I was having a hard time getting BGP to establish and I think the issue is with the tunnel interface IPs. I found they would not respond to each other as I could see incoming traffic when running a sniffer, but there would be no response (e.g icmp echo but no reply). I could confirm the VPN tunnels were active because if I flushed them the SAs immediately renegotiate.
I think the problem is in the steps for the Hub Fortigate. On each Spoke, the guide directs you to enter a static route for the /24 used for the tunnel interfaces, but this step is missing from the Hub. If I try to ping a Spoke's tunnel IP from the Hub, I get "sendto failed". If I ping from Spoke to Hub, I just lose all of the packets.
I tested this by adding a static route for the /24 used by the tunnel IPs and pointed at the ADVPN interface just like the guide directs you to do for the Spokes. I was then able to ping between these interfaces.
With this in place, BGP finally came up after a little while. However, I could only get BGP to establish between the Hub and one Spoke. Traffic between these two is passing fine, but when I tried to pass traffic from the subnet behind Spoke #2 and the Hub, BGP wouldn't establish. The tunnel is up, but the tunnel interfaces aren't talking to each other. A sniffer on the Hub show that the pings from Spoke #2's tunnel interface IP are making it to the Hub and the Hub is replying, but those replies don't make it to Spoke #2. If I run the sniffer on Spoke #2, I only see the outbound pings from Spoke #2.
Edit: So I failed to mention that I'm testing this on 6.0.1. I found this 6.0 ADVPN guide
, but I'm getting a little confused on some of the config examples.
For example, when it directs to set the remote-ip
on the tunnel interface it doesn't include a subnet mask, but my Fortigates force me to provide a subnet mask:
FTG3_Lab (ADVPN) # set remote-ip
<class_ip&net_netmask> IP address and subnet mask (syntax = 220.127.116.11/24).
I'm not sure if the mask should be a /32 like I have assigned on my tunnel interfaces or a /24 like the static route on the spokes, but neither work.
Also, this guide directs you to use set auto-discovery-psk
in the phase 1 config on the hub, but fails to mention this attribute of the phase 1 config isn't available unless you set auth-mode signature
. This then requires a certificate attribute to be set. The only mentioning of the word certificate in this entire guide is "if certificates are confgured...". Sorry that I'm mostly complaining at this point, but when a technical guide gives partial config examples and later words them as optional, it makes it difficult to know if you done things right.
To expand upon this (and I literally just noticed it now while typing this edit), the 5.4 guide has comments on the bottom acknowledging command differences between 5.4, 5.6, and 6.0. This acknowledgement directs readers to KB article FD39360
. I am going to read the PDF linked in this KB article and see if I can get this working in 6.0. I apologize if it sounds like I'm complaining. I'm really just trying to help someone else out if they experience the same issues I have been with setting up ADVPN.
post edited by routetehpacketz - 2018/07/11 14:05:31