
46 Advpn Theory

ADVPN (Auto Discovery VPN) is a Fortinet proprietary IPsec technology that enables dynamic, on-demand direct tunnels between spokes in a hub-and-spoke VPN topology, enhancing scalability and reducing provisioning efforts. It allows for full meshing capabilities while maintaining a point-to-multipoint view for the hub and point-to-point view for each spoke. ADVPN is incompatible with Cisco DMVPN and supports both IPv4 and IPv6 IPsec, along with various dynamic routing protocols.

Uploaded by

Williams
Copyright
© All Rights Reserved

ADVPN:

ADVPN (Auto Discovery VPN) is an IPsec technology that allows the spokes of a traditional
hub-and-spoke VPN to establish dynamic, on-demand, direct tunnels between each other, so that
spoke-to-spoke traffic avoids routing through the topology's hub device. The primary advantage
is that it provides full meshing capabilities to a standard hub-and-spoke topology. This greatly
reduces the provisioning effort for full, low-delay spoke-to-spoke reachability, and addresses
the scalability issues associated with very large fully meshed VPN networks.

ADVPN is a Fortinet proprietary solution based on IKE and IPsec that addresses the need for
direct spoke-to-spoke communication in hub-and-spoke topologies. It enables the spokes to
automatically negotiate on-demand IPsec tunnels, called shortcuts, between them without
you having to make topology changes or many configuration changes. After a shortcut is
established and routing has converged, spoke-to-spoke traffic no longer needs to flow through
the hub. ADVPN is incompatible with Cisco DMVPN, which relies on mGRE-over-IPsec and NHRP.
Both IPv4 IPsec and IPv6 IPsec are supported. BGP, OSPF, and RIPv2/RIPng are supported.

The most important thing to understand here is that the hub sees the network as
point-to-multipoint (the hub has one IPsec tunnel to each spoke) and each spoke sees the
network as point-to-point (the spoke has an IPsec tunnel only to the hub). To run dynamic
routing protocols over those IPsec tunnels, the hub and each spoke must have a way to tell
each other their respective tunnel IP addresses. FortiGate overcomes this limitation with a
proprietary address exchange mechanism during IPsec phase-1 negotiation
(set exchange-interface-ip enable).
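The settings described above, as an added FortiOS CLI example that is not part of the original document, showing the phase-1 and tunnel-interface side of one hub and one spoke. The tunnel names, interface "wan1", all IP addresses and the pre-shared-key placeholder are constructed for illustration; the auto-discovery-sender and auto-discovery-receiver options are the FortiOS phase-1 settings that let the hub offer shortcuts and the spoke accept them.

```fortios
# --- Hub: one dynamic (dial-up) phase-1 serves every spoke (point-to-multipoint) ---
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        # Hub tells spokes when a shortcut between them is possible
        set auto-discovery-sender enable
        # Advertise this tunnel interface's IP to the peer during phase-1
        set exchange-interface-ip enable
        set psksecret <pre-shared-key>
    next
end
config system interface
    edit "advpn-hub"
        # Constructed overlay addressing: hub is 10.255.0.1 in 10.255.0.0/24
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.254 255.255.255.0
    next
end

# --- Spoke: a single static phase-1 to the hub (point-to-point) ---
config vpn ipsec phase1-interface
    edit "advpn-spoke"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        # Constructed hub WAN address (documentation range)
        set remote-gw 198.51.100.1
        # Spoke accepts shortcut offers relayed by the hub
        set auto-discovery-receiver enable
        set exchange-interface-ip enable
        set psksecret <pre-shared-key>
    next
end
config system interface
    edit "advpn-spoke"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.0
    next
end
```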

Created by Ahmad Ali, E-Mail: [email protected], WhatsApp: 00966564303717
