SHARIFUL's TECH BLOG

In part I , we have configured dial-up IPSec tunnel at the Hub1 and eliminated any configuration change required at the Hub/HQ site when a new Spoke/Branch is added to the network. But there is a limitation. That is even though we have achieved configuration flexibility, our underlying topology is still hub-and-spoke. All spoke-to-spoke communication goes through the hub first. With ADVPN we can remove that limitation. We can achieve a fully meshed network by using ADVPN (Auto Discovery VPN). How ??? If someone is familiar with Cisco's DMVPN, the concepts are same here. Instead Fortinet's calls their implementation ADVPN . Before explaining how ADVPN works, have a look at our physical and routing topology from part I -  ADVPN Physical Topology ADVPN Routing Topology For example, when Spoke2 tries to communicate with Spoke3 - as usual traffic goes to the  Hub1. Hub1 knows the whole network topology. When Hub1 sees that two spokes are trying to communic...

This is the first part of a series where we will look at Fortigate's ADVPN (Auto Discovery VPN) implementation and how it works. As usual the question - what is ADVPN and why do we need it. Let's do an example topology. We have a hub (Central/HQ site) and spoke (Branch site) consisting of 21 nodes (1+20). As this is a hub-and-spoke topology all the inter-site communication goes through Hub/Central site. All the traffic between sites is encrypted by IPSec. Now 21st site comes online. What we will need at least to connect this new spoke with the rest of the network is - At the HUB - A new IPSec site-to-site tunnel configuration. New dynamic routing configuration so that hub can send and receive routing information to spoke. Firewall rules adjustments. At the Spoke (new site) A new IPSec site-to-site tunnel configuration. New dynamic routing configuration so that spoke can send and receive routing information to hub. Firewall rules adjustments. What if there ...