Hub-spoke OCVPN with ADVPN shortcut

Hub-spoke OCVPN with ADVPN shortcut

This topic provides a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology based on members’ information. To form a hubspoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary hub (for redundancy), while others function as spokes.

License

• Free license: Hub-spoke network topology not supported.
• Full license: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

• All FortiGates are on FortiOS version 6.2.0 or later. l All FortiGates must have Internet access. l All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

• Non-root VDOM doesn’t support OCVPN. l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

• Primary hub l Secondary hub l Spoke (OCVPN default role)

Sample topology

Sample Configuration

The steps below use the following overlays and subnets for the sample configuration:

• Primary hub:
• Overlay name: QA. Local subnets: 16.101.0/24 l Overlay name: PM. Local subnets: 172.16.102.0/24 l Secondary hub: l Overlays are synced from primary hub. l Spoke1:
• Overlay name: QA. Local subnets: 1.100.0/24 l Overlay name: PM. Local subnets: 10.2.100.0/24
• Spoke2:
• Overlay name: QA. Local interfaces lan1 l Overlay name: PM. Local interfaces lan2

Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

1. Go to System > Fortiguard > License Information > FortiCare Support.
2. Select either Register or Launch Portal to register.
3. Complete the options to register FortiGate on FortiCare.

To enable hub-spoke OCVPN through the GUI:

1. Configure the OCVPN primary hub:
   1. Go to VPN > Overlay ControllerVPN.
   2. Enable Overlay ControllerVPN and select Primary Hub as the role.
   3. In the Overlays section, select Create New to create a network overlay.
   4. Enter a name and the subnets and/or internal interfaces, then select OK.
   5. Select Apply to commit the configuration.
2. Configure the OCVPN secondary hub:

Overlays are synced from the primary hub and cannot be defined in the secondary hub. a. Go to VPN > Overlay ControllerVPN.

1. Enable Overlay ControllerVPN and select Secondary Hub as the role.
2. Select Apply to commit the configuration.

3. Configure the OCVPN spokes:
   1. Go to VPN > Overlay ControllerVPN.
   2. Enable Overlay ControllerVPN and select Spoke as the role.
   3. In the Overlays section, select Create New to create a network overlay.
   4. Enter a name and the subnets and/or internal interfaces, then select OK.

The local subnet must be routable and the interface must have an IP address assigned, otherwise an error message appears.

1. Select Apply to commit the configuration.

To enable hub-spoke OCVPN through the CLI:

1. Configure the OCVPN primary hub:

config vpn ocvpn set status enable set role primary-hub config overlays edit 1 set name “QA” config subnets edit 1 set subnet 172.16.101.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 172.16.102.0 255.255.255.0

next

end

next

end

end

2. Configure the OCVPN secondary hub:

config vpn ocvpn set status enable set role secondary-hub

end

3. Configure the OCVPN spoke1:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 10.1.100.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 10.2.100.0 255.255.255.0

next

end

next

end

end

4. Configure the OCVPN spoke2:

config vpn ocvpn set status enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 192.168.4.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 192.168.5.0 255.255.255.0

next

end

next

end

end