FortiGate
ssener (Staff)
Article Id 193417

Description


This article describes how to set up a full mesh OCVPN between FortiGate units where some run FortiOS 6.2 and others run FortiOS 6.4, so that connectivity and policy are consistent across the whole mesh.

Scope

 

  •  Free license: three units in full mesh, 10 overlays, 16 subnets per overlay.
  •  Full license: maximum of 16 units, 10 overlays, 16 subnets per overlay.
  •  The overlay name must be identical on every unit; the name is the key used to pair local and remote selectors, so a mismatch means no Phase2 selectors are negotiated for that overlay.
  •  Once OCVPN is configured, the associated IPsec VPN tunnel, Phase1 and Phase2 interfaces, IPv4 firewall policies and static routes are created automatically on each unit.


Overview:

 

As network environments grow, administrators commonly encounter devices running different firmware versions.

One such situation is a topology in which the FortiGates run both FortiOS 6.2 and FortiOS 6.4.

This arises during phased upgrades, or when new equipment is integrated alongside legacy units.

Overlay Controller VPN (OCVPN) provides a simplified way to establish a full mesh VPN between FortiGate units. The CLI syntax for overlays differs between the two releases (6.2 keys each overlay by its name, 6.4 keys it by an integer ID and sets the name separately), so the configuration must be entered in the form each unit expects while still producing the same overlay name on all of them.


Solution


Topology.

The following topology shows three FortiGate units registered on FortiCare using the same FortiCare account.
Each FortiGate unit has one internal subnet, and no NAT exists between the units.



 
 
Configuration.

To enable OCVPN using the CLI:

Configure KL FortiGate.
 
config vpn ocvpn
    set status enable
    set multipath disable
    config overlays
        edit "1"
            config subnets
                edit 1
                    set subnet 10.81.0.0 255.255.252.0
                next
            end
        next
    end
end
 
Configure SYD FortiGate.
 
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "1"
            config subnets
                edit 1
                    set subnet 10.91.0.0 255.255.240.0
                next
            end
        next
    end
end
 
Configure MEL FortiGate.
 
config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "1"
            config subnets
                edit 1
                    set subnet 10.92.0.0 255.255.240.0
                next
            end
        next
    end
end

KL FortiGate – verification from GUI.
 
  
SYD FortiGate – verification from GUI.
 

 
MEL FortiGate – verification from GUI.
 
 
Verification on OCVPN portal.

The same state can be confirmed from the CLI of each unit: diagnose vpn ocvpn status shows the unit's registration and overlay state, and get vpn ipsec tunnel summary lists the automatically created tunnels to the other members.