Full mesh OCVPN

This topic provides an example configuration of full mesh Overlay Controller VPN (OCVPN).

OCVPN is a cloud-based solution that simplifies IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1-interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is defined as all FortiGates registered to FortiCare using the same FortiCare account.

If the network topology changes on any FortiGates in the community (such as changing a public IP address in DHCP mode, adding or removing protected subnets, failing over in dual WAN), the IPsec-related configuration for all devices is updated with Cloud assistance in self-learning mode. No intervention is required.

Full mesh IPsec tunnels are established between all FortiGates.

License

  • Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay.
  • Full license: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS version 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x OCVPN is not compatible with FortiOS 6.0.x.

Terminology

  • Poll-interval: How often the FortiGate tries to fetch OCVPN-related data from the OCVPN Cloud.
  • Role: The device's OCVPN role: spoke, primary-hub, or secondary-hub.
  • Overlay: Defines a network overlay and binds it to subnets.
  • Subnet: An internal network subnet (IPsec-protected subnet). Traffic sourced from or destined to this subnet enters the IPsec tunnel and is encrypted by the IPsec SA.

Sample Topology

The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.

Sample configuration

The steps below use the following overlays and subnets for the sample configuration:

  • Branch1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Branch2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
  • Branch3:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24

Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

  1. Go to System > FortiGuard > License Information > FortiCare Support.
  2. Select Register or Launch Portal to register.
  3. Complete the options to register FortiGate on FortiCare.

To enable OCVPN using the GUI:

  1. Go to VPN > Overlay Controller VPN.
  2. Create the first overlay by setting the following options and clicking OK:
    1. Beside Status, click Enabled.
    2. Beside Role, click Spoke.
    3. In the Overlays section, click Create New to create a network overlay.
    4. In the Name box, type a name, and input the subnets and/or choose internal interfaces.

The local subnet must be routable, and the interfaces must have assigned IP addresses. Otherwise, an error message is displayed.

  3. Repeat this procedure until you have created all the needed overlays.

To enable OCVPN using the CLI:

  1. Ensure all FortiGates are registered on FortiCare.
  2. Configure Branch1:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end

  3. Configure Branch2:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set type interface
                    set interface "lan1"
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set type interface
                    set interface "lan2"
                next
            end
        next
    end
end

  4. Configure Branch3:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end
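The following script is an added example and is not part of the FortiOS guide or any Fortinet tool. It renders the "config vpn ocvpn" block for every FortiGate in the community from one topology description, enforcing the limits the guide states (10 overlays per device, 16 subnets per overlay), requiring a real subnet rather than a host address (the guide's "must be routable" rule), and refusing to emit anything when an overlay name is spelled differently on one device, since the sample relies on the same overlay names appearing on every branch. The Overlay class, the function names, and the "set role spoke" line (mirroring the GUI step) are this example's own assumptions; the three branches are constructed to match the sample configuration.

```python
# Added example, not code from the FortiOS guide: render "config vpn ocvpn"
# for every device in a community and enforce the guide's stated limits.
# The Overlay class, function names and "set role spoke" are this example's
# own assumptions; the sample community mirrors the guide's three branches.
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Set

MAX_OVERLAYS = 10             # per device, free and full license
MAX_SUBNETS_PER_OVERLAY = 16  # per overlay, free and full license
ROLES = ("spoke", "primary-hub", "secondary-hub")


@dataclass
class Overlay:
    name: str
    subnets: List[str] = field(default_factory=list)     # e.g. "10.1.100.0/24"
    interfaces: List[str] = field(default_factory=list)  # e.g. "lan1"


def _subnet_entries(ov: Overlay) -> List[List[str]]:
    """One list of CLI lines per 'config subnets' entry, validated first."""
    entries: List[List[str]] = []
    for cidr in ov.subnets:
        # strict=True rejects a prefix with host bits set (10.1.100.5/24):
        # the guide wants a routable subnet, not a host address.
        net = IPv4Network(cidr, strict=True)
        entries.append([f"set subnet {net.network_address} {net.netmask}"])
    for ifname in ov.interfaces:
        entries.append(["set type interface", f'set interface "{ifname}"'])
    if not entries:
        raise ValueError(f"overlay {ov.name}: needs a subnet or an interface")
    if len(entries) > MAX_SUBNETS_PER_OVERLAY:
        raise ValueError(f"overlay {ov.name}: {len(entries)} subnets, "
                         f"limit is {MAX_SUBNETS_PER_OVERLAY}")
    return entries


def ocvpn_cli(overlays: List[Overlay], role: str = "spoke") -> str:
    """Return the 'config vpn ocvpn' CLI for one FortiGate."""
    if role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}")
    if not 1 <= len(overlays) <= MAX_OVERLAYS:
        raise ValueError(f"need 1..{MAX_OVERLAYS} overlays, got {len(overlays)}")
    names = [o.name for o in overlays]
    if len(set(names)) != len(names):
        raise ValueError("overlay names must be unique on a device")
    out = ["config vpn ocvpn", "    set status enable",
           f"    set role {role}", "    config overlays"]
    for oi, ov in enumerate(overlays, start=1):
        out += [f"        edit {oi}", f'            set name "{ov.name}"',
                "            config subnets"]
        for si, entry in enumerate(_subnet_entries(ov), start=1):
            out.append(f"                edit {si}")
            out += ["                    " + line for line in entry]
            out.append("                next")
        out += ["            end", "        next"]
    out += ["    end", "end"]
    return "\n".join(out) + "\n"


def is_valid_device(overlays: List[Overlay], role: str = "spoke") -> bool:
    """True if ocvpn_cli() would accept this device's overlay list."""
    try:
        ocvpn_cli(overlays, role)
        return True
    except ValueError:
        return False


def lonely_overlays(branches: Dict[str, List[Overlay]]) -> Set[str]:
    """Overlay names present on only one device. The sample uses the same
    names everywhere, so a name seen once is most likely a typo ("OM" for
    "PM") that would leave that branch out of the overlay."""
    seen: Dict[str, int] = {}
    for overlays in branches.values():
        for name in {o.name for o in overlays}:
            seen[name] = seen.get(name, 0) + 1
    return {n for n, count in seen.items() if count == 1}


def community_cli(branches: Dict[str, List[Overlay]]) -> Dict[str, str]:
    """Render every device, refusing if an overlay name is unique to one."""
    odd = lonely_overlays(branches)
    if odd:
        raise ValueError(f"overlay names seen on one device only: {sorted(odd)}")
    return {dev: ocvpn_cli(overlays) for dev, overlays in branches.items()}


# Constructed to match the guide's sample topology.
SAMPLE_COMMUNITY = {
    "Branch1": [Overlay("QA", subnets=["10.1.100.0/24"]),
                Overlay("PM", subnets=["10.2.100.0/24"])],
    "Branch2": [Overlay("QA", interfaces=["lan1"]),
                Overlay("PM", interfaces=["lan2"])],
    "Branch3": [Overlay("QA", subnets=["172.16.101.0/24"]),
                Overlay("PM", subnets=["172.16.102.0/24"])],
}
```

Calling community_cli(SAMPLE_COMMUNITY) returns one CLI block per branch to paste into that device. Because OCVPN then generates the phase1-interfaces, static routes, and firewall policies for you, check the result on each device afterwards (for example with show vpn ipsec phase1-interface, show router static, and show firewall policy) to confirm that only the intended subnets are reachable across each overlay.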

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on "Full mesh OCVPN"

  1. Jose

    Looking into implementing OCVPN. Long story short, we have a mix of different FGs, mostly 60D models. As far as we know these only take FortiOS up to 6.0.x with no plans to have them support 6.2.x or above. We've seen that OCVPN is now a licensed feature on FortiOS 6.2, but on 6.0 it wasn't. Do you know if we can make this work with version 6.0.x, thus skipping paying any license fees? Thanks.
