FortiGate
jvaishnav
Staff
Article Id 196819
Description
This article describes how to configure a full mesh Overlay Controller VPN (OCVPN), establishing full mesh IPsec tunnels between all of the FortiGates.

Scope
For version 6.2.4.

Solution
License.

1) Free license: three units in full mesh, 10 overlays, 16 subnets per overlay.
2) Full license: maximum of 16 units, 10 overlays, 16 subnets per overlay.

Prerequisites.

1) All FortiGates have to run with FortiOS 6.2.0 or later.
2) All FortiGates need Internet access.
3) All FortiGates have to be registered on FortiCare using the same FortiCare account.

Restrictions.

1) Non-root VDOMs do not support OCVPN.
2) FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology.

Poll-interval: how often the FortiGate tries to fetch OCVPN-related data from the OCVPN Cloud.
Role: the unit's OCVPN role of spoke, primary-hub, or secondary-hub.
Overlay: defines a network overlay and binds it to local subnets or interfaces.

Sample topology.

The following example shows three FortiGate units registered on FortiCare using the same FortiCare account.
Each FortiGate unit has one internal subnet, and no NAT exists between the units.

Sample configuration.

The following overlays and subnets are used:

Branch1.

1) Overlay name: QA. Local subnets: 10.1.100.0/24
2) Overlay name: PM. Local subnets: 10.2.100.0/24

Branch2.

1) Overlay name: QA. Local interfaces: lan1
2) Overlay name: PM. Local interfaces: lan2

Branch3.

1) Overlay name: QA. Local subnets: 172.16.101.0/24
2) Overlay name: PM. Local subnets: 172.16.102.0/24

Note: The overlay names have to be the same on each unit; otherwise the local and remote selector pairs cannot be negotiated.

To register FortiGates on FortiCare:

- Go to System -> FortiGuard -> License Information -> FortiCare Support.
- To register, select 'Register or Launch Portal'.
- Complete the options to register FortiGate on FortiCare.

To enable OCVPN from the GUI.

- Go to VPN -> Overlay Controller VPN.
- Create the first overlay by setting the following options:

  • For Status, click Enabled.
  • For Role, click Spoke.
  • In the Overlays section, click Create New to create a network overlay.

- Specify the Name, Local subnets, and/or Local interfaces. The local subnet has to be routable and the interfaces need IP addresses.
- Select 'OK'.

- Select 'Apply' to commit the configuration.
- Repeat this procedure to create all the overlays.

To enable OCVPN from the CLI.

Configure Branch1.

# config vpn ocvpn
    set status enable
    # config overlays
        edit 1
            set name "QA"
            # config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            # config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end

Configure Branch2.

# config vpn ocvpn
    set status enable
    # config overlays
        edit 1
            set name "QA"
            # config subnets
                edit 1
                    set type interface
                    set interface "lan1"
                next
            end
        next
        edit 2
            set name "PM"
            # config subnets
                edit 1
                    set type interface
                    set interface "lan2"
                next
            end
        next
    end
end

Configure Branch3.

# config vpn ocvpn
    set status enable
    # config overlays
        edit 1
            set name "QA"
            # config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            # config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end
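The license limits, the "overlay names must match on every unit" rule and the three per-branch CLI blocks above all describe one design, and the easiest way to keep them consistent is to keep the design in one place and derive the per-unit CLI from it. The following is an added example, not Fortinet's code and not part of the article: it holds the article's sample topology in a single structure, checks it against the stated license limits and naming rule, flags overlapping subnets inside an overlay, and renders each branch's 'config vpn ocvpn' block in the article's CLI form. Reading "16 subnets per overlay" as a per-unit limit is an assumption.

```python
"""Consistency check and CLI renderer for a full-mesh OCVPN design.

Added example, not Fortinet's code. It encodes the rules the article states
(license limits, identical overlay names on every unit) and renders the
'config vpn ocvpn' block for each branch from one data structure, so the
per-branch configs cannot drift apart. BRANCHES is the article's sample
topology; the per-unit reading of "16 subnets per overlay" is an assumption.
"""
from ipaddress import ip_network

# License limits as stated in the article.
LICENSE_LIMITS = {
    "free": {"units": 3, "overlays": 10, "subnets_per_overlay": 16},
    "full": {"units": 16, "overlays": 10, "subnets_per_overlay": 16},
}

# Article sample topology. A member is ("subnet", "a.b.c.d/n") or
# ("interface", "name"), mirroring 'set subnet' / 'set type interface'.
BRANCHES = {
    "Branch1": {"QA": [("subnet", "10.1.100.0/24")],
                "PM": [("subnet", "10.2.100.0/24")]},
    "Branch2": {"QA": [("interface", "lan1")],
                "PM": [("interface", "lan2")]},
    "Branch3": {"QA": [("subnet", "172.16.101.0/24")],
                "PM": [("subnet", "172.16.102.0/24")]},
}


def validate(branches, license_type="free"):
    """Return a list of problems; an empty list means the design is consistent."""
    limits = LICENSE_LIMITS[license_type]
    problems = []
    if len(branches) > limits["units"]:
        problems.append(f"{len(branches)} units exceed the {license_type} "
                        f"license limit of {limits['units']}")
    # Overlay names must be identical on every unit, or the selector pairs
    # will never be negotiated (article note).
    reference = set(next(iter(branches.values())))
    for unit, overlays in branches.items():
        if set(overlays) != reference:
            problems.append(f"{unit}: overlay names {sorted(overlays)} differ "
                            f"from {sorted(reference)}")
        if len(overlays) > limits["overlays"]:
            problems.append(f"{unit}: {len(overlays)} overlays exceed "
                            f"limit of {limits['overlays']}")
        for name, members in overlays.items():
            if len(members) > limits["subnets_per_overlay"]:
                problems.append(f"{unit}/{name}: {len(members)} subnets exceed "
                                f"limit of {limits['subnets_per_overlay']}")
    # Within one overlay, subnets advertised by different units must not
    # overlap, otherwise the mesh ends up with ambiguous routes.
    for name in reference:
        nets = [(unit, ip_network(value))
                for unit, overlays in branches.items()
                for kind, value in overlays.get(name, [])
                if kind == "subnet"]
        for i, (u1, n1) in enumerate(nets):
            for u2, n2 in nets[i + 1:]:
                if n1.overlaps(n2):
                    problems.append(f"overlay {name}: {u1} {n1} overlaps {u2} {n2}")
    return problems


def render_cli(overlays):
    """Render one unit's 'config vpn ocvpn' block in the article's CLI form."""
    lines = ["config vpn ocvpn", "    set status enable", "    config overlays"]
    for idx, (name, members) in enumerate(overlays.items(), start=1):
        lines += [f"        edit {idx}", f'            set name "{name}"',
                  "            config subnets"]
        for sidx, (kind, value) in enumerate(members, start=1):
            lines.append(f"                edit {sidx}")
            if kind == "subnet":
                net = ip_network(value)
                lines.append(f"                    set subnet "
                             f"{net.network_address} {net.netmask}")
            else:
                lines.append("                    set type interface")
                lines.append(f'                    set interface "{value}"')
            lines.append("                next")
        lines += ["            end", "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in validate(BRANCHES) or ["design is consistent"]:
        print(problem)
    for unit, overlays in BRANCHES.items():
        print(f"\nConfigure {unit}.\n{render_cli(overlays)}")
```

Run it before touching the units: an empty problem list means the overlay names line up on all three branches and no subnet is advertised twice, and the rendered blocks can be pasted into each unit's CLI in place of hand-typed copies.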
