Hub-spoke OCVPN with inter-overlay source NAT

This topic shows a sample configuration of hub-spoke OCVPN with inter-overlay source NAT. By default, OCVPN isolates traffic between overlays. With NAT enabled on the spokes and assign-ip enabled on the hub's overlays (together with an address range the hub can assign), traffic can cross from one overlay to another.

Inter-overlay communication means that, on a spoke with NAT enabled, traffic from any source address on any source interface is source-NATed and allowed to reach any device in the subnets of an overlay whose assign-ip option is enabled on the hub. This deliberately relaxes OCVPN's default overlay isolation: the policy that the OCVPN cloud service generates on the spoke accepts from any interface and all source addresses, so review that policy against what the spoke should actually be permitted to send into the overlay.

You must first disable auto-discovery before you can enable NAT.

License

  • Free license: Hub-spoke network topology not supported.
  • Full license: up to 2 hubs, each with up to 10 overlays and 64 subnets per overlay; up to 512 spokes, each with up to 10 overlays and 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary hub.
  • Secondary hub.
  • Spoke (OCVPN default role).

Sample topology

Sample configuration

You can only configure this feature using the CLI.

Caution

The overlay names must be identical on every device (hub and spokes); otherwise the local and remote selector pairs for that overlay are not negotiated.

To enable inter-overlay source NAT using the CLI:
  1. Configure the primary hub, define the QA and PM overlays with assign-ip enabled, and set the IP address range for QA:
    config vpn ocvpn
        set status enable
        set role primary-hub
        config overlays
            edit 1
                set name "QA"
                set assign-ip enable
                set ipv4-start-ip 172.16.101.100
                set ipv4-end-ip 172.16.101.200
                config subnets
                    edit 1
                        set subnet 172.16.101.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                set assign-ip enable
                config subnets
                    edit 1
                        set subnet 172.16.102.0 255.255.255.0
                    next
                end
            next
        end
    end
  2. Configure the secondary hub:
    config vpn ocvpn
        set status enable
        set role secondary-hub
    end
  3. Configure spoke1 and enable NAT on the spoke:
    config vpn ocvpn
        set status enable
        set auto-discovery disable
        set nat enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 10.1.100.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 10.2.100.0 255.255.255.0
                    next
                end
            next
        end
    end
  4. Configure spoke2 and enable NAT on the spoke:
    config vpn ocvpn
        set status enable
        set auto-discovery disable
        set nat enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 192.168.4.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 192.168.5.0 255.255.255.0
                    next
                end
            next
        end
    end

    A firewall policy with NAT is generated on the spoke (shown here inside its enclosing config firewall policy block; the policy ID and UUID are those of the sample device):

    config firewall policy
        edit 9
            set name "_OCVPN2-1.1_nat"
            set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
            set srcintf "any"
            set dstintf "_OCVPN2-1.1"
            set srcaddr "all"
            set dstaddr "_OCVPN2-1.1_remote_networks"
            set action accept
            set schedule "always"
            set service "ALL"
            set comments "Generated by OCVPN Cloud Service."
            set nat enable
        next
    end
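The following Python script is an added example, not part of this Fortinet page and not Fortinet tooling. It parses the FortiOS CLI fragments above into nested dictionaries and checks the pairing rules this page states: nat enable only after auto-discovery disable, overlay names present on the hub, and assign-ip enabled on every hub overlay a spoke NATs into. It also lists the generated OCVPN NAT policies that accept any interface and all source addresses, which is the exposure to review. It assumes auto-discovery defaults to enable when the setting is absent and keys the policy check on the `_OCVPN` interface prefix seen in the generated policy above; the sample inputs are the page's hub and spoke1 (subnets trimmed) plus one constructed, misconfigured spoke.

```python
import shlex

def parse_fortios(text):
    """Parse a FortiOS CLI fragment (config/edit/set/next/end) into nested dicts.
    Table entries are keyed by their 'edit' id; 'set' values keep their full text."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles quoted names such as set name "QA"
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
    return root

def overlays(cfg):
    """Map overlay name -> overlay entry from one device's 'config vpn ocvpn'."""
    return {o["name"]: o for o in cfg["vpn ocvpn"].get("overlays", {}).values()}

def audit(hub, spokes):
    """Return findings for the hub/spoke pairing rules on this page; [] means clean."""
    findings, hub_ov = [], overlays(hub)
    for dev, cfg in spokes.items():
        oc = cfg["vpn ocvpn"]
        nat = oc.get("nat") == "enable"
        # nat enable is only valid once auto-discovery is off (assumed to default to enable)
        if nat and oc.get("auto-discovery", "enable") != "disable":
            findings.append(f"{dev}: nat enable without auto-discovery disable")
        for name in overlays(cfg):
            # selector pairs are only negotiated when the same overlay name exists on the hub
            if name not in hub_ov:
                findings.append(f"{dev}: overlay {name!r} is not defined on the hub")
            elif nat and hub_ov[name].get("assign-ip") != "enable":
                findings.append(f"{dev}: NAT into {name!r} but hub overlay lacks assign-ip")
    return findings

def open_nat_policies(cfg):
    """Generated OCVPN NAT policies that accept any interface and any source into the tunnel."""
    return [(pid, p["name"]) for pid, p in cfg.get("firewall policy", {}).items()
            if p.get("nat") == "enable" and p.get("dstintf", "").startswith("_OCVPN")
            and p.get("srcintf") == "any" and p.get("srcaddr") == "all"]

# Hub and spoke1 as on this page (subnets omitted; they play no part in these checks).
HUB = parse_fortios("""
config vpn ocvpn
  set role primary-hub
  config overlays
    edit 1
      set name "QA"
      set assign-ip enable
      set ipv4-start-ip 172.16.101.100
      set ipv4-end-ip 172.16.101.200
    next
    edit 2
      set name "PM"
      set assign-ip enable
    next
  end
end""")
SPOKE1 = parse_fortios("""
config vpn ocvpn
  set auto-discovery disable
  set nat enable
  config overlays
    edit 1
      set name "QA"
    next
  end
end""")
# Constructed misconfiguration: auto-discovery left at its default and an overlay the hub lacks.
BAD_SPOKE = parse_fortios("""
config vpn ocvpn
  set nat enable
  config overlays
    edit 1
      set name "Dev"
    next
  end
end""")
# The policy this page shows being generated on the spoke once nat is enabled.
SPOKE1_POLICY = parse_fortios("""
config firewall policy
  edit 9
    set name "_OCVPN2-1.1_nat"
    set srcintf "any"
    set dstintf "_OCVPN2-1.1"
    set srcaddr "all"
    set dstaddr "_OCVPN2-1.1_remote_networks"
    set nat enable
  next
end""")
```

Run `audit(HUB, {"spoke1": SPOKE1, "bad": BAD_SPOKE})` against output pasted from `show vpn ocvpn` on each device, and `open_nat_policies(...)` against `show firewall policy` from a spoke, to see the two findings for the constructed spoke and the generated policy that admits all sources.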
