CLI Reference

config vpn ocvpn

Configure Overlay Controller VPN settings.

config vpn ocvpn
    Description: Configure Overlay Controller VPN settings.
    set auto-discovery [enable|disable]
    set auto-discovery-shortcut-mode [independent|dependent]
    set eap [enable|disable]
    set eap-users {string}
    config forticlient-access
        Description: Configure FortiClient settings.
        config auth-groups
            Description: FortiClient user authentication groups.
            edit <name>
                set auth-group {string}
                set overlays <overlay-name1>, <overlay-name2>, ...
            next
        end
        set psksecret {password-3}
        set status [enable|disable]
    end
    set ip-allocation-block {ipv4-classnet-any}
    set multipath [enable|disable]
    set nat [enable|disable]
    config overlays
        Description: Network overlays to register with Overlay Controller VPN service.
        edit <overlay-name>
            set inter-overlay [allow|deny]
            config subnets
                Description: Internal subnets to register with OCVPN service.
                edit <id>
                    set interface {string}
                    set subnet {ipv4-classnet-any}
                    set type [subnet|interface]
                next
            end
        next
    end
    set poll-interval {integer}
    set role [spoke|primary-hub|...]
    set sdwan [enable|disable]
    set sdwan-zone {string}
    set status [enable|disable]
    set wan-interface <name1>, <name2>, ...
end

config vpn ocvpn

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| auto-discovery | Enable/disable auto-discovery shortcuts. Options: enable = Enable ADVPN auto-discovery shortcuts; disable = Disable ADVPN auto-discovery shortcuts. | option | - | enable |
| auto-discovery-shortcut-mode | Control deletion of child short-cut tunnels when the parent tunnel goes down. Options: independent = Short-cut tunnels remain up if the parent tunnel goes down; dependent = Short-cut tunnels are brought down if the parent tunnel goes down. | option | - | independent |
| eap | Enable/disable EAP client authentication. Options: enable = Enable EAP client authentication; disable = Disable EAP client authentication. | option | - | disable |
| eap-users | EAP authentication user group. | string | Maximum length: 35 | |
| ip-allocation-block | Class B subnet reserved for private IP address assignment. | ipv4-classnet-any | Not Specified | 10.254.0.0 255.255.0.0 |
| multipath | Enable/disable multipath redundancy. Options: enable = Enable multipath redundancy; disable = Disable multipath redundancy. | option | - | enable |
| nat | Enable/disable NAT support. Options: enable = Enable NAT support; disable = Disable NAT support. | option | - | enable |
| poll-interval | Overlay Controller VPN polling interval. | integer | Minimum value: 30 Maximum value: 120 | 30 |
| role | Set device role. Options: spoke = Register device as static spoke; primary-hub = Register device as primary hub; secondary-hub = Register device as secondary hub. | option | - | spoke |
| sdwan | Enable/disable adding OCVPN tunnels to SD-WAN. Options: enable = Enable adding OCVPN tunnels to SD-WAN; disable = Disable adding OCVPN tunnels to SD-WAN. | option | - | disable |
| sdwan-zone | Set SD-WAN zone. | string | Maximum length: 35 | virtual-wan-link |
| status | Enable/disable Overlay Controller cloud assisted VPN. Options: enable = Enable Overlay Controller VPN; disable = Disable Overlay Controller VPN. | option | - | disable |
| wan-interface <name> | FortiGate WAN interfaces to use with OCVPN. Interface name. | string | Maximum length: 79 | |

config forticlient-access

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| psksecret | Pre-shared secret for FortiClient PSK authentication (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified | |
| status | Enable/disable FortiClient to access OCVPN networks. Options: enable = Enable FortiClient access to OCVPN overlays; disable = Disable FortiClient access to OCVPN overlays. | option | - | disable |

config auth-groups

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| auth-group | Authentication user group for FortiClient access. | string | Maximum length: 35 | |
| name | Group name. | string | Maximum length: 35 | |
| overlays <overlay-name> | OCVPN overlays to allow access to. Overlay name. | string | Maximum length: 79 | |

config overlays

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| inter-overlay | Allow or deny traffic from other overlays. Options: allow = Allow traffic from other overlays; deny = Deny traffic from other overlays. | option | - | deny |
| overlay-name | Overlay name. | string | Maximum length: 63 | |

config subnets

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| interface | LAN interface. | string | Maximum length: 15 | |
| subnet | IPv4 address and subnet mask. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| type | Subnet type. Options: subnet = Configure participating subnet IP and mask; interface = Configure participating LAN interface. | option | - | subnet |
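
An added example, not part of the Fortinet reference: a Python check that walks a saved config vpn ocvpn block and flags values outside the option lists, length limits and poll-interval range given in the tables on this page. The function name lint_ocvpn and the sample configuration are constructed for illustration.

```python
import shlex

# Limits copied from the parameter tables on this page.
ONOFF = {"enable", "disable"}
OPTIONS = {"auto-discovery": ONOFF, "eap": ONOFF, "multipath": ONOFF,
           "nat": ONOFF, "sdwan": ONOFF, "status": ONOFF,
           "auto-discovery-shortcut-mode": {"independent", "dependent"},
           "role": {"spoke", "primary-hub", "secondary-hub"},
           "inter-overlay": {"allow", "deny"}, "type": {"subnet", "interface"}}
MAX_LEN = {"eap-users": 35, "sdwan-zone": 35, "auth-group": 35,
           "interface": 15, "wan-interface": 79, "overlays": 79}
EDIT_MAX = {"overlays": 63, "auth-groups": 35}  # entry-name limits per table

def lint_ocvpn(text):
    """Return (line_number, message) findings for a 'config vpn ocvpn' block."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        cmd, *args = shlex.split(raw) or [""]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "edit" and args:
            # The enclosing table decides the limit on the entry name.
            limit = EDIT_MAX.get(stack[-1] if stack else "")
            if limit and len(args[0]) > limit:
                findings.append((no, f"entry name longer than {limit}"))
            stack.append(args[0])
        elif cmd in ("next", "end") and stack:
            stack.pop()
        elif cmd == "set" and args:
            key, vals = args[0], [x.rstrip(",") for x in args[1:]]
            v = vals[0] if vals else ""
            if key in OPTIONS and (len(vals) != 1 or v not in OPTIONS[key]):
                findings.append((no, f"{key}: not a documented option"))
            elif key in MAX_LEN and any(len(x) > MAX_LEN[key] for x in vals):
                findings.append((no, f"{key}: longer than {MAX_LEN[key]}"))
            elif key == "poll-interval" and not (v.isdigit() and 30 <= int(v) <= 120):
                findings.append((no, "poll-interval: outside 30-120"))
    if stack:  # a config/edit block was never closed
        findings.append((0, f"unterminated block: {stack[-1]}"))
    return findings

# Constructed sample: lines 2 and 3 break the documented limits.
SAMPLE = """config vpn ocvpn
    set role hub
    set poll-interval 15
    config overlays
        edit "branch-lan"
            set inter-overlay deny
        next
    end
end"""
```

Findings are keyed by line number in the input text; an unterminated block is reported with line number 0.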
