48 Advpn Lab

The document outlines the configuration steps for an ADVPN setup involving a hub and two spokes, detailing the necessary settings for firewalls at each location. It includes configurations for VPN phases, tunnel interfaces, BGP settings, and firewall policies to enable communication between the hub and spokes. Key parameters such as IP addresses, IKE version, pre-shared keys, and routing policies are specified for successful implementation.

Uploaded by

mohamed slama

ADVPN CLI Lab:

HUB Firewall: HQ-FW
Spoke-1 Firewall: DC-FW
Spoke-2 Firewall: BR-FW
HUB Tunnel Interface IP Address: [Link]
Spoke-1 Tunnel Interface IP Address: [Link]
Spoke-2 Tunnel Interface IP Address: [Link]
HUB Public IP Address: [Link]
IKE Version: Version 2
Pre-Shared Key: test123
Phase 1 and Phase 2 Name: advpn
VPN Proposal: DES and MD5
VPN Tunnel Interface Name: advpn
BGP AS: 65000
BGP Flavor: IBGP
Topology: HUB and Spoke
Spoke Communication: Spoke to Spoke Shortcut

Hub:
Replace "set exchange-interface-ip enable" with "set auto-discovery-sender enable".
Spokes:
Replace "set exchange-interface-ip enable" with "set auto-discovery-receiver enable".

Page 1 | Created by Ahmad Ali, E-Mail: ahmadalimsc@[Link], WhatsApp: 00966564303717


HUB HQ-FW Default Route
HQ-FW # config router static
HQ-FW (static) # edit 1
HQ-FW (1) # set gateway [Link]
HQ-FW (1) # set device port1
HQ-FW (1) # next
HQ-FW (static) # end

Hub HQ-FW Phase 1 Configuration


HQ-FW # config vpn ipsec phase1-interface
HQ-FW (phase1-interface) # edit advpn
HQ-FW (advpn) # set ike-version 2
HQ-FW (advpn) # set proposal des-md5
HQ-FW (advpn) # set dhgrp 5
HQ-FW (advpn) # set authmethod psk
HQ-FW (advpn) # set psksecret test123
HQ-FW (advpn) # set nattraversal disable
HQ-FW (advpn) # set keylife 86400
HQ-FW (advpn) # set dpd on-demand
HQ-FW (advpn) # set dpd-retrycount 3
HQ-FW (advpn) # set dpd-retryinterval 20
HQ-FW (advpn) # set interface port1
HQ-FW (advpn) # set type dynamic
HQ-FW (advpn) # set peertype any
HQ-FW (advpn) # set net-device disable
HQ-FW (advpn) # set add-route disable
HQ-FW (advpn) # set exchange-interface-ip disable
HQ-FW (advpn) # set auto-discovery-sender enable
HQ-FW (advpn) # next
HQ-FW (phase1-interface) # end

Hub HQ-FW Phase 2 Configuration


HQ-FW # config vpn ipsec phase2-interface
HQ-FW (phase2-interface) # edit advpn
HQ-FW (advpn) # set encapsulation tunnel-mode
HQ-FW (advpn) # set proposal des-md5
HQ-FW (advpn) # set pfs disable
HQ-FW (advpn) # set keylife-type seconds
HQ-FW (advpn) # set keylifeseconds 43200
HQ-FW (advpn) # set keepalive disable
HQ-FW (advpn) # set phase1name advpn
HQ-FW (advpn) # next
HQ-FW (phase2-interface) # end



Hub HQ-FW Tunnel Interface Configuration
HQ-FW # config system interface
HQ-FW (interface) # edit advpn
HQ-FW (advpn) # set ip [Link]/32
HQ-FW (advpn) # set remote-ip [Link]/24
HQ-FW (advpn) # set allowaccess ping
HQ-FW (advpn) # set type tunnel
HQ-FW (advpn) # set interface port1
HQ-FW (advpn) # next
HQ-FW (interface) # end

Hub HQ-FW BGP Configuration


HQ-FW # config router bgp
HQ-FW (bgp) # set as 65000
HQ-FW (bgp) # set router-id [Link]
HQ-FW (bgp) # set ibgp-multipath enable
HQ-FW (bgp) # config neighbor-group
HQ-FW (neighbor-group) # edit advpn-peers
HQ-FW (advpn-peers) # set remote-as 65000
HQ-FW (advpn-peers) # set interface advpn
HQ-FW (advpn-peers) # set update-source advpn
HQ-FW (advpn-peers) # set route-reflector-client enable
HQ-FW (advpn-peers) # next
HQ-FW (neighbor-group) # end

HQ-FW (bgp) # config neighbor-range


HQ-FW (neighbor-range) # edit 1
HQ-FW (1) # set prefix [Link] [Link]
HQ-FW (1) # set neighbor-group advpn-peers
HQ-FW (1) # next
HQ-FW (neighbor-range) # end

HQ-FW (bgp) # config network


HQ-FW (network) # edit 1
HQ-FW (1) # set prefix [Link] [Link]
HQ-FW (1) # next
HQ-FW (network) # end
HQ-FW (bgp) # end



Hub HQ-FW LAN to VPN Policy
HQ-FW # config firewall policy
HQ-FW (policy) # edit 1
HQ-FW (1) # set name LAN-to-VPN
HQ-FW (1) # set srcintf port3
HQ-FW (1) # set dstintf advpn
HQ-FW (1) # set action accept
HQ-FW (1) # set srcaddr all
HQ-FW (1) # set dstaddr all
HQ-FW (1) # set schedule always
HQ-FW (1) # set service ALL
HQ-FW (1) # set logtraffic all
HQ-FW (1) # set status enable
HQ-FW (1) # end

Hub HQ-FW VPN to LAN Policy


HQ-FW # config firewall policy
HQ-FW (policy) # edit 2
HQ-FW (2) # set name VPN-to-LAN
HQ-FW (2) # set srcintf advpn
HQ-FW (2) # set dstintf port3
HQ-FW (2) # set action accept
HQ-FW (2) # set srcaddr all
HQ-FW (2) # set dstaddr all
HQ-FW (2) # set schedule always
HQ-FW (2) # set service ALL
HQ-FW (2) # set logtraffic all
HQ-FW (2) # set status enable
HQ-FW (2) # end

Hub HQ-FW Spoke to Spoke Policy


HQ-FW # config firewall policy
HQ-FW (policy) # edit 4
HQ-FW (4) # set name VPN-to-VPN
HQ-FW (4) # set srcintf advpn
HQ-FW (4) # set dstintf advpn
HQ-FW (4) # set action accept
HQ-FW (4) # set srcaddr all
HQ-FW (4) # set dstaddr all
HQ-FW (4) # set schedule always
HQ-FW (4) # set service ALL
HQ-FW (4) # set logtraffic all
HQ-FW (4) # set status enable
HQ-FW (4) # end



Spoke-1 DC-FW Default Route
DC-FW # config router static
DC-FW (static) # edit 1
DC-FW (1) # set gateway [Link]
DC-FW (1) # set device port1
DC-FW (1) # next
DC-FW (static) # end

Spoke-1 DC-FW Phase 1 Configuration


DC-FW # config vpn ipsec phase1-interface
DC-FW (phase1-interface) # edit advpn
DC-FW (advpn) # set ike-version 2
DC-FW (advpn) # set proposal des-md5
DC-FW (advpn) # set dhgrp 5
DC-FW (advpn) # set authmethod psk
DC-FW (advpn) # set psksecret test123
DC-FW (advpn) # set nattraversal disable
DC-FW (advpn) # set keylife 86400
DC-FW (advpn) # set dpd on-idle
DC-FW (advpn) # set dpd-retrycount 3
DC-FW (advpn) # set dpd-retryinterval 20
DC-FW (advpn) # set interface port1
DC-FW (advpn) # set type static
DC-FW (advpn) # set peertype any
DC-FW (advpn) # set remote-gw [Link]
DC-FW (advpn) # set net-device enable
DC-FW (advpn) # set add-route disable
DC-FW (advpn) # set exchange-interface-ip disable
DC-FW (advpn) # set auto-discovery-receiver enable
DC-FW (advpn) # next
DC-FW (phase1-interface) # end

Spoke-1 DC-FW Phase 2 Configuration


DC-FW # config vpn ipsec phase2-interface
DC-FW (phase2-interface) # edit advpn
DC-FW (advpn) # set encapsulation tunnel-mode
DC-FW (advpn) # set proposal des-md5
DC-FW (advpn) # set pfs disable
DC-FW (advpn) # set keylife-type seconds
DC-FW (advpn) # set keylifeseconds 43200
DC-FW (advpn) # set phase1name advpn
DC-FW (advpn) # set auto-negotiate enable
DC-FW (advpn) # next
DC-FW (phase2-interface) # end



Spoke-1 DC-FW Tunnel Interface Configuration
DC-FW # config system interface
DC-FW (interface) # edit advpn
DC-FW (advpn) # set ip [Link]/32
DC-FW (advpn) # set remote-ip [Link]/24
DC-FW (advpn) # set allowaccess ping
DC-FW (advpn) # set type tunnel
DC-FW (advpn) # set interface port1
DC-FW (advpn) # next
DC-FW (interface) # end

Spoke-1 DC-FW BGP Configuration


DC-FW # config router bgp
DC-FW (bgp) # set as 65000
DC-FW (bgp) # set router-id [Link]
DC-FW (bgp) # set ibgp-multipath enable
DC-FW (bgp) # config neighbor
DC-FW (neighbor) # edit [Link]
DC-FW ([Link]) # set remote-as 65000
DC-FW ([Link]) # set interface advpn
DC-FW ([Link]) # set update-source advpn
DC-FW ([Link]) # next
DC-FW (neighbor) # end
DC-FW (bgp) # config network
DC-FW (network) # edit 1
DC-FW (1) # set prefix [Link] [Link]
DC-FW (1) # next
DC-FW (network) # end
DC-FW (bgp) # end



Spoke-1 DC-FW LAN to VPN Policy
DC-FW # config firewall policy
DC-FW (policy) # edit 2
DC-FW (2) # set name LAN-to-VPN
DC-FW (2) # set srcintf port3
DC-FW (2) # set dstintf advpn
DC-FW (2) # set action accept
DC-FW (2) # set srcaddr all
DC-FW (2) # set dstaddr all
DC-FW (2) # set schedule always
DC-FW (2) # set service ALL
DC-FW (2) # set logtraffic all
DC-FW (2) # set status enable
DC-FW (2) # end

Spoke-1 DC-FW VPN to LAN Policy


DC-FW # config firewall policy
DC-FW (policy) # edit 3
DC-FW (3) # set name VPN-to-LAN
DC-FW (3) # set srcintf advpn
DC-FW (3) # set dstintf port3
DC-FW (3) # set action accept
DC-FW (3) # set srcaddr all
DC-FW (3) # set dstaddr all
DC-FW (3) # set schedule always
DC-FW (3) # set service ALL
DC-FW (3) # set logtraffic all
DC-FW (3) # set status enable
DC-FW (3) # end



Spoke-2 BR-FW Default Route
BR-FW # config router static
BR-FW (static) # edit 1
BR-FW (1) # set gateway [Link]
BR-FW (1) # set device port1
BR-FW (1) # next
BR-FW (static) # end

Spoke-2 BR-FW Phase 1 Configuration


BR-FW # config vpn ipsec phase1-interface
BR-FW (phase1-interface) # edit advpn
BR-FW (advpn) # set ike-version 2
BR-FW (advpn) # set proposal des-md5
BR-FW (advpn) # set dhgrp 5
BR-FW (advpn) # set authmethod psk
BR-FW (advpn) # set psksecret test123
BR-FW (advpn) # set nattraversal disable
BR-FW (advpn) # set keylife 86400
BR-FW (advpn) # set dpd on-idle
BR-FW (advpn) # set dpd-retrycount 3
BR-FW (advpn) # set dpd-retryinterval 20
BR-FW (advpn) # set interface port1
BR-FW (advpn) # set type static
BR-FW (advpn) # set peertype any
BR-FW (advpn) # set remote-gw [Link]
BR-FW (advpn) # set net-device enable
BR-FW (advpn) # set exchange-interface-ip disable
BR-FW (advpn) # set auto-discovery-receiver enable
BR-FW (advpn) # next
BR-FW (phase1-interface) # end

Spoke-2 BR-FW Phase 2 Configuration


BR-FW # config vpn ipsec phase2-interface
BR-FW (phase2-interface) # edit advpn
BR-FW (advpn) # set encapsulation tunnel-mode
BR-FW (advpn) # set proposal des-md5
BR-FW (advpn) # set pfs disable
BR-FW (advpn) # set keylife-type seconds
BR-FW (advpn) # set keylifeseconds 43200
BR-FW (advpn) # set phase1name advpn
BR-FW (advpn) # set auto-negotiate enable
BR-FW (advpn) # next
BR-FW (phase2-interface) # end



Spoke-2 BR-FW Tunnel Interface Configuration
BR-FW # config system interface
BR-FW (interface) # edit advpn
BR-FW (advpn) # set ip [Link]/32
BR-FW (advpn) # set remote-ip [Link]/24
BR-FW (advpn) # set allowaccess ping
BR-FW (advpn) # set type tunnel
BR-FW (advpn) # set interface port1
BR-FW (advpn) # next
BR-FW (interface) # end

Spoke-2 BR-FW BGP Configuration


BR-FW # config router bgp
BR-FW (bgp) # set as 65000
BR-FW (bgp) # set router-id [Link]
BR-FW (bgp) # set ibgp-multipath enable
BR-FW (bgp) # config neighbor
BR-FW (neighbor) # edit [Link]
BR-FW ([Link]) # set remote-as 65000
BR-FW ([Link]) # set interface advpn
BR-FW ([Link]) # set update-source advpn
BR-FW ([Link]) # next
BR-FW (neighbor) # end
BR-FW (bgp) # config network
BR-FW (network) # edit 1
BR-FW (1) # set prefix [Link] [Link]
BR-FW (1) # next
BR-FW (network) # end
BR-FW (bgp) # end



Spoke-2 BR-FW LAN to VPN Policy
BR-FW # config firewall policy
BR-FW (policy) # edit 2
BR-FW (2) # set name LAN-to-VPN
BR-FW (2) # set srcintf port2
BR-FW (2) # set dstintf advpn
BR-FW (2) # set action accept
BR-FW (2) # set srcaddr all
BR-FW (2) # set dstaddr all
BR-FW (2) # set schedule always
BR-FW (2) # set service ALL
BR-FW (2) # set logtraffic all
BR-FW (2) # set status enable
BR-FW (2) # end

Spoke-2 BR-FW VPN to LAN Policy


BR-FW # config firewall policy
BR-FW (policy) # edit 3
BR-FW (3) # set name VPN-to-LAN
BR-FW (3) # set srcintf advpn
BR-FW (3) # set dstintf port2
BR-FW (3) # set action accept
BR-FW (3) # set srcaddr all
BR-FW (3) # set dstaddr all
BR-FW (3) # set schedule always
BR-FW (3) # set service ALL
BR-FW (3) # set logtraffic all
BR-FW (3) # set status enable
BR-FW (3) # end



Test and Verification:
Let's traceroute from Spoke-2 BR-PC1 to Spoke-1 DC-PC1. The first time, the packets go through the HUB HQ-FW [Link]; after the shortcut is established, traffic flows directly spoke to spoke.



Verification Commands
HQ-FW# diagnose vpn tunnel list
DC-FW# diagnose vpn tunnel list
BR-FW# diagnose vpn tunnel list
HQ-FW# get router info routing-table bgp
HQ-FW# diagnose ip address list | grep advpn
BR-FW# diagnose ip address list | grep advpn
DC-FW# diagnose ip address list | grep advpn
BR-FW# diagnose vpn ike gateway list
BR-FW# get router info bgp summary
BR-FW# get router info bgp network
DC-FW# get router info bgp network
HQ-FW# get router info bgp network
DC-FW# diagnose vpn tunnel flush advpn_0
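As an added check that is not part of the lab, the script below parses the phase1-interface "set" lines from the three firewalls into per-device settings and verifies the ADVPN role split used above (auto-discovery-sender on the hub, auto-discovery-receiver on the spokes), that ike-version and proposal match the hub, and that no deprecated algorithms are in the proposal. The transcript it reads is constructed from the lab's blocks, with BR-FW deliberately left on the exchange-interface-ip setting the lab says to replace.

```python
# Added example, not the lab's own code: parse the phase1-interface 'set' lines
# into per-device settings and check that hub and spoke ADVPN roles agree.
import re

# Constructed transcript abridged from the lab's blocks; BR-FW deliberately keeps
# the exchange-interface-ip setting the lab says to replace.
TRANSCRIPT = """
HQ-FW (advpn) # set ike-version 2
HQ-FW (advpn) # set proposal des-md5
HQ-FW (advpn) # set type dynamic
HQ-FW (advpn) # set auto-discovery-sender enable
DC-FW (advpn) # set ike-version 2
DC-FW (advpn) # set proposal des-md5
DC-FW (advpn) # set type static
DC-FW (advpn) # set auto-discovery-receiver enable
BR-FW (advpn) # set ike-version 2
BR-FW (advpn) # set proposal des-md5
BR-FW (advpn) # set type static
BR-FW (advpn) # set exchange-interface-ip enable
"""

SET_LINE = re.compile(r"^(\S+) \(advpn\) # set (\S+) (.+)$")
WEAK = {"des", "3des", "md5", "sha1"}  # still accepted by FortiOS, but deprecated

def parse(transcript):
    """Return {device: {key: value}} for 'set' lines inside the advpn block."""
    cfg = {}
    for line in transcript.strip().splitlines():
        m = SET_LINE.match(line.strip())
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def check(cfg, hub):
    """Return (device, message) findings; an empty list means roles and crypto agree."""
    out, h = [], cfg[hub]
    if (h.get("auto-discovery-sender"), h.get("type")) != ("enable", "dynamic"):
        out.append((hub, "hub needs auto-discovery-sender enable and type dynamic"))
    for dev, s in cfg.items():
        if dev != hub:
            if s.get("auto-discovery-receiver") != "enable":
                out.append((dev, "spoke needs auto-discovery-receiver enable"))
            for key in ("ike-version", "proposal"):
                if s.get(key) != h.get(key):
                    out.append((dev, f"{key} differs from hub"))
        if set(s.get("proposal", "").split("-")) & WEAK:
            out.append((dev, f"proposal {s['proposal']} uses deprecated algorithms"))
    return out
```

With the lab values, the des-md5 proposal on all three firewalls is reported as deprecated; a production build would use AES with SHA-256 and a DH group stronger than group 5.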
