Fortinet Document Library

Version:

7.0.3
7.0.2
7.0.1

Version:

7.0.0
6.4.8
6.4.7

Version:

6.4.6
6.4.5
6.4.4

Version:

6.4.3
6.4.2
6.4.1

Version:

6.4.0

Table of Contents

Administration Guide

7.0.1
7.0.3
7.0.2
7.0.1
7.0.0
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Download PDF
Copy Link

Full mesh OCVPN

This example shows how to configure a full mesh Overlay Controller VPN (OCVPN), establishing full mesh IPsec tunnels between all of the FortiGates.

License

  • Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay.
  • Full License: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Poll-interval

How often FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.

Role

The device OCVPN role of spoke, primary-hub, or secondary-hub.

Overlay

Defines network overlays and bind to subnets.

Subnet

Internal network subnet (IPsec protected subnet). Traffic to or from this subnet enters the IPsec tunnel encrypted by IPsec SA.

Sample topology

The following example shows three FortiGate units registered on FortiCare using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between the units.

Sample configuration

The following overlays and subnets are used:

  • Branch1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Branch2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
  • Branch3:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24
Caution

The overlay names on each device must be the same for local and remote selector pairs to be negotiated.
To register FortiGates on FortiCare:
  1. Go to System > FortiGuard.
  2. In the License Information section, click Login to FortiCare. The registration pane opens.

  3. Enter the required information (email address, password, country/region, reseller).

  4. Optionally, enable Sign in to FortiGate Cloud using the same account.

  5. Click OK.
To enable OCVPN in the GUI:
  1. Go to VPN > Overlay Controller VPN.
  2. Create the first overlay by setting the following options:
    1. For Status, click Enabled.
    2. For Role, click Spoke.
    3. In the Overlays section, click Create New to create a network overlay.

  3. Specify the Name, Local subnets, and/or Local interfaces.

    The local subnet must be routable and interfaces must have IP addresses.

  4. Click OK.

  5. Click Apply to commit the configuration.
  6. Repeat this procedure to create all the overlays.
To enable OCVPN in the CLI:
  1. Configure Branch1:
    config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end
  2. Configure Branch2: 
    config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
         edit 1
             set name "QA"
             config subnets
                  edit 1
                        set type interface
                        set interface "lan1"
                  next
             end
         next
         edit 2
             set name "PM"
             config subnets
                  edit 1
                        set type interface
                        set interface "lan2"
                  next
             end
         next
    end
end
  3. Configure Branch3:
    config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
         edit 1
             set name "QA"
             config subnets
                 edit 1
                     set subnet 172.16.101.0 255.255.255.0
                 next
             end
         next
         edit 1
             set name "PM"
             config subnets
                 edit 1
                     set subnet 172.16.102.0 255.255.255.0
                 next
             end
         next
    end
end

Full mesh OCVPN

This example shows how to configure a full mesh Overlay Controller VPN (OCVPN), establishing full mesh IPsec tunnels between all of the FortiGates.

License

  • Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay.
  • Full License: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Poll-interval

How often FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.

Role

The device OCVPN role of spoke, primary-hub, or secondary-hub.

Overlay

Defines network overlays and bind to subnets.

Subnet

Internal network subnet (IPsec protected subnet). Traffic to or from this subnet enters the IPsec tunnel encrypted by IPsec SA.

Sample topology

The following example shows three FortiGate units registered on FortiCare using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between the units.

Sample configuration

The following overlays and subnets are used:

  • Branch1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Branch2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
  • Branch3:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24
Caution

The overlay names on each device must be the same for local and remote selector pairs to be negotiated.
To register FortiGates on FortiCare:
  1. Go to System > FortiGuard.
  2. In the License Information section, click Login to FortiCare. The registration pane opens.

  3. Enter the required information (email address, password, country/region, reseller).

  4. Optionally, enable Sign in to FortiGate Cloud using the same account.

  5. Click OK.
To enable OCVPN in the GUI:
  1. Go to VPN > Overlay Controller VPN.
  2. Create the first overlay by setting the following options:
    1. For Status, click Enabled.
    2. For Role, click Spoke.
    3. In the Overlays section, click Create New to create a network overlay.

  3. Specify the Name, Local subnets, and/or Local interfaces.

    The local subnet must be routable and interfaces must have IP addresses.

  4. Click OK.

  5. Click Apply to commit the configuration.
  6. Repeat this procedure to create all the overlays.
To enable OCVPN in the CLI:
  1. Configure Branch1:
    config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end
  2. Configure Branch2: 
    config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
         edit 1
             set name "QA"
             config subnets
                  edit 1
                        set type interface
                        set interface "lan1"
                  next
             end
         next
         edit 2
             set name "PM"
             config subnets
                  edit 1
                        set type interface
                        set interface "lan2"
                  next
             end
         next
    end
end
  3. Configure Branch3:
    config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
         edit 1
             set name "QA"
             config subnets
                 edit 1
                     set subnet 172.16.101.0 255.255.255.0
                 next
             end
         next
         edit 1
             set name "PM"
             config subnets
                 edit 1
                     set subnet 172.16.102.0 255.255.255.0
                 next
             end
         next
    end
end