Hi Guys,

Have everyone ever tried to config ADVPN with OSPF before? I am planning deploy ADVPN with OSPF between HQ and Brachs on next month. I want to do a lab with 1 Hub and 2 Spoke fisrt and follow the admin guide document, I have configured VPN and OSPF on all FG devices but the result is not as expected. All spoke can see the route from other, but the route always show the nexthop is Hub's IP. It means that spokes cannot establish neighbor together and cannot forward traffic directly.

+ HERE IS CONFIGURATION:

******* VPN config*********

- HUB:

config vpn ipsec phase1-interface edit "Hub2Spokes" set type dynamic set interface "port1" set peertype any set net-device enable set proposal des-md5 des-sha1 set add-route disable set dpd on-idle set auto-discovery-sender enable set psksecret ENC nsxqpsDPxjEVIkzt0I9tuJiVs+O2EesJODHPR21JdhMCbJNAxRwCNHmt4r9e7cBAdTGpRTbhegAA6yiVlgMaV0cNrP80m/7cVY2OdvRJWanFKO0yqnDR/ifXfT8NUo6UiljRzTkq6+fgD3+RCH8Bvw0Fy5rVu2unDl+hjh0bmmaFF70myq9u2hwbHuX6aCjGz08n3A== set dpd-retryinterval 5 next end config vpn ipsec phase2-interface edit "Hub2Spokes_P2" set phase1name "Hub2Spokes" set proposal des-md5 des-sha1 next end

Config system interface

edit "Hub2Spokes" set vdom "root" set ip 192.168.150.253 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 192.168.150.254 255.255.255.0 set snmp-index 13 set interface "port1" next

- SPOKES:

config vpn ipsec phase1-interface edit "Spoke_2Hub" set interface "port1" set peertype any set net-device enable set proposal des-md5 des-sha1 set add-route disable set dpd on-idle set auto-discovery-receiver enable set remote-gw 172.16.5.41 set psksecret ENC zeR62T4O2lwOpmUPCCrW3k9v+AInaP11ZZDl42PT4/TAkMtDE8YWdTB6fTNCmyp8cbxao/AeR9XjltVUOt9gVpp0QPT5PiKjYvo494dM9DkOoxuUr7TiXI2vtheQ/jS93+U7QDBvSQwCDFx3Q3tayQVCdiZQMzrPeM/IPK7+bomQMOKfSN8knH4dd2KXixhmlbSsHw== set dpd-retryinterval 5 next end config vpn ipsec phase2-interface edit "Spoke_2Hub" set phase1name "Spoke_2Hub" set proposal des-md5 des-sha1 set auto-negotiate enable next end

Config system interface

edit "Spoke_2Hub" set vdom "root" set ip 192.168.150.2 255.255.255.255 (Spoke 2 is 192.168.150.3) set allowaccess ping set type tunnel set remote-ip 192.168.150.253 255.255.255.0 set snmp-index 13 set interface "port1" next

*********OSPF Config************

+ HUB:

config router ospf set router-id 1.1.1.1 config area edit 0.0.0.0 next end config network edit 1 set prefix 1.1.1.1 255.255.255.255 next edit 2 set prefix 192.168.150.0 255.255.255.0 next end

- SPOKE1:

config router ospf set router-id 2.2.2.2 config area edit 0.0.0.0 next end config network edit 1 set prefix 2.2.2.2 255.255.255.255 next edit 2 set prefix 192.168.150.0 255.255.255.0 next end

- SPOKE2:

config router ospf set router-id 3.3.3.3 config area edit 0.0.0.0 next end config network edit 1 set prefix 3.3.3.3 255.255.255.255 next edit 2 set prefix 192.168.150.0 255.255.255.0 next end

************RESULTS************

I have tried to set ospf-interface network type to point-to-multipoint but still not fix the problem. The attached files is the configuration of all FG devices and the routing table of OSPF.

Have anyone help me to figure what are configuration that I missed?

PS: As the admin guide, for FortiOS version 6.2.8, the net-device (enable) and tunnel-search (nexthop) must set on Hub, but as I see, if the net-device is set to enable, the tunnel-search command does not exist in the CLI.

I have also tried setup ADVPN and OSPF with latest fortiOS 7.1, but the result is same.

Hope everyone can help me.

Best regards,