Full mesh OCVPN
This topic provides an example configuration of full mesh Overlay Controller VPN (OCVPN).
OCVPN is a cloud-based solution that simplifies IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1-interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is defined as all FortiGates registered to FortiCare by using the same FortiCare account.
If the network topology changes on any FortiGate in the community (such as changing a public IP address in DHCP mode, adding or removing protected subnets, or failing over in dual WAN), the IPsec-related configuration for all devices is updated with Cloud assistance in self-learning mode. No intervention is required.
Full mesh IPsec tunnels are established between all FortiGates.
- Free license: three devices full mesh, 10 overlays, 16 subnets per overlay.
- Full license: maximum of 16 devices, 10 overlays, 16 subnets per overlay.
- All FortiGates must be running FortiOS version 6.2.0 or later.
- All FortiGates must have Internet access.
- All FortiGates must be registered on FortiCare by using the same FortiCare account.
- Non-root VDOMs do not support OCVPN.
- FortiOS 6.2.x is not compatible with FortiOS 6.0.x.
| Setting | Description |
|---|---|
| Poll-interval | Defines how often the FortiGate tries to fetch OCVPN-related data from the OCVPN Cloud. |
| Role | Specifies the device's OCVPN role: spoke, primary-hub, or secondary-hub. |
| Overlay | Defines network overlays and binds them to subnets. |
| Subnet | Internal network subnet (IPsec protected subnet). Traffic sourced from or destined to this subnet enters the IPsec tunnel and is encrypted by the IPsec SA. |
The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.
The steps below use the following overlays and subnets for the sample configuration:
- Branch1: overlay QA, local subnet 10.1.100.0/24; overlay PM, local subnet 10.2.100.0/24
- Branch2: overlay QA, local interface lan1; overlay PM, local interface lan2
- Branch3: overlay QA, local subnet 172.16.101.0/24; overlay PM, local subnet 172.16.102.0/24
Before you begin, ensure all FortiGates are registered on FortiCare.
To register FortiGates on FortiCare:
- Go to System > FortiGuard > License Information > FortiCare Support.
- Select Register or Launch Portal to register.
- Complete the options to register FortiGate on FortiCare.
To enable OCVPN using the GUI:
- Go to VPN > Overlay Controller VPN.
- Create the first overlay by setting the following options and clicking OK:
- Beside Status, click Enabled.
- Beside Role, click Spoke.
- In the Overlays section, click Create New to create a network overlay.
- In the Name box, type a name, and input the subnets and/or choose internal interfaces.
The local subnet must be routable, and interfaces must have assigned IP addresses. Otherwise an error message displays.
- Repeat this procedure until you create all the needed overlays.
To enable OCVPN using the CLI:
- Ensure all FortiGates are registered on FortiCare.
- Configure Branch1:
```
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end
```
- Configure Branch2:
```
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set type interface
                    set interface "lan1"
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set type interface
                    set interface "lan2"
                next
            end
        next
    end
end
```
- Configure Branch3:
```
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end
```
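Because the Cloud builds the full mesh from each member's overlays, an overlay name that differs on one branch, or protected subnets that overlap between branches, breaks the mesh silently. The following added example (not Fortinet's code) parses the `config vpn ocvpn` blocks above, using only their `set name`, `set subnet` and `set interface` lines, and reports missing overlays, overlapping subnets and the free-license device limit stated on this page; the sample community is constructed, with Branch3's second overlay deliberately misnamed "OM".

```python
import ipaddress
import re

MAX_DEVICES_FREE = 3  # free-license limit from the page; full license allows 16

def parse_ocvpn(cli_text):
    """Map overlay name -> [IPv4Network for 'set subnet', str for 'set interface']."""
    overlays, current = {}, None
    for line in cli_text.splitlines():
        line = line.strip()
        if m := re.match(r'set name "([^"]+)"', line):
            current = m.group(1)
            overlays.setdefault(current, [])
        elif current and (m := re.match(r"set subnet (\S+) (\S+)", line)):
            overlays[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif current and (m := re.match(r'set interface "([^"]+)"', line)):
            overlays[current].append(m.group(1))
    return overlays

def check_community(devices, max_devices=MAX_DEVICES_FREE):
    """Return a list of problems for {device: cli_text}; empty means consistent."""
    problems = []
    if len(devices) > max_devices:
        problems.append(f"{len(devices)} devices exceeds license limit {max_devices}")
    parsed = {dev: parse_ocvpn(cli) for dev, cli in devices.items()}
    for name in sorted(set().union(*(p.keys() for p in parsed.values()))):
        nets = []
        for dev, p in parsed.items():
            if name not in p:  # every member must define the same overlay names
                problems.append(f"overlay {name!r} missing on {dev}")
            nets += [(dev, e) for e in p.get(name, []) if not isinstance(e, str)]
        for i, (d1, n1) in enumerate(nets):  # protected subnets must not collide
            for d2, n2 in nets[i + 1:]:
                if d1 != d2 and n1.overlaps(n2):
                    problems.append(f"{name!r}: {n1} on {d1} overlaps {n2} on {d2}")
    return problems

# Constructed sample: the page's three branches, with Branch3's second overlay
# deliberately misnamed "OM" so the name-consistency check has something to report.
SAMPLE = {
    "Branch1": 'set name "QA"\nset subnet 10.1.100.0 255.255.255.0\n'
               'set name "PM"\nset subnet 10.2.100.0 255.255.255.0',
    "Branch2": 'set name "QA"\nset interface "lan1"\nset name "PM"\nset interface "lan2"',
    "Branch3": 'set name "QA"\nset subnet 172.16.101.0 255.255.255.0\n'
               'set name "OM"\nset subnet 172.16.102.0 255.255.255.0',
}

if __name__ == "__main__":
    print("\n".join(check_community(SAMPLE)) or "community is consistent")
```

Interface-bound overlays (Branch2) contribute no subnet to the overlap check, since the Cloud learns those subnets from the interface addresses.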
Looking into implementing OCVPN. Long story short we have a mix of different FGs, mostly 60D models. As far as we know these only take FortiOS up to 6.0.x with no plans to have them support 6.2.x or above. We've seen that OCVPN is now a licensed feature on FortiOS 6.2, but on 6.0 it wasn't. Do you know if we can make this work with version 6.0.x, thus skipping paying any license fees? Thanks.