
Network ID with ADVPN

Use case of Network-IDs with ADVPN shortcut tunnels

This article describes the use of Network-IDs to establish multiple ADVPN shortcut tunnels between the same pair of underlay IP addresses on spokes.

Requirements:

CLI only
IKEv2
Fortinet proprietary attribute (exchanged in IKE, so both peers must be FortiGates)

Without a network-id, no more than one overlay tunnel can be established between the same pair of underlay IP addresses:

FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B<----not possible

With a network-id, multiple overlay tunnels over the same pair of underlay IP addresses are possible:

FGT-A(192.0.2.1)----------Ipsec1-------(203.0.113.2)FGT-B
FGT-A(192.0.2.1)----------Ipsec2-------(203.0.113.2)FGT-B<---- possible

Use case of Network-IDs:

With ADVPN, Network-IDs can be used to establish multiple shortcut tunnels between branches that have only a single ISP each (and therefore a single underlay IP address each):

Branch1(port1:x.x.x.x)---Advpn1---(port1:y.y.y.y) Branch2
Branch1(port1:x.x.x.x)---Advpn2---(port1:y.y.y.y) Branch2

Example

1) Branch1 and Branch2 each have a single Internet access; the Hub has two Internet accesses (ISP-1 and ISP-2)
2) Two overlay tunnels are built between each Branch and the Hub: Advpn1 (terminating on the Hub's ISP-1) and Advpn2 (terminating on the Hub's ISP-2)

3) Initially, traffic from Branch1 to Branch2 passes through the Hub: Branch1 -----Advpn1----->HUB-------Advpn1----->Branch2
4) The Hub facilitates a shortcut tunnel negotiation between Branch1 and Branch2 over Advpn1
• A shortcut tunnel over Advpn1 is established between Branch1 and Branch2.
• Branch1(port1)====Shortcut_advpn1====(port1)Branch2, and traffic from Branch1 to Branch2 now traverses Shortcut_Advpn1

NOV Page 1
5) If ISP-1 on the Hub goes down

• The parent tunnel between Hub(ISP-1) and Branch1 goes down, and the same happens between Hub(ISP-1) and Branch2
• However, the shortcut tunnel Branch1(port1)====Shortcut_advpn1====(port1)Branch2 stays up, because the lifetime of an ADVPN shortcut is independent from the lifetime of its
original parent tunnel (the default behaviour, auto-discovery-shortcuts independent)
• The Branch1↔Hub and Branch2↔Hub BGP peerings over advpn1 go down

6) Routing between Branch1 and Branch2 converges over advpn2 via the Hub

• Traffic from Branch1 to Branch2 flows through the Hub, since there is no shortcut yet between Branch1 and Branch2 over advpn2

The Hub will try to facilitate a shortcut tunnel Branch1(port1)---Advpn2---(port1)Branch2 over advpn2. Tunnel will be get

If a Network-id is configured:

• The shortcut over advpn2 is established between Branch1 and Branch2
• The shortcuts for advpn2 and advpn1 are both established over the same underlay IP addresses Branch1/port1 ↔ Branch2/port1.
• These two “overlapping” shortcuts can be established simultaneously because a different network-id is configured for each overlay tunnel.
• After routing has converged, traffic flows through the advpn2 shortcut

Branch1(port1:x.x.x.x)---Shortcut_advpn1---(port1:y.y.y.y) Branch2
Branch1(port1:x.x.x.x)---Shortcut_advpn2---(port1:y.y.y.y) Branch2

If no Network-id is configured:

• The shortcut offer over advpn2 is ignored by Branch1 and Branch2, because a shortcut (advpn1) already exists over the same underlay IP addresses Branch1/port1 ↔
Branch2/port1

• Two “overlapping” shortcuts cannot be established simultaneously without configuring a different network-id for each overlay tunnel

• As long as the advpn1 shortcut is up, any traffic that Branch1 sends to Branch2 over Advpn2 goes via the Hub, since no shortcut between the two Branches can be established over
advpn2
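The FortiOS CLI configuration below is an added example, not part of the original article, showing the Hub and Branch1 phase1/phase2 settings for the topology of steps 1 to 6 with a distinct network-id per overlay. Interface names, the Hub addresses (ISP-1 203.0.113.1 on port1, ISP-2 198.51.100.1 on port2), the proposal and the pre-shared-key placeholder are assumptions; the BGP peering over the overlays is configured as usual and is not shown.

```fortios
# Added example (not from the original article). Addresses, interface
# names, proposal and the PSK placeholder are assumed.
#
# Hub: port1 = ISP-1 (203.0.113.1), port2 = ISP-2 (198.51.100.1). One dynamic
# phase1 per overlay; each overlay carries its own network-id.
config vpn ipsec phase1-interface
    edit "advpn1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret <pre-shared-key>
    next
    edit "advpn2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal aes256-sha256
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal aes256-sha256
    next
end

# Branch1 (single ISP on port1). Both overlays, and later both shortcuts to
# Branch2, share the underlay pair Branch1/port1 <-> Branch2/port1; the
# network-id is what lets the spokes keep them apart. Each network-id must
# match the Hub's value for that overlay. Branch2 is configured the same way.
# auto-discovery-shortcuts independent is the default and is what keeps the
# advpn1 shortcut up when its parent drops (step 5).
config vpn ipsec phase1-interface
    edit "advpn1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts independent
        set network-overlay enable
        set network-id 1
        set remote-gw 203.0.113.1
        set psksecret <pre-shared-key>
    next
    edit "advpn2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts independent
        set network-overlay enable
        set network-id 2
        set remote-gw 198.51.100.1
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "advpn1"
        set phase1name "advpn1"
        set proposal aes256-sha256
    next
    edit "advpn2"
        set phase1name "advpn2"
        set proposal aes256-sha256
    next
end
```

To check the result on a spoke, `diagnose vpn ike gateway list` lists the parent tunnels and the negotiated shortcuts with their peer addresses, and `diagnose vpn tunnel list` shows the corresponding IPsec SAs; after ISP-1 on the Hub fails you should see both the advpn1 and the advpn2 shortcut towards Branch2's port1 address at the same time, and `get router info bgp summary` should show the advpn2 peering with the Hub still established.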


Notes:

As IKEv1 does not support Network-IDs, the shortcut-tunnel dependency option (auto-discovery-shortcuts dependent) can be enabled instead, so that once the parent tunnel goes down it brings the shortcut tunnel down as
well. The advpn1 shortcut then no longer blocks the advpn2 shortcut offer after ISP-1 fails, at the cost of the shortcut not surviving a parent outage.
