This topic provides an example of how to use SD-WAN with ADVPN.
ADVPN (Auto Discovery VPN) is an IPsec technology that enables the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand, direct tunnels between each other, so that spoke-to-spoke traffic avoids routing through the topology's hub device. Its main advantage is that it provides full-mesh capabilities to a standard hub-and-spoke topology. This significantly reduces the configuration effort needed to achieve full spoke-to-spoke reachability with low latency, and resolves the scalability issues associated with very large fully meshed VPN networks.
If customers have two or more Internet connections in their headquarters and branch offices, they can build a dual-hub ADVPN network. Combined with SD-WAN technology, customers can distribute traffic to other offices through multiple dynamic tunnels, use specific connections to manage specific traffic, or dynamically select a connection with better performance.
SD-WAN load balancing mode rules (or services) do not support ADVPN members. Rules in other modes, such as SLA and priority, do support ADVPN members.
This topic is divided into three parts:
- Configure a dual-hub ADVPN with multiple spokes.
- Configure BGP to exchange routing information between the hub and spokes.
- Configure SD-WAN on the spoke to perform load balancing and control traffic.
Configuration example
A typical ADVPN configuration with SD-WAN has two hubs; each spoke connects to two ISPs and establishes VPN tunnels to both hubs.
This example shows a hub-and-spoke configuration with two hubs and one spoke:
- Both Hub1 and Hub2 use wan1 to connect to the ISP and port10 to connect to the internal network.
- Spoke1 connects to ISP1 using wan1 and to ISP2 using wan2.
- wan1 sets up a VPN to hub1.
- wan2 sets up a VPN to hub2.
SD-WAN is configured on the spoke. It uses the two VPN interfaces as members and two rules to control traffic to headquarters or other spokes through the ADVPN VPN interfaces. You can create more rules if needed.
For this example:
- Finance department traffic uses SD-WAN member 1 (via ISP1) and its dynamic shortcuts if member 1 meets the SLA requirements. If the SLA is not met, it uses SD-WAN member 2 (via ISP2).
- Technical department traffic uses SD-WAN member 2 (via ISP2) and its dynamic shortcuts.
- Other traffic to the hubs and other spokes is load balanced between these two members.
- All other traffic follows its original ISP connection and does not pass through SD-WAN.
- Configure the basic network settings so that all hubs and spokes can connect to their ISPs and the Internet.
| Setting | Value |
| --- | --- |
| Hub internal network | 172.16.101.0/24 |
| Spoke1 internal network | 10.1.100.0/24 |
| ADVPN 1 network | 10.10.100.0/24 |
| ADVPN 2 network | 10.10.200.0/24 |
| Hub1 wan1 IP | 11.1.1.11 |
| Hub2 wan1 IP | 11.1.2.11 |
| Hub1 VPN IP | 10.10.100.254 |
| Hub2 VPN IP | 10.10.200.254 |
| Spoke1 to hub1 VPN IP | 10.10.100.2 |
| Spoke1 to hub2 VPN IP | 10.10.200.2 |
| Ping server in headquarters | 11.11.11.11 |
| Internal subnet of spoke1 | 22.1.1.0/24 |
| Internal subnet of spoke2 | 33.1.1.0/24 |
| Firewall addresses | Configure hub_subnets and spoke_subnets before using them in policies. These can be customized. |
Some ADVPN-related options, such as auto-discovery sender, auto-discovery receiver, auto-discovery forwarder, and the IBGP neighbor group settings, are not supported in the GUI, so this example only includes CLI configuration commands.
Hub1 example configuration
To configure IPsec phase1 and phase2 interfaces:
```
config vpn ipsec phase1-interface
    edit "hub-phase1"
        set type dynamic
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "hub-phase2"
        set phase1name "hub-phase1"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
```
Configure the VPN interface and BGP:
```
config system interface
    edit "hub-phase1"
        set ip 10.10.100.254 255.255.255.255
        set remote-ip 10.10.100.253 255.255.255.0
    next
end
config router bgp
    set as 65505
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65505
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.100.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
        edit 2
            set prefix 11.11.11.0 255.255.255.0
        next
    end
end
```
Configure firewall policies:
```
config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "hub-phase1"
        set dstintf "port10"
        set srcaddr "spoke_subnets"
        set dstaddr "hub_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow traffic from spoke to HQ"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "hub-phase1"
        set dstintf "hub-phase1"
        set srcaddr "spoke_subnets"
        set dstaddr "spoke_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow spoke-to-spoke traffic"
    next
    edit 3
        set name "intern2spoke"
        set srcintf "port10"
        set dstintf "hub-phase1"
        set srcaddr "hub_subnets"
        set dstaddr "spoke_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow traffic from HQ to spoke"
    next
end
```
Hub2 example configuration
The hub2 configuration is the same as hub1 except for the wan1 IP address, VPN interface IP address, and BGP neighbor prefix.
To configure IPsec phase1 and phase2 interfaces:
```
config vpn ipsec phase1-interface
    edit "hub-phase1"
        set type dynamic
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "hub-phase2"
        set phase1name "hub-phase1"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
```
Configure the VPN interface and BGP:
```
config system interface
    edit "hub-phase1"
        set ip 10.10.200.254 255.255.255.255
        set remote-ip 10.10.200.253 255.255.255.0
    next
end
config router bgp
    set as 65505
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65505
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.200.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
        edit 2
            set prefix 11.11.11.0 255.255.255.0
        next
    end
end
```
Configure firewall policies:
```
config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "hub-phase1"
        set dstintf "port10"
        set srcaddr "spoke_subnets"
        set dstaddr "hub_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow traffic from spoke to HQ"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "hub-phase1"
        set dstintf "hub-phase1"
        set srcaddr "spoke_subnets"
        set dstaddr "spoke_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow spoke-to-spoke traffic"
    next
    edit 3
        set name "intern2spoke"
        set srcintf "port10"
        set dstintf "hub-phase1"
        set srcaddr "hub_subnets"
        set dstaddr "spoke_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow traffic from HQ to spoke"
    next
end
```
Spoke1 example configuration
To configure IPsec phase1 and phase2 interfaces:
```
config vpn ipsec phase1-interface
    edit "spoke1-phase1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 11.1.1.11
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke1-2-phase1"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 11.1.2.11
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1-phase2"
        set phase1name "spoke1-phase1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke1-2-phase2"
        set phase1name "spoke1-2-phase1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
```
Configure the VPN interface and BGP:
```
config system interface
    edit "spoke1-phase1"
        set ip 10.10.100.2 255.255.255.255
        set remote-ip 10.10.100.254 255.255.255.0
    next
    edit "spoke1-2-phase1"
        set ip 10.10.200.2 255.255.255.255
        set remote-ip 10.10.200.254 255.255.255.0
    next
end
config router bgp
    set as 65505
    config neighbor
        edit "10.10.100.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65505
        next
        edit "10.10.200.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65505
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end
```
Configure SD-WAN:
```
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "spoke1-phase1"
        next
        edit 2
            set interface "spoke1-2-phase1"
        next
    end
    config health-check
        edit "ping"
            set server "11.11.11.11"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 200
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set mode sla
            set dst "finacial-department"
            config sla
                edit "ping"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        edit 2
            set member 2
            set dst "technical-department"
        next
    end
end
```
Configure firewall policies:
```
config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "spoke_subnets"
        set dstaddr "spoke_subnets" "hub_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Allow internal traffic outflow to HQ and other branches"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "spoke_subnets" "hub_subnets"
        set dstaddr "spoke_subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Allow HQ and other incoming spoke traffic"
    next
end
```
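The proposals in this example still offer 3DES and SHA-1, the pre-shared key is the literal string `sample`, and the policies permit service "ALL". The following added example (not Fortinet's code) parses flat `config`/`edit`/`set` blocks and flags those settings before a lab configuration like this one is reused; the placeholder-PSK list and the finding names are assumptions.

```python
import re

# Constructed sample: hub settings abridged from the configuration on this page.
HUB_CONFIG = """
config vpn ipsec phase1-interface
    edit "hub-phase1"
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set auto-discovery-sender enable
        set psksecret sample
    next
end
config vpn ipsec phase2-interface
    edit "hub-phase2"
        set phase1name "hub-phase1"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end
config firewall policy
    edit 2
        set name "spoke2spoke"
        set service "ALL"
    next
end
"""

# Assumption: strings treated as placeholder secrets; extend for your environment.
PLACEHOLDER_PSKS = {"sample", "test", "changeme", "password"}


def parse_config(text):
    """Parse flat config/edit/set blocks (no nested config) into {(section, entry): {key: [values]}}."""
    entries, section, entry = {}, None, None
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if not words:
            continue
        if words[0] == "config":
            section, entry = " ".join(words[1:]), None
        elif words[0] == "edit" and section and len(words) > 1:
            entry = words[1]
            entries[(section, entry)] = {}
        elif words[0] == "set" and entry is not None and len(words) > 1:
            entries[(section, entry)][words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            entry = None
    return entries


def audit(text):
    """Return (section, entry, finding, value) tuples for settings worth reviewing."""
    findings = []
    for (section, entry), settings in parse_config(text).items():
        if section.startswith("vpn ipsec"):
            for proposal in settings.get("proposal", []):
                cipher, _, digest = proposal.partition("-")
                # 3DES has a 64-bit block; SHA-1 and MD5 are legacy digests.
                if cipher in ("des", "3des") or digest in ("sha1", "md5"):
                    findings.append((section, entry, "legacy-proposal", proposal))
            psk = " ".join(settings.get("psksecret", []))
            if psk.lower() in PLACEHOLDER_PSKS:
                findings.append((section, entry, "placeholder-psk", psk))
        elif section == "firewall policy" and settings.get("service") == ["ALL"]:
            findings.append((section, entry, "service-all", settings.get("name", [entry])[0]))
    return findings
```

Proposals without a separate digest, such as aes256gcm and chacha20poly1305 in the spoke phase2 configuration, are not flagged.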
Troubleshooting ADVPN and Shortcuts
Before the spoke-to-spoke shortcut VPN is established
Use the following CLI commands to check the status of the spoke before the spoke-to-spoke shortcut VPN is established.
```
# get router info bgp summary
BGP router identifier 2.2.2.2, local AS number 65505
BGP table version is 13
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.10.5 40.0 1 322 5 40.10. :15 5
10.10.200.254   4 65505    3365    3319     12   0    0 00:02:14        5

Total number of neighbors 2
```
```
# get router info routing-table bgp
Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:00:58
                  [200/0] via 10.10.100.254, spoke1-phase1, 00:00:58
B       1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:01:29
                   [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:01:29
B       11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:29
                      [200/0] via 10.10.100.254, spoke1-phase1, 00:01:29
B       33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1, 00:00:58
                    [200/0] via 10.10.100.3, spoke1-phase1, 00:00:58
                    [200/0] via 10.10.200.3, spoke1-2-phase1, 00:00:58
                    [200/0] via 10.10.100.3, spoke1-phase1, 00:00:58
```
```
# diagnose vpn tunnel list
```
```
# diagnose sys virtual-wan-link service
Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
  Member sub interface:
  Members:
    1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
  Dst address: 33.1.1.1-33.1.1.100

Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Member sub interface:
  Members:
    1: Seq_num(2), alive, selected
  Dst address: 33.1.1.101-33.1.1.200
```
```
# diagnose firewall proute list
```
After the spoke-to-spoke shortcut VPN is established
Use the following CLI commands to check the status of the spoke after the spoke-to-spoke shortcut VPN is established.
```
# get router info routing-table bgp
Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:33
                  [200/0] via 10.10.100.254, spoke1-phase1, 00:01:33
B       1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
                   [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
B       11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:02:04
                      [200/0] via 10.10.100.254, spoke1-phase1, 00:02:02
B       33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
                    [200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33
                    [200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
                    [200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33
```
```
# diagnose sys virtual-wan-link service
Service(1): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
  Member sub interface:
    1: seq_num(1), interface(spoke1-phase1):
       1: spoke1-phase1_0(111)
    2: seq_num(2), interface(spoke1-2-phase1):
       1: spoke1-2-phase1_0(113)
  Members:
    1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
  Dst address: 33.1.1.1-33.1.1.100

Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Member sub interface:
    1: seq_num(2), interface(spoke1-2-phase1):
       1: spoke1-2-phase1_0(113)
  Members:
    1: Seq_num(2), alive, selected
  Dst address: 33.1.1.101-33.1.1.200
```
```
# diagnose vpn tunnel list
```
```
# diagnose firewall proute list
```
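Once a shortcut is up, traffic for the affected prefixes goes directly between spokes and no longer crosses the hub, so the hub's spoke2spoke policy does not see it. The added example below (not part of the original documentation) parses BGP routing-table output and lists the prefixes that have shortcut paths. It assumes shortcut interfaces are named after their parent phase1 interface with a numeric suffix, as in spoke1-phase1_0 on this page; the sample tables are constructed.

```python
import re

# Constructed sample shaped like the `get router info routing-table bgp` output
# on this page after the shortcut is up; 33.1.1.0/24 is the spoke2 subnet.
ROUTES_AFTER = """\
Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:33
                  [200/0] via 10.10.100.254, spoke1-phase1, 00:01:33
B       1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
B       11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:02:04
                      [200/0] via 10.10.100.254, spoke1-phase1, 00:02:04
B       33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
                    [200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33
"""
# The same table before any shortcut exists: spoke2 is reached through the hub tunnels.
ROUTES_BEFORE = ROUTES_AFTER.replace("_0,", ",")

PARENTS = {"spoke1-phase1", "spoke1-2-phase1"}  # phase1 interfaces configured on Spoke1

PREFIX = re.compile(r"^B\*?\s+(\d+(?:\.\d+){3}/\d+)")
NEXT_HOP = re.compile(r"\[\d+/\d+\] via (\S+?), (\S+?), ")
SHORTCUT = re.compile(r"^(.+)_(\d+)$")


def parse_bgp_routes(text):
    """Map each BGP prefix to its (next_hop, interface) paths, including ECMP continuation lines."""
    routes, current = {}, None
    for line in text.splitlines():
        prefix = PREFIX.match(line)
        if prefix:
            current = prefix.group(1)
            routes[current] = []
        hop = NEXT_HOP.search(line)  # recursive routes carry no interface and are skipped
        if hop and current:
            routes[current].append(hop.groups())
    return routes


def classify_paths(text, parents=PARENTS):
    """Split each prefix's paths into those through a hub tunnel and those over a shortcut."""
    report = {}
    for prefix, hops in parse_bgp_routes(text).items():
        paths = {"hub": [], "shortcut": []}
        for next_hop, ifname in hops:
            match = SHORTCUT.match(ifname)
            is_shortcut = bool(match) and match.group(1) in parents
            paths["shortcut" if is_shortcut else "hub"].append((next_hop, ifname))
        report[prefix] = paths
    return report


def prefixes_bypassing_hub(text, parents=PARENTS):
    """Prefixes with at least one path that goes spoke to spoke and never crosses the hub."""
    return [p for p, paths in classify_paths(text, parents).items() if paths["shortcut"]]
```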