Hub-spoke OCVPN with ADVPN shortcut
This topic shows a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology based on members' information. To form a hub-spoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary hub (for redundancy), while others function as spokes.
License
- Free license: Hub-spoke network topology not supported.
- Full license: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 1024 spokes, 10 overlays, 16 subnets per overlay.
Prerequisites
- All FortiGates must be running FortiOS 6.2.0 or later.
- All FortiGates must have Internet access.
- All FortiGates must be registered on FortiCare using the same FortiCare account.
Restrictions
- Non-root VDOMs do not support OCVPN.
- FortiOS 6.2.x is not compatible with FortiOS 6.0.x.
OCVPN device roles
- Primary hub.
- Secondary hub.
- Spoke (OCVPN default role).
Sample topology
Sample configuration
The steps below use the following overlays and subnets for the sample configuration:
- Primary hub:
- Overlay name: QA. Local subnets: 172.16.101.0/24
- Overlay name: PM. Local subnets: 172.16.102.0/24
- Secondary hub:
- Overlays are synced from primary hub.
- Spoke1:
- Overlay name: QA. Local subnets: 10.1.100.0/24
- Overlay name: PM. Local subnets: 10.2.100.0/24
- Spoke2:
- Overlay name: QA. Local interfaces: lan1
- Overlay name: PM. Local interfaces: lan2
The overlay names on each device must be the same for local and remote selector pairs to be negotiated. |
To register FortiGates on FortiCare:
- Go to System > FortiGuard > License Information > FortiCare Support.
- To register, click Register or Launch Portal.
- Complete the options to register FortiGate on FortiCare.
To enable hub-spoke OCVPN in the GUI:
- Go to VPN > Overlay Controller VPN.
- Configure the OCVPN primary hub by setting the following options:
- For Status, click Enabled.
- For Role, click Primary Hub.
- In the Overlays section, click Create New to create a network overlay.
- Specify the Name, Local subnets, and/or Local interfaces. Then click OK.
- Click Apply to commit the configuration.
- Configure the OCVPN secondary hub:
Overlays are synced from the primary hub and cannot be defined in the secondary hub.
- In the Overlay Controller VPN pane, select Secondary Hub for the Role.
- Select Apply to commit the configuration.
- Configure the OCVPN spokes:
- In the Overlay Controller VPN pane, select Spoke for the Role.
- In the Overlays section, click Create New to create a network overlay.
- Specify the Name, Local subnets, and/or Local interfaces.
The local subnet must be routable and interfaces must have IP addresses. - Click OK and then click Apply to commit the configuration.
To enable hub-spoke OCVPN in the CLI:
- Configure the OCVPN primary hub:
config vpn ocvpn set status enable set role primary-hub config overlays edit 1 set name "QA" config subnets edit 1 set subnet 172.16.101.0 255.255.255.0 next end next edit 2 set name "PM" config subnets edit 1 set subnet 172.16.102.0 255.255.255.0 next end next end end
- Configure the OCVPN secondary hub:
config vpn ocvpn set status enable set role secondary-hub end
- Configure the OCVPN spoke1:
config vpn ocvpn set status enable config overlays edit 1 set name "QA" config subnets edit 1 set subnet 10.1.100.0 255.255.255.0 next end next edit 2 set name "PM" config subnets edit 1 set subnet 10.2.100.0 255.255.255.0 next end next end end
- Configure the OCVPN spoke2:
config vpn ocvpn set status enable config overlays edit 1 set name "QA" config subnets edit 1 set subnet 192.168.4.0 255.255.255.0 next end next edit 2 set name "PM" config subnets edit 1 set subnet 192.168.5.0 255.255.255.0 next end next end end