Fortinet Cookbook

Full mesh OCVPN

This example shows how to configure a full mesh Overlay Controller VPN (OCVPN), establishing full mesh IPsec tunnels between all of the FortiGates.

License

  • Free license: Three devices in full mesh, 10 overlays, 16 subnets per overlay.
  • Full license: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Poll-interval

How often the FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.

Role

The OCVPN role of the device: spoke, primary-hub, or secondary-hub.

Overlay

Defines network overlays and binds them to subnets.

Subnet

Internal network subnet (IPsec protected subnet). Traffic to or from this subnet enters the IPsec tunnel and is encrypted by the IPsec SA.

Sample topology

The following example shows three FortiGate units registered on FortiCare using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between the units.

Sample configuration

The following overlays and subnets are used:

  • Branch1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Branch2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
  • Branch3:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24

Caution

The overlay names on each device must be the same for local and remote selector pairs to be negotiated.

To register FortiGates on FortiCare:
  1. Go to System > FortiGuard > License Information > FortiCare Support.
  2. To register, click Register or Launch Portal.
  3. Complete the options to register the FortiGate on FortiCare.

To enable OCVPN using the GUI:
  1. Go to VPN > Overlay Controller VPN.
  2. Create the first overlay by setting the following options:
    1. For Status, click Enabled.
    2. For Role, click Spoke.
    3. In the Overlays section, click Create New to create a network overlay.
  3. Specify the Name, Local subnets, and/or Local interfaces.
     The local subnet must be routable and interfaces must have IP addresses.
  4. Click OK.
  5. Click Apply to commit the configuration.
  6. Repeat this procedure to create all the overlays.

To enable OCVPN using the CLI:
  1. Configure Branch1:
    config vpn ocvpn
       set status enable
       config overlays
          edit 1
              set name "QA"
              config subnets
                 edit 1
                    set subnet 10.1.100.0 255.255.255.0
                 next
              end
          next
          edit 2
              set name "PM"
              config subnets
                 edit 1
                    set subnet 10.2.100.0 255.255.255.0
                 next
              end
          next
       end
    end
  2. Configure Branch2:
    config vpn ocvpn
       set status enable
       config overlays
          edit 1
              set name "QA"
              config subnets
                 edit 1
                    set type interface
                    set interface "lan1"
                 next
              end
          next
          edit 2
              set name "PM"
              config subnets
                 edit 1
                    set type interface
                    set interface "lan2"
                 next
              end
          next
       end
    end
  3. Configure Branch3:
    config vpn ocvpn
       set status enable
       config overlays
          edit 1
              set name "QA"
              config subnets
                 edit 1
                    set subnet 172.16.101.0 255.255.255.0
                 next
              end
          next
          edit 2
              set name "PM"
              config subnets
                 edit 1
                    set subnet 172.16.102.0 255.255.255.0
                 next
              end
          next
       end
    end
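The caution above (overlay names must match on every device) and the CLI blocks can be checked before the configuration is pushed. The following Python script is an added example, not Fortinet code: `parse_fortios` reads `config`/`edit`/`set`/`next`/`end` text into nested dicts, and `check_mesh` reports a reused `edit` index in the overlays table (for instance entering Branch3's PM overlay as a second `edit 1` instead of `edit 2`, which would overwrite QA), overlay names missing on one device, and more devices than the free license allows. The `ocvpn` builder and the `BRANCH*` strings are constructed samples shaped like the Branch1 and Branch3 configurations.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: table -> {edit index -> entry}. A reused
    'edit' index is recorded under '_dups' and, as on a FortiGate, the later block wins."""
    root = node = {}
    stack = []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":            # open a table, e.g. 'config overlays'
            stack.append(node)
            node = node.setdefault(" ".join(args), {"_dups": []})
        elif cmd == "edit":            # open (or re-open) one entry of the table
            if args[0] in node:
                node["_dups"].append(args[0])
            stack.append(node)
            node = node.setdefault(args[0], {})
        elif cmd == "set":             # 'set subnet 10.1.100.0 255.255.255.0'
            node[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):   # close the current entry or table
            node = stack.pop()
    return root

def check_mesh(device_texts, max_devices=3):
    """Return a list of problems; [] means the overlays line up on every device."""
    problems, names = [], {}
    if len(device_texts) > max_devices:
        problems.append(f"{len(device_texts)} devices exceeds the free-license limit of {max_devices}")
    for dev, text in device_texts.items():
        table = parse_fortios(text)["vpn ocvpn"]["overlays"]
        for dup in table["_dups"]:
            problems.append(f"{dev}: 'edit {dup}' reused in overlays; the second block overwrote the first")
        names[dev] = {ov["name"] for idx, ov in table.items() if idx != "_dups"}
    for dev, have in names.items():
        for missing in sorted(set().union(*names.values()) - have):
            problems.append(f"{dev}: overlay {missing!r} missing, so peers cannot negotiate its selectors")
    return problems

def ocvpn(entries):
    """Constructed sample builder: [(edit_idx, name, 'ip mask')] -> CLI text shaped like the cookbook's."""
    body = "".join(f'edit {i}\nset name "{n}"\nconfig subnets\nedit 1\nset subnet {s}\nnext\nend\nnext\n'
                   for i, n, s in entries)
    return "config vpn ocvpn\nset status enable\nconfig overlays\n" + body + "end\nend\n"
# Constructed samples: BRANCH3_DUP enters PM as a second 'edit 1', which silently replaces QA.
BRANCH1 = ocvpn([(1, "QA", "10.1.100.0 255.255.255.0"), (2, "PM", "10.2.100.0 255.255.255.0")])
BRANCH3_DUP = ocvpn([(1, "QA", "172.16.101.0 255.255.255.0"), (1, "PM", "172.16.102.0 255.255.255.0")])
BRANCH3_OK = ocvpn([(1, "QA", "172.16.101.0 255.255.255.0"), (2, "PM", "172.16.102.0 255.255.255.0")])
```

Run `check_mesh({"Branch1": BRANCH1, "Branch3": BRANCH3_DUP})` to see both the reused index and the resulting missing QA overlay reported; with `BRANCH3_OK` the list is empty.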