Hub 1

The document configures a hub site for an ADVPN network with 4 IPsec tunnels across 2 interfaces. It sets up interfaces, BGP neighbors, firewall policies, and addresses to allow spoke-to-spoke connectivity over the IPsec tunnels.

Uploaded by

aripang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views7 pages

Hub 1

The document configures a hub site for an ADVPN network with 4 IPsec tunnels across 2 interfaces. It sets up interfaces, BGP neighbors, firewall policies, and addresses to allow spoke-to-spoke connectivity over the IPsec tunnels.

Uploaded by

aripang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 7

config system global

# Hub identity: hostname shown in the CLI prompt and in logs.
set hostname Hub1


# FortiOS numeric timezone id; confirm 53 matches the site's actual zone.
set timezone 53
end

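config system interface


# Physical underlay interfaces. port1/port2 are the two Internet-facing
# WAN links (they become the SD-WAN members below); port3 is the LAN.
#
# Management access (http, ssh) was removed from the WAN ports: the original
# exposed plaintext HTTP and SSH administration to the Internet. Administer
# the hub from port3 or over the VPN instead; if remote admin over the
# underlay is unavoidable, allow https only and restrict the admin
# accounts to trusted source hosts.
edit port1
set mode static
set ip 192.168.101.1/24
set allowaccess ping
set role wan
set alias Internet1
next

# port2 is configured like port1 (mode static added for consistency;
# static is the default).
edit port2
set mode static
set ip 192.168.102.1/24
set allowaccess ping
set role wan
set alias Internet2
next

# LAN side. http replaced with https so admin sessions are not in cleartext.
edit port3
set ip 10.1.0.254/24
set role lan
set alias LAN
set allowaccess ping https ssh
next
end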

config system sdwan


# SD-WAN with both WAN ports as members; each member's gateway is the
# upstream router on that underlay. "edit 0" lets FortiOS assign the
# member ids (the health-check below refers to them as 1 and 2 - confirm).
set status enable
config members
edit 0
set interface port1
set gateway 192.168.101.254
next
edit 0
set interface port2
set gateway 192.168.102.254
next
end
end

config router static


# Default route handed to SD-WAN, so egress is chosen among the members
# above rather than by a fixed gateway.
edit 0
set sdwan enable
end

config system sdwan


# Attach the built-in health check to both SD-WAN members. The member ids
# 1 and 2 are assumed to be the auto-assigned ids from the members block
# above - verify with "show system sdwan" if the ids differ.
config health-check
edit "Default_Google Search"
set member 1 2
end
end

config firewall policy


# LAN -> Internet via SD-WAN (virtual-wan-link), source NAT on egress.
# Allows every service; logging is set to all, which is the baseline the
# VPN policies further down should match.
edit 0
set name "LAN-to-Internet"
set srcintf port3
set dstintf virtual-wan-link
set srcaddr all
set dstaddr all
set schedule always
set action accept
set service ALL
set nat enable
set logtraffic all
end

config system settings


# VDOM-level switch for accepting TCP sessions that did not start with a
# SYN. It appears to be what makes the per-policy "tcp-session-without-syn"
# option used in the ADVPN policies below available - confirm. It relaxes
# stateful inspection, so keep it paired only with the tunnel-facing policy.
set tcp-session-without-syn enable
end
# Four dial-up IKEv2 phase1 definitions, two per WAN port (inet-11x on port1,
# inet-12x on port2). Each carries its own network-id (1, 2, 5, 6) and hands
# spokes a tunnel address from its own 10.255.N.0/24 pool via mode-cfg; the
# hub's own address on each overlay (.254/32) is set in the tunnel
# interface block further down.
#
# SECURITY (review): all four tunnels use "set peertype any" with the same
# pre-shared key, and the key is the well-known demo value "fortinet".
# Anyone who knows that value can bring up a tunnel, receive a mode-cfg
# address and land inside the BGP neighbor-range below. Replace it with a
# long, unique secret per tunnel (or move to certificate authentication)
# before this config reaches a real network.
#
# add-route is disabled because BGP (configured below) carries the routes;
# auto-discovery-sender is the hub side of ADVPN shortcut offers; net-device
# disable + tunnel-search nexthop presumably keeps a single tunnel interface
# per phase1 shared by all spokes - confirm against the spoke configs, which
# must use matching network-id values.
config vpn ipsec phase1-interface
edit "inet-111"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 1
set tunnel-search nexthop
set ipv4-start-ip 10.255.1.10
set ipv4-end-ip 10.255.1.253
set ipv4-netmask 255.255.255.0
# weak, shared demo PSK - see note above
set psksecret fortinet
set dpd-retryinterval 60
next
edit "inet-112"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 2
set tunnel-search nexthop
set ipv4-start-ip 10.255.2.10
set ipv4-end-ip 10.255.2.253
set ipv4-netmask 255.255.255.0
# weak, shared demo PSK - see note above
set psksecret fortinet
set dpd-retryinterval 60
next
edit "inet-121"
set type dynamic
set interface "port2"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 5
set tunnel-search nexthop
set ipv4-start-ip 10.255.5.10
set ipv4-end-ip 10.255.5.253
set ipv4-netmask 255.255.255.0
# weak, shared demo PSK - see note above
set psksecret fortinet
set dpd-retryinterval 60
next
edit "inet-122"
set type dynamic
set interface "port2"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set network-overlay enable
set network-id 6
set tunnel-search nexthop
set ipv4-start-ip 10.255.6.10
set ipv4-end-ip 10.255.6.253
set ipv4-netmask 255.255.255.0
# weak, shared demo PSK - see note above
set psksecret fortinet
set dpd-retryinterval 60
next
end
# One phase2 per phase1. Offers AES-256-CBC/SHA-256 and AES-256-GCM so the
# spoke may pick either; keepalive keeps the SA up without data, and the
# 1800 s key lifetime forces a rekey every 30 minutes.
config vpn ipsec phase2-interface
edit "inet-111_p2"
set phase1name "inet-111"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
edit "inet-112_p2"
set phase1name "inet-112"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
edit "inet-121_p2"
set phase1name "inet-121"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
edit "inet-122_p2"
set phase1name "inet-122"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
end
# Overlay addressing. VPNLoop is a /32 loopback (10.255.127.254) that the
# "Hub-HC" address object and the "ADVPN Hub HC" policy below expose to the
# spokes as the health-check target. Each tunnel interface gets the hub's
# .254/32 address on its overlay and a remote-ip in the matching mode-cfg
# pool; only ping is allowed on the overlay interfaces.
config system interface
edit "VPNLoop"
set vdom "root"
set type loopback
set allowaccess ping
set ip 10.255.127.254 255.255.255.255
next
edit "inet-111"
set vdom "root"
set ip 10.255.1.254 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.255.1.10 255.255.255.0
set interface "port1"
next
edit "inet-112"
set vdom "root"
set ip 10.255.2.254 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.255.2.10 255.255.255.0
set interface "port1"
next
edit "inet-121"
set vdom "root"
set ip 10.255.5.254 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.255.5.10 255.255.255.0
set interface "port2"
next
edit "inet-122"
set vdom "root"
set ip 10.255.6.254 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.255.6.10 255.255.255.0
set interface "port2"
next
end
# iBGP (AS 65000) between hub and spokes. The hub acts as route reflector
# for every neighbor group, enables multipath and advertises up to 4
# additional paths so spokes can see a route over each overlay. Neighbors
# are not listed individually: any peer inside an overlay /24 (the mode-cfg
# pools) is accepted through the matching neighbor-range. The hub only
# originates its LAN prefix 10.1.0.0/24.
#
# NOTE (review): no BGP session password is configured. The sessions are
# reachable only through the tunnel interfaces, so IPsec authentication is
# the sole gate on who can peer - which is why the phase1 pre-shared keys
# must be strong. Consider a per-group "password" as defence in depth.
config router bgp
set as 65000
set ibgp-multipath enable
set additional-path enable
set additional-path-select 4
config neighbor-group
edit "inet-111"
set advertisement-interval 1
set link-down-failover enable
set next-hop-self enable
set soft-reconfiguration enable
set interface "inet-111"
set remote-as 65000
set update-source "inet-111"
set additional-path send
set adv-additional-path 4
set route-reflector-client enable
next
edit "inet-112"
set advertisement-interval 1
set link-down-failover enable
set next-hop-self enable
set soft-reconfiguration enable
set interface "inet-112"
set remote-as 65000
set update-source "inet-112"
set additional-path send
set adv-additional-path 4
set route-reflector-client enable
next
edit "inet-121"
set advertisement-interval 1
set link-down-failover enable
set next-hop-self enable
set soft-reconfiguration enable
set interface "inet-121"
set remote-as 65000
set update-source "inet-121"
set additional-path send
set adv-additional-path 4
set route-reflector-client enable
next
edit "inet-122"
set advertisement-interval 1
set link-down-failover enable
set next-hop-self enable
set soft-reconfiguration enable
set interface "inet-122"
set remote-as 65000
set update-source "inet-122"
set additional-path send
set adv-additional-path 4
set route-reflector-client enable
next
end
# Dynamic neighbors: one /24 per overlay, mapped to its neighbor group.
config neighbor-range
edit 0
set prefix 10.255.1.0 255.255.255.0
set neighbor-group "inet-111"
next
edit 0
set prefix 10.255.2.0 255.255.255.0
set neighbor-group "inet-112"
next
edit 0
set prefix 10.255.5.0 255.255.255.0
set neighbor-group "inet-121"
next
edit 0
set prefix 10.255.6.0 255.255.255.0
set neighbor-group "inet-122"
next
end
# Prefix originated by the hub (its LAN on port3).
config network
edit 0
set prefix 10.1.0.0 255.255.255.0
next
end
end
# Address objects: the three RFC 1918 ranges (grouped below as RFC_1918_ALL
# and used as src/dst on the VPN policies) and the hub health-check
# loopback address.
config firewall address
edit "RFC_1918_10"
set subnet 10.0.0.0 255.0.0.0
next
edit "RFC_1918_172_16"
set subnet 172.16.0.0 255.240.0.0
next
edit "RFC_1918_192_168"
set subnet 192.168.0.0 255.255.0.0
next
# Matches the VPNLoop interface address.
edit "Hub-HC"
set subnet 10.255.127.254 255.255.255.255
next
end
# Group of all private ranges; note this also covers the WAN underlay
# subnets (192.168.101.0/24, 192.168.102.0/24), so policies that use it
# as a source are broader than "spoke LANs only".
config firewall addrgrp
edit "RFC_1918_ALL"
set member "RFC_1918_10" "RFC_1918_172_16" "RFC_1918_192_168"
next
end
# Policy routes with no destination or gateway: traffic that arrives on a
# tunnel interface is sent back out the same tunnel interface. This
# presumably keeps spoke-to-spoke traffic relayed by the hub on the overlay
# it arrived on (so an ADVPN shortcut can form on that overlay) rather than
# letting BGP multipath move it to another tunnel - confirm intent.
config router policy
edit 0
set input-device "inet-111"
set output-device "inet-111"
next
edit 0
set input-device "inet-112"
set output-device "inet-112"
next
edit 0
set input-device "inet-121"
set output-device "inet-121"
next
edit 0
set input-device "inet-122"
set output-device "inet-122"
next
end
## Firewall policy is required for the VPN to stand up - please lock down these policies as appropriate
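config firewall policy
# Tunnel-to-tunnel: lets spoke traffic transit the hub and lets ADVPN
# shortcuts negotiate. anti-replay disable and tcp-session-without-syn all
# are presumably there to survive the asymmetric paths that appear when a
# shortcut comes up mid-session; both weaken stateful inspection, so they
# stay scoped to the tunnel interfaces only and are not repeated on the
# other policies. Logging changed from disable to all so spoke traffic is
# recorded like the LAN-to-Internet policy above.
edit 0
set name "ADVPN Spoke to Spoke"
set srcintf "inet-111" "inet-112" "inet-121" "inet-122"
set dstintf "inet-111" "inet-112" "inet-121" "inet-122"
set srcaddr "RFC_1918_ALL"
set dstaddr "RFC_1918_ALL"
set action accept
set schedule "always"
set service "ALL"
set anti-replay disable
set tcp-session-without-syn all
set logtraffic all
next
# Hub -> overlay. srcintf "any" also matches the WAN ports; narrow it to
# the LAN interface(s) (port3 here) once the hub's topology is known, and
# tighten service from ALL to what the spokes actually need.
edit 0
set name "ADVPN Out"
set srcintf "any"
set dstintf "inet-111" "inet-112" "inet-121" "inet-122"
set srcaddr "RFC_1918_ALL"
set dstaddr "RFC_1918_ALL"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
# Overlay -> hub. Same remark as above for dstintf "any" and service ALL.
edit 0
set name "ADVPN In"
set srcintf "inet-111" "inet-112" "inet-121" "inet-122"
set dstintf "any"
set srcaddr "RFC_1918_ALL"
set dstaddr "RFC_1918_ALL"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
# Spoke health checks to the hub loopback (Hub-HC = VPNLoop address).
# Left unlogged on purpose: it is periodic probe traffic and would flood
# the log. Service could be narrowed to the probe protocol the spokes use.
edit 0
set name "ADVPN Hub HC"
set srcintf "inet-111" "inet-112" "inet-121" "inet-122"
set dstintf "VPNLoop"
set srcaddr "all"
set dstaddr "Hub-HC"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
end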
