Hub-spoke OCVPN with ADVPN shortcut
This topic provides a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology from the information that the members announce. To form a hub-spoke OCVPN, at least one device must announce its role as the primary hub; another device can act as the secondary hub (for redundancy), and the remaining devices function as spokes.
License
- Free license: Hub-spoke network topology not supported.
- Full license: up to 2 hubs, each with 10 overlays and 64 subnets per overlay, and up to 512 spokes, each with 10 overlays and 16 subnets per overlay.
Prerequisites
- All FortiGates are on FortiOS version 6.2.0 or later.
- All FortiGates must have Internet access.
- All FortiGates must be registered on FortiCare using the same FortiCare account.
Restrictions
- Non-root VDOMs do not support OCVPN.
- FortiOS 6.2.x is not compatible with FortiOS 6.0.x.
OCVPN device roles
- Primary hub
- Secondary hub
- Spoke (OCVPN default role)
Sample topology
Sample configuration
The steps below use the following overlays and subnets for the sample configuration:
- Primary hub:
  - Overlay name: QA. Local subnets: 172.16.101.0/24
  - Overlay name: PM. Local subnets: 172.16.102.0/24
- Secondary hub:
  - Overlays are synced from the primary hub.
- Spoke1:
  - Overlay name: QA. Local subnets: 10.1.100.0/24
  - Overlay name: PM. Local subnets: 10.2.100.0/24
- Spoke2:
  - Overlay name: QA. Local interfaces: lan1
  - Overlay name: PM. Local interfaces: lan2
Before you begin, ensure all FortiGates are registered on FortiCare.
To register FortiGates on FortiCare:
- Go to System > FortiGuard > License Information > FortiCare Support.
- Select either Register or Launch Portal to register.
- Complete the options to register FortiGate on FortiCare.
To enable hub-spoke OCVPN through the GUI:
- Configure the OCVPN primary hub:
  - Go to VPN > Overlay Controller VPN.
  - Enable Overlay Controller VPN and select Primary Hub as the role.
  - In the Overlays section, select Create New to create a network overlay.
  - Enter a name and the subnets and/or internal interfaces, then select OK.
  - Select Apply to commit the configuration.
- Configure the OCVPN secondary hub. Overlays are synced from the primary hub and cannot be defined on the secondary hub.
  - Go to VPN > Overlay Controller VPN.
  - Enable Overlay Controller VPN and select Secondary Hub as the role.
  - Select Apply to commit the configuration.
- Configure the OCVPN spokes:
  - Go to VPN > Overlay Controller VPN.
  - Enable Overlay Controller VPN and select Spoke as the role.
  - In the Overlays section, select Create New to create a network overlay.
  - Enter a name and the subnets and/or internal interfaces, then select OK. The local subnet must be routable and the interface must have an IP address assigned; otherwise an error message appears.
  - Select Apply to commit the configuration.
To enable hub-spoke OCVPN through the CLI:
- Configure the OCVPN primary hub:
  config vpn ocvpn
      set status enable
      set role primary-hub
      config overlays
          edit 1
              set name "QA"
              config subnets
                  edit 1
                      set subnet 172.16.101.0 255.255.255.0
                  next
              end
          next
          edit 2
              set name "PM"
              config subnets
                  edit 1
                      set subnet 172.16.102.0 255.255.255.0
                  next
              end
          next
      end
  end
- Configure the OCVPN secondary hub:
  config vpn ocvpn
      set status enable
      set role secondary-hub
  end
- Configure OCVPN spoke1 (spoke is the default role, so no role is set):
  config vpn ocvpn
      set status enable
      config overlays
          edit 1
              set name "QA"
              config subnets
                  edit 1
                      set subnet 10.1.100.0 255.255.255.0
                  next
              end
          next
          edit 2
              set name "PM"
              config subnets
                  edit 1
                      set subnet 10.2.100.0 255.255.255.0
                  next
              end
          next
      end
  end
- Configure OCVPN spoke2:
  config vpn ocvpn
      set status enable
      config overlays
          edit 1
              set name "QA"
              config subnets
                  edit 1
                      set subnet 192.168.4.0 255.255.255.0
                  next
              end
          next
          edit 2
              set name "PM"
              config subnets
                  edit 1
                      set subnet 192.168.5.0 255.255.255.0
                  next
              end
          next
      end
  end
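The license limits listed at the top of this topic and the per-member CLI blocks above can be checked together before anything is pasted into a FortiGate. The script below is an added example written for this page, not Fortinet code: it takes a small declarative description of the members, checks it against the full-license limits quoted in the License section, and renders each member's `config vpn ocvpn` block in the CLI form shown above. The `Member` class and the `validate` and `render` functions are names of my own; the rule that a secondary hub must not define overlays comes from the page, while the assumption that the per-overlay subnet cap counts each member's own local subnets, and the check that members of one overlay do not announce overlapping local subnets, are additions the page itself does not state. Spoke2 is described here with the subnets from its CLI block rather than the interface names from the summary.

```python
import ipaddress
from dataclasses import dataclass, field

# Full-license limits as quoted in the License section of this topic.
# Assumption: the per-overlay subnet cap counts each member's own local subnets.
MAX_HUBS, MAX_SPOKES = 2, 512
HUB_LIMITS = {"overlays": 10, "subnets_per_overlay": 64}
SPOKE_LIMITS = {"overlays": 10, "subnets_per_overlay": 16}


@dataclass
class Member:
    """One OCVPN participant (hypothetical helper type, not a FortiOS object)."""
    name: str
    role: str                                     # "primary-hub", "secondary-hub" or "spoke"
    overlays: dict = field(default_factory=dict)  # overlay name -> list of local CIDR strings


def validate(members):
    """Return a list of problems; an empty list means the topology is within limits."""
    problems = []
    hubs = [m for m in members if m.role.endswith("hub")]
    spokes = [m for m in members if m.role == "spoke"]
    if sum(1 for m in hubs if m.role == "primary-hub") != 1:
        problems.append("exactly one primary hub must announce itself")
    if len(hubs) > MAX_HUBS:
        problems.append(f"{len(hubs)} hubs exceed the limit of {MAX_HUBS}")
    if len(spokes) > MAX_SPOKES:
        problems.append(f"{len(spokes)} spokes exceed the limit of {MAX_SPOKES}")
    seen = {}  # overlay name -> [(member name, ip_network)] for the overlap check
    for m in members:
        if m.role == "secondary-hub":
            # Overlays are synced from the primary hub and cannot be defined here.
            if m.overlays:
                problems.append(f"{m.name}: overlays are synced from the primary hub and cannot be defined")
            continue
        limits = HUB_LIMITS if m.role == "primary-hub" else SPOKE_LIMITS
        if len(m.overlays) > limits["overlays"]:
            problems.append(f"{m.name}: {len(m.overlays)} overlays exceed the limit of {limits['overlays']}")
        for ov, subnets in m.overlays.items():
            if len(subnets) > limits["subnets_per_overlay"]:
                problems.append(f"{m.name}/{ov}: {len(subnets)} subnets exceed the limit of "
                                f"{limits['subnets_per_overlay']}")
            for s in subnets:
                net = ipaddress.ip_network(s, strict=True)  # rejects host bits set in a prefix
                # Assumption (not stated on the page): two members of the same overlay must not
                # announce overlapping local subnets, or their routes over the overlay collide.
                for other_name, other in seen.get(ov, []):
                    if net.overlaps(other):
                        problems.append(f"overlay {ov}: {m.name} {net} overlaps {other_name} {other}")
                seen.setdefault(ov, []).append((m.name, net))
    return problems


def render(member):
    """Render one member's 'config vpn ocvpn' block in the CLI form used on this page.
    Spokes omit 'set role' because spoke is the OCVPN default role."""
    lines = ["config vpn ocvpn", "    set status enable"]
    if member.role != "spoke":
        lines.append(f"    set role {member.role}")
    if member.overlays:
        lines.append("    config overlays")
        for i, (ov, subnets) in enumerate(member.overlays.items(), start=1):
            lines += [f"        edit {i}", f'            set name "{ov}"', "            config subnets"]
            for j, s in enumerate(subnets, start=1):
                net = ipaddress.ip_network(s)
                lines += [f"                edit {j}",
                          f"                    set subnet {net.network_address} {net.netmask}",
                          "                next"]
            lines += ["            end", "        next"]
        lines.append("    end")
    lines.append("end")
    return "\n".join(lines)


# The sample topology from this topic (constructed from its CLI section).
SAMPLE = [
    Member("primary-hub", "primary-hub", {"QA": ["172.16.101.0/24"], "PM": ["172.16.102.0/24"]}),
    Member("secondary-hub", "secondary-hub"),
    Member("spoke1", "spoke", {"QA": ["10.1.100.0/24"], "PM": ["10.2.100.0/24"]}),
    Member("spoke2", "spoke", {"QA": ["192.168.4.0/24"], "PM": ["192.168.5.0/24"]}),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("problem:", problem)
    for member in SAMPLE:
        print(f"# {member.name}\n{render(member)}\n")
```

Running the script prints the four CLI blocks from this topic in order; `validate` returns an empty list for the sample, and reports a problem if, for example, a secondary hub is given overlays of its own or two spokes in the QA overlay announce overlapping subnets.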
Which one is better, OCVPN or ADVPN?
I like ADVPN because it does not require any additional licensing for various sizes.
Does OCVPN support SD-WAN?