HUB and SPOKE ADVPN Configuration
=============================================================================================
=============================================================================================
# Hub IKEv2 phase 1 for the ADVPN overlay: a dial-up (type dynamic) tunnel on port1
# that offers shortcuts to the spokes (auto-discovery-sender enable).
config vpn ipsec phase1-interface
edit advpn
set ike-version 2
# NOTE(review): DES (56-bit key) and MD5 are obsolete and not acceptable outside a lab.
# Move to an AES / SHA-2 proposal, and change hub and spokes together: proposals must match.
set proposal des-md5
# NOTE(review): DH group 5 is 1536-bit MODP, below the 2048-bit floor most baselines require.
# Prefer group 14 or higher (or an ECP group), again identical on every peer.
set dhgrp 5
set authmethod psk
# NOTE(review): guessable placeholder secret, stored in clear text and reused by every peer
# in this file. Replace it with a long random value (or certificate auth) before any real use.
set psksecret test123
set nattraversal disable
set keylife 86400
set dpd on-demand
set dpd-retrycount 3
set dpd-retryinterval 20
set interface port1
# type dynamic + peertype any: no peer-ID restriction, so any peer that presents the PSK is
# accepted. That makes PSK strength the only admission control on this hub.
set type dynamic
set peertype any
set net-device disable
# add-route disable: no routes are injected from IKE; reachability comes from the BGP stanza.
set add-route disable
set exchange-interface-ip disable 
set auto-discovery-sender enable                        
next
end

# Hub IPsec phase 2 (tunnel mode) bound to the advpn phase 1.
config vpn ipsec phase2-interface
edit advpn
set encapsulation tunnel-mode
# NOTE(review): same obsolete DES/MD5 suite as phase 1; this is the cipher that protects
# the data traffic itself. Upgrade together with the spokes.
set proposal des-md5
# NOTE(review): with PFS disabled, rekeys do no fresh DH exchange, so child SA keys stay tied
# to the phase 1 keying material. Enable PFS on all peers outside a lab.
set pfs disable
set keylife-type seconds
set keylifeseconds 43200
set keepalive disable
set phase1name advpn
next
end

# Overlay addressing for the hub tunnel interface (172.16.1.1 inside 172.16.1.0/24).
config system interface
edit advpn
set ip 172.16.1.1/32
set remote-ip 172.16.1.254/24
# Only ping is permitted to the firewall itself over the overlay; no HTTPS/SSH management
# is exposed to spokes here. Keep it that way unless management over the VPN is intended.
set allowaccess ping
set type tunnel
set interface port1
next
end

# Hub iBGP (AS 65000): acts as route reflector for dynamically discovered overlay peers
# and advertises the hub LAN 10.0.1.0/24.
config router bgp
set as 65000
set router-id 10.0.1.254
set ibgp-multipath enable

# NOTE(review): no BGP session authentication and no inbound prefix-list / route-map is set
# on this neighbor group, so whatever a spoke advertises is accepted and reflected to the
# other spokes. Restrict accepted prefixes to each site's expected LAN range.
config neighbor-group
edit advpn-peers
set remote-as 65000
set interface advpn
set update-source advpn
set route-reflector-client enable
next
end
# Any source address in 172.16.1.0/24 may open a session as a member of advpn-peers.
# Combined with the shared PSK, a peer that gets onto the overlay can also inject routes.
config neighbor-range
edit 1
set prefix 172.16.1.0 255.255.255.0
set neighbor-group advpn-peers
next
end
config network
edit 1
set prefix 10.0.1.0 255.255.255.0
next 
end
end

# Hub forwarding policies: LAN (port3) <-> overlay, plus overlay <-> overlay.
# NOTE(review): all three are accept / all / all / ALL with no security profiles set in
# these stanzas. Treat them as lab scaffolding; in production scope srcaddr, dstaddr and
# service to the site subnets and the applications that actually need to cross the VPN.
# logtraffic all is set on each policy, which keeps forwarded sessions visible in the logs.
config firewall policy
edit 1
set name LAN-to-VPN
set srcintf port3
set dstintf advpn
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end

# Inbound from the overlay to the hub LAN: any authenticated spoke reaches every host and
# port behind port3. This is the policy where address and service scoping matters most.
config firewall policy
edit 2
set name VPN-to-LAN
set srcintf advpn
set dstintf port3
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end

# Spoke-to-spoke traffic relayed through the hub (same interface as source and destination).
# NOTE(review): unrestricted, so one compromised spoke can reach all other spokes via the hub.
config firewall policy
edit 4
set name VPN-to-VPN
set srcintf advpn
set dstintf advpn
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end
----------------------------------------------------------------------
DC-Spoke Configuration:

# DC spoke IKEv2 phase 1: static tunnel to the hub at 192.168.1.1 that accepts shortcut
# offers (auto-discovery-receiver enable).
config vpn ipsec phase1-interface
edit advpn
set ike-version 2
# NOTE(review): DES/MD5 is obsolete; lab use only. Must be changed on hub and all spokes
# at the same time, or negotiation fails on proposal mismatch.
set proposal des-md5
# NOTE(review): DH group 5 (1536-bit MODP) is below current minimums; prefer group 14+.
set dhgrp 5
set authmethod psk
# NOTE(review): guessable placeholder PSK in clear text, identical to the hub and the other
# spoke. Shortcut tunnels between spokes are authenticated with the same secret, so a leak
# at one site exposes the whole overlay.
set psksecret test123
set nattraversal disable
set keylife 86400
set dpd on-idle
set dpd-retrycount 3
set dpd-retryinterval 20
set interface port1
set type static
# peertype any: the peer's IKE identity is not checked; only remote-gw and the PSK bind
# this tunnel to the hub.
set peertype any
set remote-gw 192.168.1.1
set net-device enable
set exchange-interface-ip disable
set auto-discovery-receiver enable                        
next
end

# DC spoke IPsec phase 2; auto-negotiate brings the child SA up without waiting for traffic.
config vpn ipsec phase2-interface
edit advpn
set encapsulation tunnel-mode
# NOTE(review): obsolete DES/MD5 protects the data plane here; upgrade with the hub.
set proposal des-md5
# NOTE(review): PFS disabled means no fresh DH exchange on rekey; enable on all peers
# outside a lab.
set pfs disable
set keylife-type seconds
set keylifeseconds 43200
set phase1name advpn
set auto-negotiate enable
next
end

# Overlay addressing for the DC spoke tunnel interface (172.16.1.2, hub at 172.16.1.1).
config system interface
edit advpn
set ip 172.16.1.2/32
set remote-ip 172.16.1.1/24
# Only ping is allowed to the firewall itself over the overlay; no management protocols.
set allowaccess ping
set type tunnel
set interface port1
next
end

# DC spoke iBGP (AS 65000): single session to the hub overlay address; advertises 10.0.2.0/24.
config router bgp
set as 65000
set router-id 10.0.2.254
set ibgp-multipath enable
# NOTE(review): no session authentication or inbound filter is set on this neighbor, so
# every route the hub reflects is installed. Filter to the expected site prefixes.
config neighbor
edit 172.16.1.1
set remote-as 65000
set interface advpn
set update-source advpn
next
end
config network
edit 1
set prefix 10.0.2.0 255.255.255.0
next 
end
end

# DC spoke forwarding policies between the LAN (port3) and the overlay.
# NOTE(review): both are accept / all / all / ALL with no security profiles set in these
# stanzas. Because shortcut tunnels terminate on the same advpn phase 1, VPN-to-LAN also
# admits traffic arriving directly from other spokes, not only from the hub. Scope srcaddr,
# dstaddr and service for anything beyond a lab. logtraffic all keeps sessions visible.
config firewall policy
edit 2
set name LAN-to-VPN
set srcintf port3
set dstintf advpn
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end

config firewall policy
edit 3
set name VPN-to-LAN
set srcintf advpn
set dstintf port3
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end
================================================================
BR-Spoke Configuration:

# BR spoke IKEv2 phase 1: static tunnel to the hub at 192.168.1.1 that accepts shortcut
# offers (auto-discovery-receiver enable). Same settings as the DC spoke.
config vpn ipsec phase1-interface
edit advpn
set ike-version 2
# NOTE(review): DES/MD5 is obsolete; lab use only. Change on hub and all spokes together.
set proposal des-md5
# NOTE(review): DH group 5 (1536-bit MODP) is below current minimums; prefer group 14+.
set dhgrp 5
set authmethod psk
# NOTE(review): guessable placeholder PSK in clear text, shared with the hub and the DC
# spoke. Use a long random secret or certificates before any real deployment.
set psksecret test123
set nattraversal disable
set keylife 86400
set dpd on-idle
set dpd-retrycount 3
set dpd-retryinterval 20
set interface port1
set type static
# peertype any: the peer's IKE identity is not checked.
set peertype any
set remote-gw 192.168.1.1
set net-device enable
set exchange-interface-ip disable
set auto-discovery-receiver enable  
next
end

# BR spoke IPsec phase 2; auto-negotiate brings the child SA up without waiting for traffic.
config vpn ipsec phase2-interface
edit advpn
set encapsulation tunnel-mode
# NOTE(review): obsolete DES/MD5 protects the data plane here; upgrade with the hub.
set proposal des-md5
# NOTE(review): PFS disabled means no fresh DH exchange on rekey; enable on all peers
# outside a lab.
set pfs disable
set keylife-type seconds
set keylifeseconds 43200
set phase1name advpn
set auto-negotiate enable
next
end

# Overlay addressing for the BR spoke tunnel interface (172.16.1.3, hub at 172.16.1.1).
config system interface
edit advpn
set ip 172.16.1.3/32
set remote-ip 172.16.1.1/24
# Only ping is allowed to the firewall itself over the overlay; no management protocols.
set allowaccess ping
set type tunnel
set interface port1
next
end

# BR spoke iBGP (AS 65000): single session to the hub overlay address; advertises 10.0.3.0/24.
config router bgp
set as 65000
set router-id 10.0.3.254
set ibgp-multipath enable
# NOTE(review): no session authentication or inbound filter is set on this neighbor, so
# every route the hub reflects is installed. Filter to the expected site prefixes.
config neighbor
edit 172.16.1.1
set remote-as 65000
set interface advpn
set update-source advpn
next
end
config network
edit 1
set prefix 10.0.3.0 255.255.255.0
next 
end
end

# BR spoke forwarding policies between the LAN (port2 on this unit) and the overlay.
# NOTE(review): both are accept / all / all / ALL with no security profiles set in these
# stanzas. VPN-to-LAN also covers traffic arriving over shortcut tunnels from other spokes.
# Scope srcaddr, dstaddr and service for anything beyond a lab. logtraffic all keeps
# sessions visible.
config firewall policy
edit 2
set name LAN-to-VPN
set srcintf port2
set dstintf advpn
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end

config firewall policy
edit 3
set name VPN-to-LAN
set srcintf advpn
set dstintf port2
set action accept
set srcaddr all
set dstaddr all
set schedule always
set service ALL
set logtraffic all
set status enable
end
=================================================================
# Verification commands run on the spokes (no output was captured on this page).
# The flush tears down the tunnel named advpn_0, presumably the shortcut instance spawned
# from the advpn phase 1 (confirm the name on the unit). Traffic on it drops until it renegotiates.
DC-FW # diagnose vpn tunnel flush advpn_0
# When reading the BGP tables, check that only the expected site prefixes configured above
# (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) are present. No inbound route filter is configured,
# so an unexpected prefix here is the first sign of a bad or rogue advertisement.
DC-FW # get router info routing-table bgp
BR-FW # get router info routing-table bgp