Fortinet black logo

Cookbook

Hub-spoke OCVPN with inter-overlay source NAT

Copy Link
Copy Doc ID 3c219ad1-1ba7-11ea-9384-00505692583a:470075
Download PDF

Hub-spoke OCVPN with inter-overlay source NAT

This topic shows a sample configuration of hub-spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic between overlays by default. With NAT enabled on spokes and assign-ip enabled on hub, you can have inter-overlay communication.

Inter-overlay communication means devices from any source addresses and any source interfaces can communicate with any devices in overlays' subnets when the overlay option assign-ip is enabled.

You must first disable auto-discovery before you can enable NAT.

License

  • Free license: Hub-spoke network topology not supported.
  • Full License: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary hub.
  • Secondary hub.
  • Spoke (OCVPN default role).

Sample topology

Sample configuration

You can only configure this feature using the CLI.

To enable inter-overlay source NAT using the CLI:
  1. Configure the primary hub, enable overlay QA, and configure assign-ip and IP range:
    config vpn ocvpn
        set status enable
        set role primary-hub
        config overlays
            edit 1
                set name "QA"
                set assign-ip enable
                set ipv4-start-ip 172.16.101.100
                set ipv4-end-ip 172.16.101.200
                config subnets
                    edit 1
                        set subnet 172.16.101.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                set assign-ip enable
                config subnets
                    edit 1
                        set subnet 172.16.102.0 255.255.255.0
                    next
                end
            next
        end
    end
  2. Configure the secondary hub:
    config vpn ocvpn
        set status enable
        set role secondary-hub
    end
  3. Configure spoke1 and enable NAT on the spoke:
    config vpn ocvpn
        set status enable
        set auto-discovery disable
        set nat enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 10.1.100.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 10.2.100.0 255.255.255.0
                    next
                end
            next
        end
    end
  4. Configure spoke2 and enable NAT on the spoke:
    config vpn ocvpn
        set status enable
        set auto-discovery disable
        set nat enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 192.168.4.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 192.168.5.0 255.255.255.0
                    next
                end
            next
        end
    end
    

    A firewall policy with NAT is generated on the spoke:

    edit 9
       set name "_OCVPN2-1.1_nat"
       set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
       set srcintf "any"
       set dstintf "_OCVPN2-1.1"
       set srcaddr "all"
       set dstaddr "_OCVPN2-1.1_remote_networks"
       set action accept
       set schedule "always"
       set service "ALL"
       set comments "Generated by OCVPN Cloud Service."
       set nat enable
    next

Hub-spoke OCVPN with inter-overlay source NAT

This topic shows a sample configuration of hub-spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic between overlays by default. With NAT enabled on spokes and assign-ip enabled on hub, you can have inter-overlay communication.

Inter-overlay communication means devices from any source addresses and any source interfaces can communicate with any devices in overlays' subnets when the overlay option assign-ip is enabled.

You must first disable auto-discovery before you can enable NAT.

License

  • Free license: Hub-spoke network topology not supported.
  • Full License: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary hub.
  • Secondary hub.
  • Spoke (OCVPN default role).

Sample topology

Sample configuration

You can only configure this feature using the CLI.

To enable inter-overlay source NAT using the CLI:
  1. Configure the primary hub, enable overlay QA, and configure assign-ip and IP range:
    config vpn ocvpn
        set status enable
        set role primary-hub
        config overlays
            edit 1
                set name "QA"
                set assign-ip enable
                set ipv4-start-ip 172.16.101.100
                set ipv4-end-ip 172.16.101.200
                config subnets
                    edit 1
                        set subnet 172.16.101.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                set assign-ip enable
                config subnets
                    edit 1
                        set subnet 172.16.102.0 255.255.255.0
                    next
                end
            next
        end
    end
  2. Configure the secondary hub:
    config vpn ocvpn
        set status enable
        set role secondary-hub
    end
  3. Configure spoke1 and enable NAT on the spoke:
    config vpn ocvpn
        set status enable
        set auto-discovery disable
        set nat enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 10.1.100.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 10.2.100.0 255.255.255.0
                    next
                end
            next
        end
    end
  4. Configure spoke2 and enable NAT on the spoke:
    config vpn ocvpn
        set status enable
        set auto-discovery disable
        set nat enable
        config overlays
            edit 1
                set name "QA"
                config subnets
                    edit 1
                        set subnet 192.168.4.0 255.255.255.0
                    next
                end
            next
            edit 2
                set name "PM"
                config subnets
                    edit 1
                        set subnet 192.168.5.0 255.255.255.0
                    next
                end
            next
        end
    end
    

    A firewall policy with NAT is generated on the spoke:

    edit 9
       set name "_OCVPN2-1.1_nat"
       set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
       set srcintf "any"
       set dstintf "_OCVPN2-1.1"
       set srcaddr "all"
       set dstaddr "_OCVPN2-1.1_remote_networks"
       set action accept
       set schedule "always"
       set service "ALL"
       set comments "Generated by OCVPN Cloud Service."
       set nat enable
    next