ADVPN is a (more) standards-compliant alternative to DMVPN. For casual conversation, the two terms are interchangeable.
If the 4G carrier allows inbound traffic (some restrict it) and you are able to directly IP your router (not behind NAT), there should be no issue running ADVPN and building shortcut tunnels to the 4G site. But if there's NAT and/or a firewall in front, it can get complicated.
In either case there should be absolutely no issue running true hub-and-spoke, even with a dynamic IP, as you’d be using dialup tunnels and only the Hub’s IP needs to be known.
You can purchase a data plan with a static IP and just set up a normal site-to-site VPN.
If you don't have a static IP you can use a dial-up VPN configuration.
If you get a private IP from your carrier and they do double-NAT or similar you can't use IPsec, but you can still use dial-up SSL VPN (assuming FortiOS 7.0+).
You can pay for a fixed IP address on the mobile network, and configure the proper static APN.
We have used fortinet devices in our SDWAN for backup connectivity, and in an instance where a site was just built, and fiber was not placed, it was the primary connectivity for about 2 months for a site.
Doing what you’re talking about currently. The 4g LTE stuff here is terrible, and barely functions. I have static addresses on them from the provider (they do reservations on their end), and have made tunnels off them before but they go down so much due to poor quality LTE links that I wouldn’t honestly recommend it to anyone. Possible though.
You can set up a dynamic tunnel. It will only be able to be established from the remote site, but it works well. We are using it in a lot of vehicles with 4G routers that connect to a central fortigate.
Fixed public enables you to create a classic S2S IPsec tunnel.
Dynamic public is called road warrior or dial-up IPsec.
Both work great.
When your provider just offers a private IP you will face issues with "double NAT".
There is one more point to consider.
In some areas LTE is not very stable; this can cause issues with frequently re-establishing tunnels.
A workaround can be using dedicated antennas.
Or dedicated LTE modems from different vendors, e.g. the Mikrotik LHGG LTE6 kit.
I highly prefer using a carrier-provided USB stick installed into the FortiGate USB slot. Way less hassle than the extender, which has given us many more problems than WWAN USB. But yes, either can do IPsec no problem.
As long as the spoke is on 4G and doing the dial-up then there isn't any issue. It just can't be static. You can then run a routing protocol on top, be it BGP or OSPF.
Came here to say exactly this. We have a FortiGate in our DC that is the head-end for remote sites that run on 4G with FortiExtenders and have dial-up IPsec tunnels. Once you get the configs down it’s a nice and easy way to get a site up and running quickly while a more permanent solution can be put in place (or not if you don’t need it).
IKEv2 = Phase 1, not Phase 2.
If possible go for IKEv2, then IKEv1 in main mode, or if that really doesn't work, IKEv1 in aggressive mode.
Make sure NAT traversal is enabled on the unit used as client.
FortiGate-to-FortiGate works perfectly fine with 0.0.0.0/0.0.0.0 in Phase 2.
It's just a selector/filter, but you need to add the correct routing anyway to the tunnel.
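To tie the advice in this thread together (dial-up tunnel initiated only from the spoke, IKEv2 in Phase 1, NAT traversal enabled on the client, wide-open Phase 2 selectors, and explicit routing over the tunnel interface), here is an added FortiOS CLI example for a hub and one LTE spoke. It is not configuration posted by anyone in the thread and not taken from Fortinet documentation; the interface names (`wan1` on the hub, `wwan` for the USB modem on the spoke), the tunnel names, the hub address 203.0.113.10, the subnets, and the pre-shared key are placeholders chosen for illustration.

```fortios
# ===== HUB (fixed public IP on wan1) =====
# Dial-up (type dynamic) Phase 1: the hub never initiates; it accepts
# IKEv2 from any peer that presents the right PSK, so the spoke's
# 4G address may change or sit behind carrier NAT.
config vpn ipsec phase1-interface
    edit "lte-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set nattraversal enable
        set psksecret REPLACE-WITH-STRONG-PSK
    next
end
# Phase 2 with 0.0.0.0/0 selectors: only a filter, as noted above.
# What is actually reachable is decided by routing and firewall policy.
config vpn ipsec phase2-interface
    edit "lte-dialup-p2"
        set phase1name "lte-dialup"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# ===== SPOKE (dynamic or private IP on the LTE modem) =====
# Static Phase 1 pointing at the hub. nattraversal plus a short
# keepalive keeps the UDP/4500 mapping alive through carrier NAT.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wwan"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set nattraversal enable
        set keepalive 10
        set remote-gw 203.0.113.10
        set psksecret REPLACE-WITH-STRONG-PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Routing is still required: send the hub-side networks (placeholder
# 10.0.0.0/16) into the tunnel interface.
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "to-hub"
    next
end
```

Firewall policies between the tunnel interface and the LAN are still needed on both sides before traffic flows; they are omitted here. On the hub, return routes to each spoke's LAN are either injected per dial-up client (the default `add-route` behaviour) or learned through BGP/OSPF over the tunnel, as the thread suggests. If the carrier hands out private addresses behind its own NAT, `diagnose vpn ike gateway list` on the hub will show the spoke's NAT-T status and is the first place to look when a tunnel keeps re-establishing.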