I. Network requirements

In the traditional Hub-Spoke model, a Spoke can only build a permanent tunnel to the Hub, and traffic between Spokes has to be forwarded through the Hub. This lightens the load on the Spokes but raises the performance requirement on the Hub, while making it easier for headquarters to monitor inter-branch traffic. In the Full-Mesh model implemented with ADVPN, Spokes can build dynamic direct tunnels to each other, so inter-branch traffic is forwarded directly. By comparison, the Hub's load is reduced and the latency of inter-branch traffic is lower, which benefits real-time traffic such as VoIP. Choose between the two models according to your own requirements.

As shown in the figure, the HUB and the SPOKEs use ADVPN to build a FULL-MESH of IPsec VPN connectivity between all branches and headquarters, and between the branches themselves.

II. Network topology

ADVPN implementation topology:

Topology for the configuration example, with the business subnets of the whole network learned through dynamic routing:

VPN tunnel IP address allocation and BGP plan:

III. Configuration outline

1. Configure FortiGate1

    1) Basic Internet access configuration

    2) ADVPN configuration on the HUB side

2. Configure FortiGate2

    1) Basic Internet access configuration

    2) ADVPN configuration on the SPOKE (SH) side

3. Configure FortiGate3

    1) Basic Internet access configuration

    2) ADVPN configuration on the SPOKE (GZ) side

Note: to delete an IPsec VPN phase 1 or phase 2, first delete the routes and firewall policies that reference it.

IV. Configuration steps

1. Configure FortiGate1 (BJ) --- HUB --- FortiGate1-HQ-BJ

1) Basic Internet access configuration

For the detailed procedure, refer to the section "Typical functions in routing mode -- single-link Internet access -- Internet access over a static-address link":

Interface IP configuration:

Routing configuration:

2) ADVPN configuration on the HUB side

Configure IPsec VPN phase 1:

config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1        // lab values: DES and MD5 are deprecated, use AES/SHA-2 proposals in production (same for the phase 2 and Spoke proposals below)
        set dpd on-idle
        set add-route disable
        set auto-discovery-sender enable
        set net-device disable
        set tunnel-search nexthop
        set psksecret Fortinet123#
        set dpd-retryinterval 60
    next
end

Notes:

1. Because headquarters must build IPsec VPNs with SPOKEs of different access types (static IP / PPPoE), the HUB must use dynamic mode.

2. Newer versions support ADVPN in both main mode and aggressive mode, while older versions do not support aggressive mode; main mode is normally the right choice.

3. Because the BGP dynamic routing protocol is used, automatic route injection must be disabled with "add-route disable".

4. The HUB side must enable "auto-discovery-sender enable" so that it can receive and send the information the Spokes need to build direct tunnels to each other (the Hub's response tells a Spoke which public IP its dynamic tunnel should connect to).

5. "net-device disable" is the default in newer versions; keep the default of disable.

6. "tunnel-search nexthop" is used because the tunnel must be found by looking up the route's next hop, rather than by matching interesting traffic.

Configure IPsec VPN phase 2:

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal des-md5 des-sha1
        set keepalive enable
    next
end

Configure the IPsec VPN tunnel IP:

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.254 255.255.255.0   // 10.10.10.254 is not a real IP; choose an unused reserved address
        set role lan
        set interface "port1"
    next
end

Note: 1. remote-ip 10.10.10.254 is a reserved IP that no Spoke uses. An IPsec tunnel is point-to-point, but in ADVPN this single tunnel must serve several SPOKEs at once, so the remote IP must not be set to the IP of any existing SPOKE.

Configure BGP and the route reflector:

config router bgp
    set as 100
    set router-id 10.10.10.1
    config neighbor-group                              // neighbor-group feature
        edit "ADVPN-PEERS"
            set remote-as 100
            set route-reflector-client enable          // make the peers RR clients; this Hub becomes the route reflector
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "ADVPN-PEERS"
        next
    end
    config network
        edit 1
            set prefix 192.168.0.0 255.255.255.0       // advertise the HQ subnet
        next
    end
end

Notes: 1. With the BGP neighbor-group feature, any BGP peer whose address matches the prefix 10.10.10.0/24 can establish a BGP neighborship with the HUB.

2. Setting the neighbors as Route-Reflector-Clients makes this device the route reflector (Route-Reflector); the reflection mechanism keeps the routes of the whole network synchronized in real time.

Policy configuration:

config firewall policy
    edit 2
        set name "VPN-IN"
        set srcintf "ADVPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "port2"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "SPOKE-TO-SPOKE"       // Hub-side permit for Spoke-to-Spoke transit; "all"/"ALL" are lab values, restrict to the branch subnets and services in production
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Note: be sure to configure the policy that permits traffic from ADVPN to ADVPN (i.e. between SPOKEs).

2. Configure FortiGate2 (SH) --- SPOKE --- FortiGate2-Branch-SH

1) Basic Internet access configuration

Interface IP configuration:

The default route is obtained automatically via DHCP:

2) ADVPN configuration on the SPOKE (SH) side

Configure IPsec VPN phase 1:

config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 100.1.1.1
        set psksecret Fortinet123#
    next
end

Notes:

1. Because the HUB at headquarters has a fixed public IP, the branch configures a static IPsec VPN.

2. The Spoke side must enable "auto-discovery-receiver enable" so that it can receive ADVPN information from the Hub.

3. Likewise, because the Spoke uses the BGP dynamic routing protocol, automatic route injection must be disabled (add-route disable).

Configure IPsec VPN phase 2:

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal des-md5 des-sha1
        set auto-negotiate enable
    next
end

Configure the IPsec VPN tunnel IP:

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.0   // points to the HUB's tunnel IP address
        set role lan
        set interface "port1"
    next
end

Configure BGP and advertise the business subnet:

config router bgp
    set as 100
    set router-id 10.10.10.2
    config neighbor
        edit "10.10.10.1"                      // a BGP neighborship with the HUB alone is sufficient
            set remote-as 100
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0   // advertise the business subnet
        next
    end
end

Policy configuration:

config firewall policy
    edit 2
        set name "VPN-IN"
        set srcintf "ADVPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "port2"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3. Configure FortiGate3 (GZ) --- SPOKE --- FortiGate3-Branch-GZ

1) Basic Internet access configuration

Interface IP configuration:

The default route is obtained automatically via PPPoE:

2) ADVPN configuration on the SPOKE (GZ) side

Configure IPsec VPN phase 1:

config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set add-route disable
        set auto-discovery-receiver enable
        set remote-gw 100.1.1.1
        set psksecret Fortinet123#
    next
end

Notes:

1. Because the HUB at headquarters has a fixed public IP, the branch configures a static IPsec VPN.

2. The Spoke side must enable "auto-discovery-receiver enable" so that it can receive ADVPN information from the Hub.

3. Likewise, because the Spoke uses the BGP dynamic routing protocol, automatic route injection must be disabled (add-route disable).

Configure IPsec VPN phase 2:

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal des-md5 des-sha1
        set auto-negotiate enable
    next
end

Configure the IPsec VPN tunnel IP:

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.3 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.10.10.1 255.255.255.0   // points to the HUB's tunnel IP address
        set role lan
        set interface "port1"
    next
end

Configure BGP and advertise the business subnet:

config router bgp
    set as 100
    set router-id 10.10.10.3                   // must be unique per BGP speaker; corrected from 10.10.10.2, which duplicated Spoke1's router-id
    config neighbor
        edit "10.10.10.1"                      // a BGP neighborship with the HUB alone is sufficient
            set remote-as 100
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0   // advertise the business subnet
        next
    end
end

Policy configuration:

config firewall policy
    edit 2
        set name "VPN-IN"
        set srcintf "ADVPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "VPN-OUT"
        set srcintf "port2"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

This completes the configuration of the HUB, Spoke1 and Spoke2.

V. Verifying the configuration

State of HUB/SPOKE1/SPOKE2 while there is no traffic between SPOKE1 and SPOKE2:

HUB (BJ) state

HUB IPsec VPN establishment:

Monitor--->IPsec Monitor

Routes learned by the HUB:

Monitor--->Routing Monitor

FortiGate1-HQ-BJ #  get router info routing-table all
S*      0.0.0.0/0 [10/0] via 100.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.1/32 is directly connected, ADVPN
C       100.1.1.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port2
B       192.168.1.0/24 [200/0] via 10.10.10.2, ADVPN, 07:56:26
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:57:58

SPOKE1 (SH) state

SPOKE1 IPsec VPN establishment (IPsec is built with the HUB only):

Monitor--->IPsec Monitor

Routes learned by SPOKE1:

Monitor--->Routing Monitor

FortiGate2-Branch-SH # get router info routing-table all
S*      0.0.0.0/0 [5/0] via 101.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN
C       101.1.1.0/24 is directly connected, port1
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 07:55:45
C       192.168.1.0/24 is directly connected, port2
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:55:45
S       192.168.91.0/24 [10/0] is directly connected, port1

SPOKE2 (GZ) state

SPOKE2 IPsec VPN establishment (IPsec is built with the HUB only):

Monitor--->IPsec Monitor

Routes learned by SPOKE2:

Monitor--->Routing Monitor

FortiGate3-Branch-GZ # get router info routing-table all
S*      0.0.0.0/0 [5/0] via 102.1.1.254, ppp0
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.3/32 is directly connected, ADVPN
C       102.1.1.1/32 is directly connected, ppp0
C       102.1.1.254/32 is directly connected, ppp0
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 08:02:06
B       192.168.1.0/24 [200/0] via 10.10.10.2, ADVPN, 08:00:15
C       192.168.2.0/24 is directly connected, port2
S       192.168.91.0/24 [10/0] via 102.1.1.254, ppp0


Device state after Spoke-to-Spoke business traffic

As soon as traffic between SPOKE1 and SPOKE2 is initiated, the ADVPN mechanism is triggered immediately and SPOKE1 and SPOKE2 dynamically negotiate a direct IPsec VPN tunnel. Next we observe the state of HUB/SPOKE1/SPOKE2 once traffic between SPOKE1 and SPOKE2 has triggered the dynamic IPsec VPN tunnel:

FortiGate2-Branch-SH # execute ping-options source 192.168.1.99
FortiGate2-Branch-SH # execute ping 192.168.0.99
PING 192.168.0.99 (192.168.0.99): 56 data bytes
64 bytes from 192.168.0.99: icmp_seq=0 ttl=255 time=1.7 ms
64 bytes from 192.168.0.99: icmp_seq=1 ttl=255 time=1.4 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=255 time=1.1 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=255 time=1.2 ms
64 bytes from 192.168.0.99: icmp_seq=4 ttl=255 time=1.2 ms
--- 192.168.0.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.3/1.7 ms

FortiGate2-Branch-SH # execute ping 192.168.2.99            // Spoke-to-Spoke traffic triggers the shortcut: the first reply (ttl=254) still went via the Hub and two packets were lost during negotiation
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=254 time=3.0 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=255 time=1.2 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=255 time=1.2 ms
--- 192.168.2.99 ping statistics ---
5 packets transmitted, 3 packets received, 40% packet loss
round-trip min/avg/max = 1.2/1.8/3.0 ms

FortiGate2-Branch-SH # execute ping 192.168.2.99
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=255 time=1.3 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=255 time=1.4 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=255 time=1.3 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=255 time=1.5 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=255 time=0.9 ms
--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.9/1.2/1.5 ms

FortiGate2-Branch-SH #

HUB (BJ) state

HUB IPsec VPN establishment:

Monitor--->IPsec Monitor

Routes learned by the HUB:

Monitor--->Routing Monitor

FortiGate1-HQ-BJ #  get router info routing-table all
S*      0.0.0.0/0 [10/0] via 100.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.1/32 is directly connected, ADVPN
C       100.1.1.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port2
B       192.168.1.0/24 [200/0] via 10.10.10.2, ADVPN, 07:56:26
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:57:58

As can be seen, nothing has changed on the HUB side; the changes are on the SPOKE side.

SPOKE1 (SH) state

SPOKE1 IPsec VPN establishment (in addition to the IPsec tunnel with the HUB, an IPsec VPN tunnel has been built automatically between Spoke1 and Spoke2):

Monitor--->IPsec Monitor

Routes learned by SPOKE1:

Monitor--->Routing Monitor

FortiGate2-Branch-SH # get router info routing-table all
S*      0.0.0.0/0 [5/0] via 101.1.1.254, port1
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN
                      is directly connected, ADVPN_0
C       10.10.10.3/32 is directly connected, ADVPN_0
C       101.1.1.0/24 is directly connected, port1
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 08:12:21
C       192.168.1.0/24 is directly connected, port2
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN_0, 00:10:11
S       192.168.91.0/24 [10/0] is directly connected, port1

Note that both the IPsec VPN and the routes have changed! The next hop of the BGP route to SPOKE2's 192.168.2.0/24 is still 10.10.10.3, but now that a direct IPsec VPN tunnel has been built dynamically, 10.10.10.3 has become a directly connected route to SPOKE2. The more specific connected route (C 10.10.10.3/32 is directly connected, ADVPN_0) wins the longest-prefix match over the less specific connected route (C 10.10.10.0/24 is directly connected, ADVPN), so the next hop to SPOKE2 now recurses directly to ADVPN_0, i.e. the IPsec VPN tunnel built between SPOKE1 and SPOKE2. This is how direct forwarding between SPOKEs is achieved.
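To make the recursion just described concrete, here is an added Python example (not part of the original document): it parses the two routing tables of FortiGate2-Branch-SH shown in this section (abridged to the lines that matter, as constructed sample text) and resolves the egress interface of a destination by longest-prefix match, recursing through the BGP next-hop until a connected route is reached. The function and constant names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed samples: "get router info routing-table all" on FortiGate2-Branch-SH,
# abridged to the relevant lines, before and after the shortcut tunnel ADVPN_0 came up.
SPOKE1_BEFORE = """\
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN, 07:55:45
"""
SPOKE1_AFTER = """\
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN
                      is directly connected, ADVPN_0
C       10.10.10.3/32 is directly connected, ADVPN_0
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 08:12:21
B       192.168.2.0/24 [200/0] via 10.10.10.3, ADVPN_0, 00:10:11
"""

ROUTE_RE = re.compile(
    r"^(?:[A-Z]\*?)?\s+"                            # protocol code (S*, C, B); absent on continuation lines
    r"(?:(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+)?"   # destination prefix; absent on continuation lines
    r"(?:\[\d+/\d+\]\s+)?"                          # [distance/metric]; omitted for connected routes
    r"(?:via (?P<nexthop>\d+\.\d+\.\d+\.\d+)|is directly connected),\s+"
    r"(?P<intf>[^\s,]+)"                            # egress interface
)

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[ipaddress.IPv4Address]   # None for connected routes
    intf: str

def parse_routing_table(text: str) -> List[Route]:
    """Parse FortiOS routing-table output; a continuation line inherits the prefix above it."""
    routes: List[Route] = []
    prefix: Optional[ipaddress.IPv4Network] = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        if m.group("prefix"):
            prefix = ipaddress.ip_network(m.group("prefix"))
        if prefix is not None:
            nh = m.group("nexthop")
            routes.append(Route(prefix, ipaddress.ip_address(nh) if nh else None, m.group("intf")))
    return routes

def longest_match(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the /32 to a peer's tunnel IP beats the /24 of the hub tunnel."""
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def egress_interface(routes: List[Route], dest: str, max_depth: int = 8) -> str:
    """Resolve dest like the FIB: recurse through BGP next-hops until a connected route is hit."""
    addr = ipaddress.ip_address(dest)
    for _ in range(max_depth):
        route = longest_match(routes, addr)
        if route is None:
            raise LookupError(f"no route to {addr}")
        if route.nexthop is None:    # connected route: the recursion ends on its interface
            return route.intf
        addr = route.nexthop         # BGP route: resolve its next-hop in turn
    raise LookupError("next-hop recursion too deep")
```

Before the shortcut, 192.168.2.99 resolves through 10.10.10.0/24 to ADVPN (via the Hub); afterwards the /32 for 10.10.10.3 steers the same BGP route onto ADVPN_0.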

SPOKE2 (GZ) state

SPOKE2 IPsec VPN establishment (in addition to the IPsec tunnel with the HUB, an IPsec VPN tunnel has been built automatically between Spoke1 and Spoke2):

Monitor--->IPsec Monitor

Routes learned by SPOKE2:

Monitor--->Routing Monitor

FortiGate3-Branch-GZ # get router info routing-table all
S*      0.0.0.0/0 [5/0] via 102.1.1.254, ppp0
C       10.10.10.0/24 is directly connected, ADVPN
C       10.10.10.2/32 is directly connected, ADVPN_0
C       10.10.10.3/32 is directly connected, ADVPN
                      is directly connected, ADVPN_0
C       102.1.1.1/32 is directly connected, ppp0
C       102.1.1.254/32 is directly connected, ppp0
B       192.168.0.0/24 [200/0] via 10.10.10.1, ADVPN, 08:21:01
B       192.168.1.0/24 [200/0] via 10.10.10.2, ADVPN_0, 00:16:00
C       192.168.2.0/24 is directly connected, port2
S       192.168.91.0/24 [10/0] via 102.1.1.254, ppp0

The IPsec VPN and routing changes are the same as on SPOKE1. At this point data forwarding between HUB-SPOKE and SPOKE-SPOKE is in FULL-MESH mode, as shown in the figure below:

Business access test

Before ADVPN is triggered, traffic from Spoke1 to Spoke2 is actually forwarded to the HUB. The HUB recognizes the flow as one that can use ADVPN, ADVPN is triggered, and the HUB sends IKE messages telling Spoke1 to open an IPsec connection to Spoke2 so that a direct IPsec tunnel forms between them. From then on their business traffic goes straight over this dynamically negotiated tunnel and no longer passes through the HUB.

SPOKE1 (192.168.1.99) accessing the HUB (192.168.0.99):

FortiGate2-Branch-SH # execute ping-options source  192.168.1.99
FortiGate2-Branch-SH # execute ping 192.168.0.99
PING 192.168.0.99 (192.168.0.99): 56 data bytes
64 bytes from 192.168.0.99: icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from 192.168.0.99: icmp_seq=1 ttl=255 time=1.0 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=255 time=0.9 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=255 time=1.1 ms
64 bytes from 192.168.0.99: icmp_seq=4 ttl=255 time=1.0 ms
--- 192.168.0.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.9/1.0/1.2 ms
FortiGate2-Branch-SH # 

SPOKE1 (192.168.1.99) accessing SPOKE2 (192.168.2.99):

FortiGate2-Branch-SH # execute ping-options source  192.168.1.99
FortiGate2-Branch-SH # execute ping 192.168.2.99
PING 192.168.2.99 (192.168.2.99): 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=255 time=1.3 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=255 time=1.2 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=255 time=1.1 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=255 time=1.4 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=255 time=1.2 ms
--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.2/1.4 ms
FortiGate2-Branch-SH # 

FAQ:

1. Q: Why does the document not mention OSPF, the most commonly used routing protocol? Is OSPF not supported in ADVPN?

A: Correct, OSPF and IS-IS are not supported for now. BGP and RIPv2/RIPng are currently supported, as is PIM/Multicast.

Because an IPsec tunnel is point-to-point, the OSPF interface type is fixed to P2P and cannot be changed to broadcast, so the HUB side cannot use OSPF to form routing adjacencies with multiple points; this is why OSPF is not used.

2. Q: Can the HUB or SPOKE sit behind a NAT device? Is NAT-T supported?

A: Yes. Since FortiOS 5.4 (Build 1001) the HUB/SPOKE can sit behind NAT. It is recommended that the external NAT device use "one-to-one NAT" and avoid "destination NAT", because session persistence on the external NAT device can in some cases disrupt IPsec negotiation. A SPOKE behind NAT performs one additional NAT-T negotiation, and all forwarded business packets are encapsulated in UDP 4500. When ADVPN is triggered by traffic between a Spoke that is not behind NAT and a Spoke that is, the HUB sends an IKE message to the non-NAT Spoke telling it that the peer is behind NAT, and sends an IKE message to the Spoke behind NAT instructing it to initiate the IPsec VPN connection to the non-NAT Spoke. This reversal is done because ADVPN was originally designed without support for Spokes behind NAT.

Note: there are still some restrictions on ADVPN Spokes behind NAT; currently only one of the two SPOKEs may be behind NAT. If both SPOKEs are behind NAT, ADVPN is not supported: the two Spokes cannot be triggered to initiate an IPsec connection to each other, and their business traffic is relayed through the HUB instead. There is no restriction on whether the HUB sits behind a NAT device. FortiOS software is continuously updated, so please follow the OS release notes for any later changes to this functionality.

Useful VPN troubleshooting commands:

FortiGate2-Branch-SH # diagnose ip address list
IP=101.1.1.1->101.1.1.1/255.255.255.0 index=3 devname=port1
IP=192.168.1.99->192.168.1.99/255.255.255.0 index=4 devname=port2
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
IP=10.10.10.2->10.10.10.1/255.255.255.0 index=9 devname=ADVPN
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=10 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_fgfm
IP=10.10.10.2->10.10.10.3/255.255.255.255 index=25 devname=ADVPN_0

FortiGate2-Branch-SH # diagnose vpn ike gateway list

vd: root/0
name: ADVPN
version: 1
interface: port1 3
addr: 101.1.1.1:500 -> 100.1.1.1:500
virtual-interface-addr: 10.10.10.2 -> 10.10.10.1
created: 31562s ago
auto-discovery: 2 receiver
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 3 539d0069ad8cc52a/1e7a1db18c8b39dd
  direction: initiator
  status: established 31562-31562s ago = 10ms
  proposal: des-md5
  key: 18506b6ab0ab36da
  lifetime/rekey: 86400/54537
  DPD sent/recv: 00000933/00000000

vd: root/0
name: ADVPN_0
version: 1
interface: port1 3
addr: 101.1.1.1:500 -> 102.1.1.1:500
virtual-interface-addr: 10.10.10.2 -> 10.10.10.3
created: 2537s ago
auto-discovery: 2 receiver
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 4 8589cca736952cc9/ba045803d2875652
  direction: initiator
  status: established 2537-2537s ago = 10ms
  proposal: des-md5
  key: 56699c66ba96a4a7
  lifetime/rekey: 86400/83562
  DPD sent/recv: 00000000/00000000

FortiGate2-Branch-SH #
FortiGate2-Branch-SH # diagnose vpn tunnel  list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=e 101.1.1.1:0->102.1.1.1:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/208 options[00d0]=create_dev no-sysctl rgwy-chg
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=1182 ad=r/2
stat: rxp=15 txp=15 rxb=2040 txb=1260
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=1a227 type=00 soft=0 mtu=1446 expire=40352/0B replaywin=2048
       seqno=10 esn=0 replaywin_lastseq=00000010 itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=6712fbe0 esp=des key=8 05046515c1b046ed
       ah=md5 key=16 8a66e0e5466fd14b6813fc7d0c393e20
  enc: spi=61a16d81 esp=des key=8 468a2bb58eed9e7d
       ah=md5 key=16 1dfdf96eb6bbddb906a411bcfd6afcab
  dec:pkts/bytes=15/1260, enc:pkts/bytes=15/2040
------------------------------------------------------
name=ADVPN ver=1 serial=1 101.1.1.1:0->100.1.1.1:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/16 options[0010]=create_dev
proxyid_num=1 child_num=1 refcnt=17 ilast=12 olast=3 ad=r/2
stat: rxp=1220 txp=4381 rxb=141832 txb=277803
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2355
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=1a227 type=00 soft=0 mtu=1446 expire=11325/0B replaywin=2048
       seqno=111e esn=0 replaywin_lastseq=000004c5 itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=6712fbdf esp=des key=8 7af503e2d670efa1
       ah=md5 key=16 0d95e92e285b308deb866834ffb47176
  enc: spi=40321e82 esp=des key=8 b5d372a5d10b7868
       ah=md5 key=16 1d15852bd8c733469c15a2dfae5b117d
  dec:pkts/bytes=1220/75397, enc:pkts/bytes=4381/521272

FortiGate2-Branch-SH #  get vpn ipsec tunnel summary
'ADVPN_0' 102.1.1.1:0  selectors(total,up): 1/1  rx(pkt,err): 15/0  tx(pkt,err): 15/3
'ADVPN' 100.1.1.1:0  selectors(total,up): 1/1  rx(pkt,err): 1220/0  tx(pkt,err): 4382/0

FortiGate2-Branch-SH # diagnose vpn ike status detailed

vd: root/0
name: ADVPN
version: 1
used-index: 0
connection: 2/5
IKE SA: created 2/5  established 2/5  times 0/6/10 ms
IPsec SA: created 2/7  established 2/7  times 0/5/10 ms

FortiGate2-Branch-SH # 
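As an added example (not from the original document), the following Python parses the "diagnose vpn ike gateway list" output shown above (abridged, as constructed sample text) into one record per IKE gateway and reports what a defender would check on a Spoke: which gateway is the static hub tunnel and which is a Spoke-to-Spoke shortcut, and whether any gateway still uses a weak proposal such as the des-md5 used in this lab. The allow-list of acceptable proposals and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: "diagnose vpn ike gateway list" on FortiGate2-Branch-SH,
# abridged to the fields used below (one blank line separates gateways).
IKE_GATEWAY_LIST = """\
vd: root/0
name: ADVPN
version: 1
addr: 101.1.1.1:500 -> 100.1.1.1:500
virtual-interface-addr: 10.10.10.2 -> 10.10.10.1
auto-discovery: 2 receiver
  proposal: des-md5
  lifetime/rekey: 86400/54537

vd: root/0
name: ADVPN_0
version: 1
addr: 101.1.1.1:500 -> 102.1.1.1:500
virtual-interface-addr: 10.10.10.2 -> 10.10.10.3
auto-discovery: 2 receiver
  proposal: des-md5
  lifetime/rekey: 86400/83562
"""

# Example policy (an assumption of this example): proposals acceptable in production.
# DES and MD5, as used in the lab configuration above, are deprecated.
STRONG_PROPOSALS = {"aes128-sha256", "aes256-sha256", "aes128gcm-prfsha256", "aes256gcm-prfsha384"}


def parse_gateways(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per IKE gateway; 'key: value' lines become fields."""
    gateways: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(": ")
            if key:
                fields[key] = value.strip()
        if "name" in fields:
            gateways.append(fields)
    return gateways


def audit_gateways(gateways: List[Dict[str, str]], hub_public_ip: str) -> List[str]:
    """Classify each gateway by its remote address and flag proposals outside the allow-list."""
    findings: List[str] = []
    for gw in gateways:
        name = gw["name"]
        # "addr: <local>:<port> -> <remote>:<port>"; keep only the remote IP
        remote = gw.get("addr", "").split("->")[-1].strip().rsplit(":", 1)[0]
        role = "hub tunnel" if remote == hub_public_ip else "spoke-to-spoke shortcut"
        findings.append(f"{name}: {role} to {remote}, auto-discovery={gw.get('auto-discovery', '?')}")
        if gw.get("proposal") not in STRONG_PROPOSALS:
            findings.append(f"{name}: weak IKE proposal {gw.get('proposal')}")
    return findings
```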

Special note on ADVPN configuration (important):

The example above is based on FortiOS 5.6.3/6.0 and later. On FortiOS 5.4.x and 5.6.0/5.6.1/5.6.2 the configuration differs.

The reason is that newer versions (FortiOS 5.6.3/6.0 and later) changed the working logic of IPsec dial-up VPN: Technical Note: 'set net-device' new IPsec dialup logic

KB: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41498

This in turn changed some of the ADVPN configuration and working logic: Technical Note: Fortinet Auto Discovery VPN (ADVPN)

KB: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD39360&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=111496222&stateId=1%200%20111494505%27)

For an ADVPN configuration example on older versions (FortiOS 5.4), refer to the Chinese documentation:

wen.fortinet.com.cn link: 使用ADVPN(Auto Discovery VPN)建立Full-Mesh方式的Hub_and_Spoke (Building a Full-Mesh Hub-and-Spoke with ADVPN (Auto Discovery VPN))

support.fortinet.com.cn link: 使用ADVPN(Auto Discovery VPN)建立Full-Mesh方式的Hub_and_Spoke (Building a Full-Mesh Hub-and-Spoke with ADVPN (Auto Discovery VPN))