Technical Tip: How to create Full mesh OCVPN
Description
This article describes how to set up a full mesh OCVPN in an environment where some FortiGate units run FortiOS 6.2 and others run FortiOS 6.4, so that connectivity and encryption between all units are established consistently.
Scope
- Free license: Three units full mesh, 10 overlays, 16 subnets per overlay.
- Full License: Maximum of 16 units, 10 overlays, 16 subnets per overlay.
- The overlay names on each unit must be the same for local and remote selector pairs to be negotiated.
- Once the OCVPN is configured, the associated IPsec VPN tunnel, Phase1 and Phase2 interfaces, IPv4 firewall policies and static routes are automatically created.
Overview:
As network environments evolve and grow, administrators commonly encounter scenarios where different devices run different firmware versions.
One such situation is when the FortiGates within a topology run both FortiOS 6.2 and FortiOS 6.4.
This can arise during a phased upgrade, or when integrating new and legacy equipment.
A key FortiOS feature here is the Overlay Controller VPN (OCVPN), which provides a simplified way to establish a full mesh VPN between FortiGate devices. However, configuring OCVPN across this mixed-version topology presents its own challenges, because the overlay CLI syntax differs between the two versions while the overlay names must still match on every unit.
Solution
Topology.
The following topology shows three FortiGate units registered on FortiCare using the same FortiCare account.
Each FortiGate unit has one internal subnet, and no NAT exists between the units.

To enable OCVPN using the CLI:
Configure KL FortiGate (FortiOS 6.2 syntax: the overlay table is keyed by the overlay name).
config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
        edit "1"
            config subnets
                edit 1
                    set subnet 10.81.0.0 255.255.252.0
                next
            end
        next
    end
end
Configure the second FortiGate (FortiOS 6.4 syntax: the overlay table is keyed by an ID, and the overlay name is given with 'set name'; it must match the name used on the 6.2 unit).
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "1"
            config subnets
                edit 1
                    set subnet 10.91.0.0 255.255.240.0
                next
            end
        next
    end
end
Configure the third FortiGate (FortiOS 6.4 syntax).
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "1"
            config subnets
                edit 1
                    set subnet 10.92.0.0 255.255.240.0
                next
            end
        next
    end
end
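The three configurations above differ only in the overlay syntax of the two firmware versions and in the subnet each unit advertises. The following Python script is an added example (not part of the Fortinet article) that renders the per-unit CLI from one description of the mesh and checks the constraints listed under Scope: the license unit limit, the overlay and subnet limits, and the requirement that every unit carries the same overlay names. The hostnames "second" and "third" are assumptions; the article names only the KL unit.

```python
"""Render per-unit FortiOS OCVPN CLI for a full mesh and check the Scope limits.

Added example, not Fortinet code. Limits come from the article's Scope section:
3 units on a free license, 16 on a full license, 10 overlays, 16 subnets per overlay.
"""
from dataclasses import dataclass, field
from typing import Dict, List

FREE_MAX_UNITS = 3
FULL_MAX_UNITS = 16
MAX_OVERLAYS = 10
MAX_SUBNETS_PER_OVERLAY = 16


@dataclass
class Unit:
    hostname: str                      # label only, not part of the OCVPN config
    fortios: str                       # "6.2" or "6.4"
    overlays: Dict[str, List[str]] = field(default_factory=dict)  # name -> ["ip mask", ...]
    multipath_disable: bool = False    # emit 'set multipath disable' when True


def render_ocvpn(unit: Unit) -> str:
    """Emit the 'config vpn ocvpn' block for one unit.

    FortiOS 6.2 keys the overlay table by name (edit "1"); FortiOS 6.4 keys it by
    an integer ID and carries the name in 'set name'. Both yield the same overlay
    name, which is what peers match on when negotiating selectors."""
    lines = ["config vpn ocvpn", "    set status enable"]
    if unit.multipath_disable:
        lines.append("    set multipath disable")
    lines.append("    config overlays")
    for idx, (name, subnets) in enumerate(unit.overlays.items(), start=1):
        if unit.fortios == "6.2":
            lines.append(f'        edit "{name}"')
        elif unit.fortios == "6.4":
            lines.append(f"        edit {idx}")
            lines.append(f'            set name "{name}"')
        else:
            raise ValueError(f"unsupported FortiOS version {unit.fortios}")
        lines.append("            config subnets")
        for sidx, subnet in enumerate(subnets, start=1):
            lines.append(f"                edit {sidx}")
            lines.append(f"                    set subnet {subnet}")
            lines.append("                next")
        lines.append("            end")
        lines.append("        next")
    lines.extend(["    end", "end"])
    return "\n".join(lines)


def check_mesh(units: List[Unit], full_license: bool) -> List[str]:
    """Return the list of Scope violations; an empty list means the mesh is within limits."""
    problems = []
    limit = FULL_MAX_UNITS if full_license else FREE_MAX_UNITS
    if len(units) > limit:
        problems.append(f"{len(units)} units exceeds the license limit of {limit}")
    # Selector pairs are only negotiated when overlay names are identical on every unit.
    name_sets = {frozenset(u.overlays) for u in units}
    if len(name_sets) > 1:
        problems.append("overlay names differ between units: "
                        + "; ".join(sorted(",".join(sorted(s)) for s in name_sets)))
    for u in units:
        if len(u.overlays) > MAX_OVERLAYS:
            problems.append(f"{u.hostname}: {len(u.overlays)} overlays exceeds {MAX_OVERLAYS}")
        for name, subnets in u.overlays.items():
            if len(subnets) > MAX_SUBNETS_PER_OVERLAY:
                problems.append(f"{u.hostname}: overlay {name} has {len(subnets)} subnets, "
                                f"limit is {MAX_SUBNETS_PER_OVERLAY}")
    return problems


# Constructed mesh mirroring the article: KL on 6.2, two peers on 6.4 (peer names assumed).
MESH = [
    Unit("KL", "6.2", {"1": ["10.81.0.0 255.255.252.0"]}, multipath_disable=True),
    Unit("second", "6.4", {"1": ["10.91.0.0 255.255.240.0"]}),
    Unit("third", "6.4", {"1": ["10.92.0.0 255.255.240.0"]}),
]

if __name__ == "__main__":
    for u in MESH:
        print(f"# {u.hostname} (FortiOS {u.fortios})")
        print(render_ocvpn(u), end="\n\n")
    print("problems:", check_mesh(MESH, full_license=False) or "none")
```

Running the script prints the three blocks shown above and reports no problems; renaming the overlay on one 6.4 unit, or adding a fourth unit on the free license, produces a finding before anything is pushed to a device.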
KL FortiGate – verification from GUI.