Fortinet white logo
Fortinet white logo

Cookbook

Hub-spoke OCVPN with ADVPN shortcut

Hub-spoke OCVPN with ADVPN shortcut

This topic shows a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology based on members' information. To form a hub-spoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary hub (for redundancy), while others function as spokes.

License

  • Free license: Hub-spoke network topology not supported.
  • Full license: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary hub.
  • Secondary hub.
  • Spoke (OCVPN default role).

Sample topology

Sample configuration

The steps below use the following overlays and subnets for the sample configuration:

  • Primary hub:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24
  • Secondary hub:
    • Overlays are synced from primary hub.
  • Spoke1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Spoke2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
Caution

The overlay names on each device must be the same for local and remote selector pairs to be negotiated.

To register FortiGates on FortiCare:
  1. Go to System > FortiGuard > License Information > FortiCare Support.
  2. To register, click Register or Launch Portal.
  3. Complete the options to register FortiGate on FortiCare.
To enable hub-spoke OCVPN using the GUI:
  1. Go to VPN > Overlay Controller VPN.
  2. Configure the OCVPN primary hub by setting the following options:
    1. For Status, click Enabled.
    2. For Role, click Primary Hub.
    3. In the Overlays section, click Create New to create a network overlay.

    4. Specify the Name, Local subnets, and/or Local interfaces. Then click OK.
    5. Click Apply to commit the configuration.

  3. Configure the OCVPN secondary hub:

    Overlays are synced from the primary hub and cannot be defined in the secondary hub.

    1. In the Overlay Controller VPN pane, select Secondary Hub for the Role.
    2. Select Apply to commit the configuration.

  4. Configure the OCVPN spokes:
    1. In the Overlay Controller VPN pane, select Spoke for the Role.
    2. In the Overlays section, click Create New to create a network overlay.
    3. Specify the Name, Local subnets, and/or Local interfaces.
      The local subnet must be routable and interfaces must have IP addresses.
    4. Click OK and then click Apply to commit the configuration.

To enable hub-spoke OCVPN using the CLI:
  1. Configure the OCVPN primary hub:
    config vpn ocvpn
        set status enable
        set role primary-hub
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 172.16.101.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 172.16.102.0 255.255.255.0
                    next
                end
            next
        end
    end
  2. Configure the OCVPN secondary hub:
    config vpn ocvpn
        set status enable
        set role secondary-hub
    end
  3. Configure the OCVPN spoke1:
    config vpn ocvpn
        set status enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 10.1.100.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 10.2.100.0 255.255.255.0
                    next
                end
            next
        end
    end
  4. Configure the OCVPN spoke2:
    config vpn ocvpn
        set status enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 192.168.4.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 192.168.5.0 255.255.255.0
                    next
                end
            next
        end
    end

Hub-spoke OCVPN with ADVPN shortcut

Hub-spoke OCVPN with ADVPN shortcut

This topic shows a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology based on members' information. To form a hub-spoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary hub (for redundancy), while others function as spokes.

License

  • Free license: Hub-spoke network topology not supported.
  • Full license: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary hub.
  • Secondary hub.
  • Spoke (OCVPN default role).

Sample topology

Sample configuration

The steps below use the following overlays and subnets for the sample configuration:

  • Primary hub:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24
  • Secondary hub:
    • Overlays are synced from primary hub.
  • Spoke1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Spoke2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
Caution

The overlay names on each device must be the same for local and remote selector pairs to be negotiated.

To register FortiGates on FortiCare:
  1. Go to System > FortiGuard > License Information > FortiCare Support.
  2. To register, click Register or Launch Portal.
  3. Complete the options to register FortiGate on FortiCare.
To enable hub-spoke OCVPN using the GUI:
  1. Go to VPN > Overlay Controller VPN.
  2. Configure the OCVPN primary hub by setting the following options:
    1. For Status, click Enabled.
    2. For Role, click Primary Hub.
    3. In the Overlays section, click Create New to create a network overlay.

    4. Specify the Name, Local subnets, and/or Local interfaces. Then click OK.
    5. Click Apply to commit the configuration.

  3. Configure the OCVPN secondary hub:

    Overlays are synced from the primary hub and cannot be defined in the secondary hub.

    1. In the Overlay Controller VPN pane, select Secondary Hub for the Role.
    2. Select Apply to commit the configuration.

  4. Configure the OCVPN spokes:
    1. In the Overlay Controller VPN pane, select Spoke for the Role.
    2. In the Overlays section, click Create New to create a network overlay.
    3. Specify the Name, Local subnets, and/or Local interfaces.
      The local subnet must be routable and interfaces must have IP addresses.
    4. Click OK and then click Apply to commit the configuration.

To enable hub-spoke OCVPN using the CLI:
  1. Configure the OCVPN primary hub:
    config vpn ocvpn
        set status enable
        set role primary-hub
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 172.16.101.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 172.16.102.0 255.255.255.0
                    next
                end
            next
        end
    end
  2. Configure the OCVPN secondary hub:
    config vpn ocvpn
        set status enable
        set role secondary-hub
    end
  3. Configure the OCVPN spoke1:
    config vpn ocvpn
        set status enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 10.1.100.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 10.2.100.0 255.255.255.0
                    next
                end
            next
        end
    end
  4. Configure the OCVPN spoke2:
    config vpn ocvpn
        set status enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 192.168.4.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 192.168.5.0 255.255.255.0
                    next
                end
            next
        end
    end