FortiGate ADVPN (Auto Discovery VPN) configuration in GNS3

Auto Discovery Virtual Private Network

ADVPN is an IKE and IPsec-based solution that enables direct connectivity between all sites by creating on-demand tunnels between spokes. It offers the benefits of a full-mesh topology while ensuring scalability with minimal configuration. With ADVPN, spoke-to-spoke traffic no longer has to pass through the hub. 

In this blog, we’ll guide you step by step to configure ADVPN on FortiGate firewalls within the GNS3 simulator. By the end, you’ll not only understand the process but also gain hands-on experience in setting up a dynamic, automated VPN.

I am using the following topology to explore and understand the concept and configuration. Refer to the diagram and accompanying details below to get familiar with the setup.

To set up the environment, I configured Port1 on all three FortiGate devices (1 Hub and 2 Spokes) as the DHCP-enabled interface connected to the internet via NAT0. For management purposes, I utilized Port2 with DHCP enabled to simplify connectivity and control.

On the LAN side, I created a Loopback interface for each device and assigned a unique IP address for the internal network. The detailed IP schema is as follows:

Hub Configuration:

  • WAN IP Address: 192.168.122.115
  • Tunnel IP: 172.16.1.1
  • LAN (Loopback0): 10.10.10.10

Spoke-1 Configuration:

  • WAN IP Address: 192.168.122.12
  • Tunnel IP: 172.16.1.2
  • LAN (Loopback0): 20.20.20.20

Spoke-2 Configuration:

  • WAN IP Address: 192.168.122.7
  • Tunnel IP: 172.16.1.3
  • LAN (Loopback0): 30.30.30.30

Let’s dive into the configuration! To make it easier to follow, I’ve broken the configuration steps into four key parts:

  1. VPN Configuration
  2. IP Address Configuration on the VPN Tunnel Interface
  3. Policy Configuration
  4. BGP Configuration

Step by Step Process – Let’s verify the WAN connectivity between SPOKE-1 and the HUB, as well as between SPOKE-1 and SPOKE-2, in both directions.

Great! With WAN reachability confirmed, let’s begin the VPN configuration. We’ll start at the HUB end, as it serves as the central device in this topology. Next, the SPOKE devices will establish the VPN connection with the HUB site.

1.1 Navigate to the VPN section and click on IPSec VPN. Currently, there are no existing policies. To create a new VPN, click on Create New and select the IPSec Tunnel.

1.2 Select Template Type as Custom, give your VPN a name, and click Next. Alternatively, you can also create the VPN using the Hub-and-Spoke Template.

1.3 In the Network section, configure the settings as shown in the screenshot below. Keep the following points in mind:

  • Set Remote Gateway to Dialup User.
  • Choose the WAN interface for the Interface.
  • In the Advanced section, ensure that Auto Discovery Sender is enabled.

1.4 In the Authentication section, assign a password and make sure to note it, as the same password will be used for the Spoke sites. Select IKE Version 2 and configure the Phase 1 IPSec Proposal and Phase 2 Parameters as shown in the screenshot below. Ensure that all parameters match the Spoke site configuration, so be sure to remember them.

Click the OK button once all selections are made according to the requirements.

With the first configuration part complete, let’s move on to the second part: configuring the IP address on the tunnel interface.

2. After creating the VPN, the tunnel interface is automatically generated under Physical Port1, but it will have a default IP address.

Double-click on the tunnel interface, assign the IP address based on the IP address schema mentioned earlier, and click the OK button.

Enable PING under Administrative Access and click the OK button.

3. Now it’s time to create the firewall policies. We’ll set up three policies for this configuration:

  3.1 Tunnel (Overlay) to LAN (Loopback interface)
  3.2 LAN to Tunnel (Overlay)
  3.3 Spoke-to-Spoke Policy (Overlay Tunnel to Overlay Tunnel)

Overlay (Spoke) Tunnel to LAN Policy –

LAN to Overlay (Spoke) Tunnel Policy –

Spoke To Spoke Policy – 

4. With the policy configuration complete, the next step is to establish the BGP session with the Spokes.

On the Hub side, we’ll create a BGP neighborship group to simplify the setup. By adding the BGP neighbor IPs and their corresponding remote AS numbers to this group, we avoid the need to configure each Spoke individually.

The BGP sessions will be established using the tunnel IPs, which will become reachable once the Spoke configuration is complete.

Steps:

  1. Navigate to the Network section in the left pane and click on BGP. Assign the Local AS Number as 65511 and set a Router ID (I’ve configured it as 1.1.1.1).
  2. Next, click on Neighbor Group, create a group, and assign the Neighbor AS Number. Since we’re setting up iBGP, the local and remote AS numbers will be the same.

4.3 Next, click on Neighbor Ranges and select Create New. In the new window, add the BGP neighbor IP range. In this setup, we are establishing BGP neighborship using the tunnel IPs.

After that, double-click the Neighbor Ranges group that was just created and enable the route reflector and other parameters as shown in the screenshot below –

4.4 In the Networks tab, add the prefixes to be advertised through the BGP protocol. Here, we will advertise the LAN (Loopback) network. Once done, click the Apply button to save the configuration.

The configuration on the Hub side is now complete.

==============================================================

Spoke-1 Configuration  – 

We will now proceed to complete the Spoke configuration by following the same steps as outlined earlier.

Let’s verify WAN reachability using the WAN IPs. The ping test confirms successful connectivity!

1. VPN Configuration – 

Ensure the IP address is set to the WAN IP of the Hub site. Additionally, don’t forget to enable Auto-Discovery Receiver and Device Creation.

Phase-1 Proposal- 

Phase2 Parameters – Remember to enable the Auto Negotiate option. Once all the settings are configured as shown in the snapshot below, click the OK button to apply them.
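
The requirement from step 1.4 that hub and spoke parameters match, together with the Auto Discovery Sender and Receiver roles, can be checked mechanically before the tunnel is brought up. The following is an added example, not part of the original post: it parses constructed FortiOS-style CLI excerpts and lists the mismatches between the hub and spoke phase 1 settings. The tunnel name, proposal and DH group are assumed values, since the post sets them in the GUI.

```python
import re

# Constructed FortiOS-style CLI excerpts (not taken from the post). Tunnel name,
# proposal and DH group are assumed values; remote-gw is the hub WAN IP from the post.
HUB = """
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set auto-discovery-sender enable
    next
end
"""
SPOKE = """
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type static
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 192.168.122.115
        set auto-discovery-receiver enable
    next
end
"""

def phase1_settings(cli_text):
    """Return {key: value} for every 'set key value' line in the excerpt."""
    return dict(re.findall(r"^\s*set\s+(\S+)\s+(.+?)\s*$", cli_text, re.M))

def audit(hub_cli, spoke_cli, hub_wan_ip):
    """List the mismatches that would stop the spoke joining the ADVPN hub."""
    hub, spoke = phase1_settings(hub_cli), phase1_settings(spoke_cli)
    problems = []
    for key in ("ike-version", "proposal", "dhgrp"):  # must be identical on both ends
        if hub.get(key) != spoke.get(key):
            problems.append(f"{key}: hub={hub.get(key)} spoke={spoke.get(key)}")
    if hub.get("type") != "dynamic":
        problems.append("hub phase1 is not a dial-up (dynamic) gateway")
    if hub.get("auto-discovery-sender") != "enable":
        problems.append("hub does not send ADVPN shortcut offers")
    if spoke.get("auto-discovery-receiver") != "enable":
        problems.append("spoke does not accept ADVPN shortcut offers")
    if spoke.get("remote-gw") != hub_wan_ip:
        problems.append(f"spoke remote-gw {spoke.get('remote-gw')} is not the hub WAN IP")
    return problems

if __name__ == "__main__":
    print(audit(HUB, SPOKE, "192.168.122.115") or "hub and spoke phase1 settings agree")
```

An empty list means the two ends agree; each entry otherwise names one setting to correct before retrying the tunnel.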

2. The tunnel interface is automatically created after configuring the VPN.

Double-click on it to assign the IP address.

3. Let’s configure the policy for LAN to Hub (Overlay) and Hub to LAN traffic.

LAN to HUB(Overlay) – 

Overlay to LAN Policy – 

After creating the policy, the VPN tunnel status shows as UP.

4. Let’s configure BGP now –

Advertise the local network in BGP and click the Apply button to save the changes.

Wow, that’s great! The Spoke-1 configuration is now complete.

Next, let’s verify the reachability between the Spoke-1 tunnel and the Hub tunnel, as well as the BGP status.

HUB to SPOKE-1 reachability and BGP status – 

SPOKE-1 to HUB Reachability and BGP status – 

==============================================================

Now, let’s configure SPOKE-2 following the same steps as SPOKE-1. The only difference will be the change in the IP address.

Here are some snapshots from the SPOKE-2 configuration:
1. VPN Configuration – 

2. IP address configuration on Tunnel Interface – 

3. Policy Configuration – 

As you can see, the tunnel is now showing as UP.

That’s great! You’re now able to reach the HUB tunnel IP from SPOKE-2.

4. Let’s configure BGP –

That’s excellent! The BGP neighborship has successfully come up as well.

Now that the SPOKE-2 configuration is complete, let’s verify if SPOKE-1 is reachable from SPOKE-2.

Exactly! The dynamic tunnel between SPOKE-1 and SPOKE-2 is established, and now both LAN networks are reachable from each other. Great job!

Let’s check the status from the SPOKE-1 site to confirm the tunnel and connectivity.

That’s fantastic! From the SPOKE-1 site, you can successfully ping the SPOKE-2 LAN, confirming that the setup is working as expected.

At the HUB end, the VPN section shows that two dial-up VPNs are UP, indicating that both SPOKE-1 and SPOKE-2 are successfully connected.

In conclusion, we have successfully configured and verified the connectivity between SPOKE-1, SPOKE-2, and the HUB using dynamic VPN tunnels. The BGP neighborships are stable, and both LAN networks are reachable, demonstrating the effectiveness of the configuration.

Thank You !!!
