Hub-Spoke OCVPN with inter-overlay source NAT
This topic provides a sample configuration of Hub-Spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic between overlays by default. With NAT enabled on the Spokes and assign-ip enabled on the Hub, you can have inter-overlay communication.
Inter-overlay communication means that devices from any source address and any source interface can communicate with any device in the overlays' subnets when the overlay option assign-ip is enabled.
To enable NAT, disable auto-discovery first.
License
- Free license: Hub-spoke network topology not supported.
- Full License: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.
Prerequisites
- All FortiGate devices must be running FortiOS version 6.2.0 or later.
- All FortiGate devices must have Internet access.
- All FortiGates must be registered on FortiCare by using the same FortiCare account.
Restrictions
- Non-root VDOM does not support OCVPN.
- FortiOS 6.2.x is not compatible with FortiOS 6.0.x.
OCVPN device roles
- Primary-hub
- Secondary-hub
- Spoke (OCVPN default role)
Sample network topology
Sample configuration
You can only configure this feature by using the CLI.
To enable inter-overlay source NAT from CLI:
- Configure the Primary-Hub, enable overlay QA, and configure assign-ip and IP range:
config vpn ocvpn
    set status enable
    set role primary-hub
    config overlays
        edit 1
            set name "QA"
            set assign-ip enable
            set ipv4-start-ip 172.16.101.100
            set ipv4-end-ip 172.16.101.200
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            set assign-ip enable
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end
- Configure the Secondary-Hub:
config vpn ocvpn
    set status enable
    set role secondary-hub
end
- Configure Spoke1, and enable NAT on the spoke:
config vpn ocvpn
    set status enable
    set auto-discovery disable
    set nat enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end
- Configure Spoke2, and enable NAT on the spoke:
config vpn ocvpn
    set status enable
    set auto-discovery disable
    set nat enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 192.168.4.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 192.168.5.0 255.255.255.0
                next
            end
        next
    end
end
A firewall policy with NAT is generated on the spoke:
    edit 9
        set name "_OCVPN2-1.1_nat"
        set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
        set srcintf "any"
        set dstintf "_OCVPN2-1.1"
        set srcaddr "all"
        set dstaddr "_OCVPN2-1.1_remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Generated by OCVPN Cloud Service."
        set nat enable
    next
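As an added pre-deployment check (example code written for this topic, not Fortinet's own tooling), the following Python parses FortiOS CLI text like the blocks above into nested tables and flags two problems: a spoke with nat enabled while auto-discovery is still on, and an assign-ip pool on a hub overlay that is not ordered or does not fall inside that overlay's subnets (the second is an assumed sanity rule, not a documented one). The embedded sample configs are constructed from the Primary-Hub QA overlay above plus a deliberately misconfigured spoke.

```python
import ipaddress
# Constructed samples: this page's Primary-Hub "QA" overlay, and a spoke that turned
# on NAT without first disabling auto-discovery (the ordering rule stated above).
HUB = """config vpn ocvpn
    config overlays
        edit 1
            set name "QA"
            set assign-ip enable
            set ipv4-start-ip 172.16.101.100
            set ipv4-end-ip 172.16.101.200
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
    end
end"""
BAD_SPOKE = "config vpn ocvpn\n    set nat enable\nend"

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    stack = [{}]  # stack[0] is the root table
    for parts in filter(None, map(str.split, text.replace('"', "").splitlines())):
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = " ".join(parts[2:])
        elif parts[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def check_ocvpn(text):
    """Return a list of problems found in one device's 'vpn ocvpn' table."""
    ocvpn = parse_fortios(text).get("vpn ocvpn", {})
    issues = []
    if ocvpn.get("nat") == "enable" and ocvpn.get("auto-discovery") != "disable":
        issues.append("nat enable requires auto-discovery disable")
    for ov in ocvpn.get("overlays", {}).values():
        if ov.get("assign-ip") != "enable" or "ipv4-start-ip" not in ov:
            continue  # no pool to check (spoke overlay, or hub overlay without a range)
        start = ipaddress.ip_address(ov["ipv4-start-ip"])
        end = ipaddress.ip_address(ov.get("ipv4-end-ip", ov["ipv4-start-ip"]))
        nets = [ipaddress.ip_network(s["subnet"].replace(" ", "/"), strict=False)
                for s in ov.get("subnets", {}).values()]
        # Assumed sanity rule (not stated on the page): the pool is ordered and lies inside one subnet.
        if start > end or not any(start in n and end in n for n in nets):
            issues.append(f"overlay {ov.get('name')}: pool {start}-{end} outside subnets")
    return issues
```

Run check_ocvpn over each device's `show vpn ocvpn` output before pushing the configuration; an empty list means both rules passed.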