Auto Discovery VPN using Border Gateway Protocol on Fortigate
Background
Last updated date: 08-Aug-24.
This article was written on 06-Aug-24.
I have to replace an ancient Cisco ASA 5501 with a Fortigate (which is also ancient :) ), but at least I have a redundant device for that.
And for some sites, I have redundant WAN lines.
So how do you make a VPN connection with automatic failover?
Fortigate Auto Discovery (AD) VPN with Border Gateway Protocol (BGP) comes as one option.
(but actually I do not know of any other options :) )
Precautions
Always backup your config before making changes to your Fortigate.
Prerequisites
You need at least two Fortigate devices with multiple WAN links.
Configuration
The reference above is excellent for configuring ADVPN with BGP, but its diagram lacks some IP addresses, so here it is:
Also, what the reference does not tell you is that BGP will automatically create routes with an administrative distance of 200.
As I was migrating from a Cisco ASA, I already had some static routes (with a distance of less than 200), so no matter what I did, my static routes always took precedence over the BGP routes.
If you still want to keep your existing VPN connection, edit the existing static routes and give them a distance larger than 200. For example:
You still need your static route to the internet; its distance is set to 1 automatically.
Then wait for up to 2 minutes for BGP to create your routes, after which you can see them in the “routing monitor”.
This “routing monitor” is not shown in the main menu; instead, you open it from the BGP page.
Once you see these BGP routes, you can check them with the route lookup function.
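The following FortiOS CLI snippet is an added example, not the author's configuration: it moves a pre-existing static route for a remote LAN above the BGP distance of 200 so that the BGP-learned route becomes the active one, and then shows the CLI equivalent of the GUI route lookup. The route ID, the 192.168.50.0/24 prefix, the distance 210 and the interface name "old-site-vpn" are constructed placeholders.

```text
# Added example (not the author's config). Route ID, prefix, distance and the
# interface name are constructed placeholders; replace them with your own.
config router static
    edit 2
        set dst 192.168.50.0 255.255.255.0
        set device "old-site-vpn"
        # Any distance greater than 200 loses to the BGP-learned route, so the
        # static route stays in the config as a fallback but is not installed
        # while the BGP route is present.
        set distance 210
    next
end

# Leave the default route to the internet alone; it keeps its low distance.

# After BGP has converged, confirm which route is active for a host in the
# remote LAN (CLI counterpart of the GUI "route lookup"):
get router info routing-table details 192.168.50.10
```

The output of the last command should name the BGP route and the ADVPN tunnel interface; if it still shows the static route, the distance was not raised on that route or BGP has not yet learned the prefix.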
Spoke with only one WAN
If a VPN spoke has only one WAN connection (instead of multiple WAN links), you need to remove this line from the BGP neighbor configuration:
set link-down-failover enable
So for one WAN, the example BGP routing config becomes like below:
Please note that I am using “10.10.0.x” for my VPN network instead of the reference example's “10.0.0.x”.
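As an added example (not the author's config and not the Fortinet reference), here is a single-WAN spoke's BGP section without the link-down-failover line, followed by the command to remove the line from a spoke that was copied from a dual-WAN template, and the checks for the peering and the learned routes. AS 65000, the hub tunnel address 10.10.0.254, the spoke router ID 10.10.0.2, the spoke LAN 192.168.10.0/24 and the tunnel interface name "advpn-wan1" are constructed placeholders; the 10.10.0.x tunnel network follows the article.

```text
# Added example, not the author's config or the Fortinet reference.
# AS number, addresses, prefix and interface name are constructed placeholders.
config router bgp
    set as 65000
    set router-id 10.10.0.2
    config neighbor
        edit "10.10.0.254"
            set remote-as 65000
            set update-source "advpn-wan1"
            # A dual-WAN spoke would also carry
            #     set link-down-failover enable
            # here, so the session is dropped as soon as that WAN goes down
            # and traffic moves to the tunnel over the other WAN. With a
            # single WAN there is nothing to fail over to, so the line is
            # left out.
        next
    end
    # Advertise the spoke LAN; this is the prefix that appears as a BGP
    # route on the hub and the other spokes.
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0
        next
    end
end

# If the line is already present on a single-WAN spoke, remove it:
config router bgp
    config neighbor
        edit "10.10.0.254"
            unset link-down-failover
        next
    end
end

# Check the peering state and the routes BGP installed (allow up to two
# minutes after the change):
get router info bgp summary
get router info routing-table bgp
```

In the summary output the neighbor should show an Established state with a non-zero prefix count; the routing-table output lists the remote LANs learned over the tunnel.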
VPN Policies
Network traffic will flow between the VPN hub and the spokes, and between spokes.
So where should we define the policies?
I try to follow the “do it right the first time” idiom, so I define my VPN policies at the originating end and use “All” at the receiving end.
Of course you can also define your policies at the receiving end, but for me that adds complication during review/testing.
And if you have multiple WAN links, of course you do not want to create multiple similar policies, one for each VPN connection.
What I did was create a VPN policy for one of the VPNs and then edit it in the CLI.
This is because, at least in version 7.4.4, the GUI does not let you create policies with multiple source or destination interfaces.
As in the reference, edit the policy and add the other VPN interface, for example:
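The snippet below is an added example, not the author's policy set: an originating-end policy that covers both ADVPN tunnel interfaces at once, the `append` form for adding a second tunnel to a policy that was created in the GUI with one interface, and the matching receiving-end policy that uses "all" as the author describes. Policy IDs, the interface names "internal", "advpn-wan1" and "advpn-wan2", and the address objects "LAN-net" and "remote-LANs" are constructed placeholders.

```text
# Added example (not the author's policies). Policy IDs, interface names and
# address objects are constructed placeholders.

# Originating end: one policy for both tunnels, so a WAN failover does not
# need a second, identical policy.
config firewall policy
    edit 10
        set name "LAN-to-ADVPN"
        set srcintf "internal"
        set dstintf "advpn-wan1" "advpn-wan2"
        set srcaddr "LAN-net"
        set dstaddr "remote-LANs"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# If the policy was created in the GUI with a single tunnel interface, add the
# second one without retyping the list:
config firewall policy
    edit 10
        append dstintf "advpn-wan2"
    next
end

# Receiving end: accept what the originating end already filtered, on either
# tunnel.
config firewall policy
    edit 11
        set name "ADVPN-to-LAN"
        set srcintf "advpn-wan1" "advpn-wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The same multi-interface policy can be built in the GUI once "Multiple Interface Policies" is enabled under System > Feature Visibility; the CLI form works regardless of that setting. Logging all traffic on both policies makes it easy to confirm during testing which tunnel a session actually used after a failover.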
Alright, that is my two bits of experience configuring ADVPN with BGP on Fortigate. Happy networking!