Full mesh OCVPN
This example shows how to configure a full mesh Overlay Controller VPN (OCVPN), establishing full mesh IPsec tunnels between all of the FortiGates.
License
- Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay.
- Full License: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.
Prerequisites
- All FortiGates must be running FortiOS 6.2.0 or later.
- All FortiGates must have Internet access.
- All FortiGates must be registered on FortiCare using the same FortiCare account.
Restrictions
- Non-root VDOMs do not support OCVPN.
- FortiOS 6.2.x is not compatible with FortiOS 6.0.x.
Terminology
Poll-interval |
How often FortiGate tries to fetch OCVPN-related data from OCVPN Cloud. |
Role |
The device OCVPN role of spoke, primary-hub, or secondary-hub. |
Overlay |
Defines network overlays and bind to subnets. |
Subnet |
Internal network subnet (IPsec protected subnet). Traffic to or from this subnet enters the IPsec tunnel encrypted by IPsec SA. |
Sample topology
The following example shows three FortiGate units registered on FortiCare using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between the units.
Sample configuration
The following overlays and subnets are used:
- Branch1:
- Overlay name: QA. Local subnets: 10.1.100.0/24
- Overlay name: PM. Local subnets: 10.2.100.0/24
- Branch2:
- Overlay name: QA. Local interfaces: lan1
- Overlay name: PM. Local interfaces: lan2
- Branch3:
- Overlay name: QA. Local subnets: 172.16.101.0/24
- Overlay name: PM. Local subnets: 172.16.102.0/24
The overlay names on each device must be the same for local and remote selector pairs to be negotiated. |
To register FortiGates on FortiCare:
- Go to System > FortiGuard > License Information > FortiCare Support.
- To register, click Register or Launch Portal.
- Complete the options to register FortiGate on FortiCare.
To enable OCVPN using the GUI:
- Go to VPN > Overlay Controller VPN.
- Create the first overlay by setting the following options:
- For Status, click Enabled.
- For Role, click Spoke.
- In the Overlays section, click Create New to create a network overlay.
- Specify the Name, Local subnets, and/or Local interfaces.
The local subnet must be routable and interfaces must have IP addresses.
- Click OK.
- Click Apply to commit the configuration.
- Repeat this procedure to create all the overlays.
To enable OCVPN using the CLI:
- Configure Branch1:
config vpn ocvpn set status enable config overlays edit 1 set name "QA" config subnets edit 1 set subnet 10.1.100.0 255.255.255.0 next end next edit 2 set name "PM" config subnets edit 1 set subnet 10.2.100.0 255.255.255.0 next end next end end
- Configure Branch2:
config vpn ocvpn set status enable config overlays edit 1 set name "QA" config subnets edit 1 set type interface set interface "lan1" next end next edit 2 set name "PM" config subnets edit 1 set type interface set interface "lan2" next end next end end
- Configure Branch3:
config vpn ocvpn set status enable config overlays edit 1 set name "QA" config subnets edit 1 set subnet 172.16.101.0 255.255.255.0 next end next edit 1 set name "PM" config subnets edit 1 set subnet 172.16.102.0 255.255.255.0 next end next end end