Hub-and-Spoke Support
This version extends OCVPN to support hub-and-spoke topology in addition to full mesh support.
This feature includes support for the following:
- OCVPN portal with FortiCare SSO.
- Enforce limits for OCVPN free service.
- Define multiple overlay network using OCVPN hub-and-spoke.
- ADVPN for hub-and-spoke. The ADVPN shortcut is enabled by default.
Sample topology
OCVPN portal with FortiCare SSO
The OCVPN portal can display customer and portal information including:
- The customer OCVPN license type: free or full.
- Registered device information including:
- Device serial number.
- OCVPN role.
- Hostname.
- WAN IP address.
- Configured overlays.
You can display the OCVPN network topology in a diagram.
You can unregister OCVPN devices on the portal.
OCVPN free license limit
The current OCVPN free license limit is three devices and full mesh only.
There is currently no limit to the free licenses on the OCVPN cloud side.
Warning messages appear when the free license limit is reached. For example:
"Primary-Hub role is not supported with OCVPN free license. Please upgrade to full OCVPN license to use hub and spoke topology. object check operator error, -9999, discard the setting Command fail. Return code -9999" "OCVPN free license limit (3) has been reached. Please upgrade to full OCVPN license to register additional devices. object check operator error, -9999, discard the setting Command fail. Return code -9999"
To check the OCVPN license type, see Diagnostic commands.
OCVPN hub-and-spoke with multiple overlays with ADVPN shortcut
To configure the Spoke in the GUI:
- Go to VPN > Overlay Controller VPN and create or edit an overlay.
- For Role, select Spoke.
To configure Spoke1 OCVPN in the CLI:
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 10.1.100.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 10.2.100.0 255.255.255.0
next
end
next
end
end
To configure Spoke2 OCVPN in the CLI:
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 192.168.4.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 192.168.5.0 255.255.255.0
next
end
next
end
end
To configure the Primary Hub in the GUI:
- Go to VPN > Overlay Controller VPN and create or edit an overlay.
- For Role, select Primary Hub.
To configure the Primary Hub in the CLI:
config vpn ocvpn
set status enable
set role primary-hub
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 172.16.101.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 172.16.102.0 255.255.255.0
next
end
next
end
end
To configure the Secondary Hub in the GUI:
- Go to VPN > Overlay Controller VPN and create or edit an overlay.
- For Role, select Secondary Hub.
To configure the Secondary Hub in the CLI:
config vpn ocvpn
set status enable
set role secondary-hub
end
Diagnostic commands
To check the OCVPN license type:
# diagnose vpn ocvpn show-meta Topology :: auto License :: full Members :: 4 Max-free :: 3
To check the OCVPN status:
# diagnose vpn ocvpn status Current State : Registered Topology : Dual-Hub-Spoke Role : Spoke Server Status : Up Registration time : Mon Mar 11 16:42:31 2019 Poll time : Mon Mar 11 16:55:53 2019 # diagnose vpn ocvpn status Current State : Registered Topology : Dual-Hub-Spoke Role : Primary-Hub Server Status : Up Registration time : Mon Mar 11 16:42:25 2019 Update time : Mon Mar 11 15:10:28 2019 Poll time : Mon Mar 11 16:55:35 2019