Administration Guide

Full mesh OCVPN

This example shows how to configure a full mesh Overlay Controller VPN (OCVPN), establishing full mesh IPsec tunnels between all of the FortiGates.

License

  • Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay.
  • Full license: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Poll-interval

How often FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.

Role

The device OCVPN role of spoke, primary-hub, or secondary-hub.

Overlay

Defines a network overlay and binds it to local subnets or interfaces.

Subnet

Internal network subnet (IPsec protected subnet). Traffic to or from this subnet enters the IPsec tunnel and is encrypted by the IPsec SA.

Sample topology

The following example shows three FortiGate units registered on FortiCare using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between the units.

Sample configuration

The following overlays and subnets are used:

  • Branch1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Branch2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
  • Branch3:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24

Caution

The overlay names on each device must be the same for local and remote selector pairs to be negotiated.

To register FortiGates on FortiCare:
  1. Go to System > FortiGuard > License Information > FortiCare Support.
  2. To register, click Register or Launch Portal.
  3. Complete the options to register FortiGate on FortiCare.

To enable OCVPN in the GUI:
  1. Go to VPN > Overlay Controller VPN.
  2. Create the first overlay by setting the following options:
    1. For Status, click Enabled.
    2. For Role, click Spoke.
    3. In the Overlays section, click Create New to create a network overlay.

  3. Specify the Name, Local subnets, and/or Local interfaces.

    The local subnet must be routable and interfaces must have IP addresses.

  4. Click OK.

  5. Click Apply to commit the configuration.
  6. Repeat this procedure to create all the overlays.

To enable OCVPN in the CLI:
  1. Configure Branch1:
    config vpn ocvpn
        set status enable
        set multipath disable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 10.1.100.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 10.2.100.0 255.255.255.0
                    next
                end
            next
        end
    end
  2. Configure Branch2:
    config vpn ocvpn
        set status enable
        set multipath disable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set type interface
                        set interface "lan1"
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set type interface
                        set interface "lan2"
                    next
                end
            next
        end
    end
  3. Configure Branch3:
    config vpn ocvpn
        set status enable
        set multipath disable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 172.16.101.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 172.16.102.0 255.255.255.0
                    next
                end
            next
        end
    end
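The caution above only holds if every device actually ends up with the same set of overlay names, and a reused `edit` index silently re-opens an existing table entry instead of adding a second one. The following added example (not Fortinet code) parses `config vpn ocvpn` blocks with FortiOS index semantics and reports overlay names that any peer in the mesh lacks; the Branch3 text embedded below is constructed with the index reuse slip so the effect is visible.

```python
import shlex

def parse_ocvpn(cli):
    """Parse FortiOS CLI text into nested dicts keyed by 'edit' index, as FortiOS does."""
    cur, stack = {}, []
    for tok in filter(None, map(shlex.split, cli.splitlines())):
        if tok[0] in ("config", "edit"):   # open a table or a keyed entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})  # reused index: same entry
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):    # close it
            cur = stack.pop()
    return cur

def overlay_selectors(cli):
    """{overlay name: set of selectors}; a selector is 'addr/mask' or 'if:<interface>'."""
    out = {}
    for ov in parse_ocvpn(cli)["vpn ocvpn"]["overlays"].values():
        subs = ov.get("subnets", {}).values()
        out[ov["name"][0]] = {"if:" + s["interface"][0] if "interface" in s
                              else "/".join(s["subnet"]) for s in subs}
    return out

def check_mesh(devices):
    """devices = {host: cli text}. Report overlay names a peer lacks, since OCVPN
    only negotiates selector pairs for overlay names present on both ends."""
    per_dev = {h: overlay_selectors(c) for h, c in devices.items()}
    wanted = set().union(*per_dev.values())
    return [f"{h}: overlay {n!r} missing, peers cannot negotiate it"
            for h, ovs in sorted(per_dev.items()) for n in sorted(wanted - ovs.keys())]

# Constructed sample: Branch3 with 'edit 1' reused for PM, so QA is overwritten.
BRANCH3_TYPO = """config vpn ocvpn
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 1
            set name "PM"
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end"""
```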
