Full mesh OCVPN

Full mesh OCVPN

This topic provides an example configuration of full mesh Overlay Controller VPN (OCVPN).

OCVPN is a cloud based solution to simplify IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is defined as all FortiGates registered to FortiCare by using the same FortiCare account.

If the network topology changes on any FortiGates in the community (such as changing a public IP address in DHCP mode, adding or removing protected subnets, failing over in dual WAN), the IPsec-related configuration for all devices is updated with Cloud assistance in self-learning mode. No intervention is required.

Full mesh IPsec tunnels are established between all FortiGates.

License

• Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay. l Full License: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

• All FortiGates must be running FortiOS version 6.2.0 or later. l All FortiGates must have Internet access. l All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

• Non-root VDOM does not support OCVPN. l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Sample Topology

The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.

Sample configuration

The steps below use the following overlays and subnets for the sample configuration:

• Branch1:
• Overlay name: QA. Local subnets: 10.1.100.0/24 l Overlay name: PM. Local subnets: 10.2.100.0/24
• Branch2:
• Overlay name: QA. Local interfaces: lan1 l Overlay name: PM. Local interfaces: lan2
• Branch3:
• Overlay name: QA. Local subnets: 172.16.101.0/24 l Overlay name: PM. Local subnets: 172.16.102.0/24 Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

1. Go to System > Fortiguard > License Information > FortiCare Support.
2. Select Register or Launch Portal to register.
3. Complete the options to register FortiGate on FortiCare.

To enable OCVPN using the GUI:

1. Go to VPN > Overlay ControllerVPN.
2. Create the first overlay by setting the following options and clicking OK:
   1. Beside Status, click Enabled.
   2. Beside Role, click Spoke.
   3. In the Overlays section, click Create New to create a network overlay.
   4. In the Name box, type a name, and input the subnets and/or choose internal interfaces.

The local subnet must be routable, and interfaces must have assigned IP addresses. Otherwise an error message displays.

3. Repeat this procedure until you create all the needed overlays.

To enable OCVPN using the CLI:

1. Ensure all FortiGates are registered on FortiCare.
2. Configure Branch1:

config vpn ocvpn set status enable config overlays

edit 1

set name “QA” config subnets

edit 1 set subnet 10.1.100.0 255.255.255.0

next

end

next edit 2

set name “PM” config subnets

edit 1 set subnet 10.2.100.0 255.255.255.0

next

end

next end end

3. Configure Branch2:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set type interface set interface “lan1”

next

end

next edit 2 set name “PM” config subnets edit 1 set type interface set interface “lan2”

next

end

next

end

end

4. Configure Branch3:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 172.16.101.0 255.255.255.0

next

end

next edit 1 set name “OM” config subnets edit 1 set subnet 172.16.102.0 255.255.255.0

next

end

next

end

end