms
FGT03 #
FGT03 #
FGT03 # get vpn ipsec tunnel sum
'Hub' 172.16.11.1:0 selectors(total,up): 1/1 rx(pkt,err): 57/0 tx(pkt,err): 58/1
'Hub_0' 172.16.22.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
FGT03 #
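Step 7 on FGT02 and on FGT03 is verified by eye from `get vpn ipsec tunnel sum` and `get router info bgp sum`. The Python below is an added example (not from the lab notes and not a FortiOS tool) that parses output of exactly that shape and summarises what the two commands show: whether the static tunnel to the hub is up, which ADVPN shortcuts (the `Hub_0` style entries) have appeared, whether the BGP neighbour is established and how many prefixes it sent, and any tunnels reporting tx errors. The sample inputs are constructed from the FGT03 output above; the `_N` suffix rule for shortcut names is taken from the `Hub_0` entry on this page.

```python
import re

# Constructed sample modelled on `get vpn ipsec tunnel sum` on FGT03 after the
# ping: the static tunnel to the hub plus the auto-discovered shortcut.
TUNNEL_SUM = """\
'Hub' 172.16.11.1:0 selectors(total,up): 1/1 rx(pkt,err): 57/0 tx(pkt,err): 58/1
'Hub_0' 172.16.22.1:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/0
"""

# Constructed sample modelled on `get router info bgp sum` from the lab notes.
BGP_SUM = """\
VRF 0 BGP router identifier 2.2.2.2, local AS number 65400
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.160.10.1 4 65400 9 9 1 0 0 00:04:29 1
Total number of neighbors 1
"""

TUNNEL_RE = re.compile(
    r"^'(?P<name>[^']+)' (?P<gw>[\d.]+):(?P<port>\d+) "
    r"selectors\(total,up\): (?P<sel_total>\d+)/(?P<sel_up>\d+) "
    r"rx\(pkt,err\): (?P<rx>\d+)/(?P<rx_err>\d+) "
    r"tx\(pkt,err\): (?P<tx>\d+)/(?P<tx_err>\d+)$"
)


def parse_tunnel_sum(text):
    """One dict per tunnel line; counters converted to int."""
    tunnels = []
    for line in text.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if not m:
            continue
        d = {k: (v if k in ("name", "gw") else int(v))
             for k, v in m.groupdict().items()}
        # ADVPN shortcuts are named after the parent phase1 plus a _N suffix.
        d["shortcut"] = bool(re.search(r"_\d+$", d["name"]))
        tunnels.append(d)
    return tunnels


def parse_bgp_sum(text):
    """One dict per neighbour row of the BGP summary table."""
    neighbors = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 10 and re.match(r"^\d+\.\d+\.\d+\.\d+$", parts[0]):
            # State/PfxRcd is a prefix count when Established, else a state.
            established = parts[9].isdigit()
            neighbors.append({
                "neighbor": parts[0],
                "as": int(parts[2]),
                "uptime": parts[8],
                "established": established,
                "prefixes": int(parts[9]) if established else 0,
            })
    return neighbors


def summarize_spoke(tunnel_text, bgp_text, hub_name="Hub"):
    """Condense both command outputs into the checks step 7 asks for."""
    tunnels = parse_tunnel_sum(tunnel_text)
    hub = next((t for t in tunnels if t["name"] == hub_name), None)
    neighbors = parse_bgp_sum(bgp_text)
    return {
        "hub_up": hub is not None and hub["sel_up"] == hub["sel_total"] > 0,
        "shortcuts": [t["name"] for t in tunnels if t["shortcut"]],
        "bgp_established": any(n["established"] for n in neighbors),
        "prefixes_received": sum(n["prefixes"] for n in neighbors),
        "tx_errors": {t["name"]: t["tx_err"] for t in tunnels if t["tx_err"]},
    }


if __name__ == "__main__":
    print(summarize_spoke(TUNNEL_SUM, BGP_SUM))
```

On the sample this reports the hub tunnel up, one shortcut (`Hub_0`), an established neighbour with one prefix received, and the single tx error on `Hub` that the page's own output also shows; running it before and after the ping in step 7 makes the appearance of the shortcut explicit rather than something to spot by eye.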