Note the following limitations:
- The FortiGate must be registered with a valid FortiCare Support license.
- Only full-mesh VPN configurations using PSK cryptography are supported.
- Public IPs must be used (FortiGates behind NAT cannot participate).
- Non-root VDOMs and FortiGate VMs are not supported.
- Up to 16 nodes can be added to the OCVPN cloud, each with a maximum of 16 subnets.
You can repeat Step 1 below to add up to 16 nodes to the OCVPN cloud (barring the above limitations), but you will configure only two nodes in the following example.
PREP 5 mins COOK 5 min TOTAL 10 mins
1. Enabling OCVPN
On FGT_1, go to VPN > One-Click VPN Settings.
Set Status to Enabled and confirm Cloud Status. This may take a minute or two.
As indicated, a green checkmark appears along with the message Connected to the cloud service.
Finally, add the required Subnets from FGT_1.
On FGT_2, repeat the steps above.
Enable and confirm connection to the cloud service, and then add the required subnets from FGT_2.
2. Confirming cloud membership
In the Cloud Members table on FGT_1, click Refresh and confirm the entries.
The remote gateway and corresponding subnets for each device should populate the list.
You can perform the step above on any FortiGate that is a member of the OCVPN cloud.
FGT_2 should return the same results as above.
3. Results
As the Cloud Members table populates, the OCVPN cloud updates each member automatically.
You can now verify that the remainder of the configuration has also been created, and proceed to test the tunnel.
On either FortiGate, go to VPN > IPsec Tunnels and confirm the entry of a new tunnel with the prefix _OCVPN.
Go to Network > Static Routes and confirm the new static routes.
Go to Policy & Objects > IPv4 Policy and confirm the new policies.
Go to Monitor > IPsec Monitor and verify that the tunnel status is Up.
Go to Log & Report > VPN Events and view the tunnel statistics.
Using Command Prompt/Terminal, attempt a ping from one internal network to the other. Ping should be successful:
ping 192.168.177.99
Pinging 192.168.177.99 with 32 bytes of data:
Reply from 192.168.177.99: bytes=32 time=5ms TTL=254
Reply from 192.168.177.99: bytes=32 time=1ms TTL=254
Reply from 192.168.177.99: bytes=32 time<1ms TTL=254
Reply from 192.168.177.99: bytes=32 time<1ms TTL=254
Ping statistics for 192.168.177.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 5ms, Average = 1ms
Now, disable OCVPN (VPN > One-Click VPN Settings) and repeat the ping attempt to confirm that OCVPN was indeed responsible for the successful ping above:
ping 192.168.177.99
Pinging 192.168.177.99 with 32 bytes of data:
Reply from 192.168.176.99: Destination net unreachable.
Reply from 192.168.176.99: Destination net unreachable.
Reply from 192.168.176.99: Destination net unreachable.
Reply from 192.168.176.99: Destination net unreachable.
Ping statistics for 192.168.177.99:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Re-enable OCVPN.
4. Troubleshooting
The following diagnose commands may prove useful.
To verify OCVPN status, use the following command:
FGT_1 # diag vpn ocvpn status
Current State : registered
OCVPN Status : OK (200)
To view device states, use the following command:
FGT_1 # diag vpn ocvpn device-state
FGT_1 wan1 172.25.176.56 0 6 0 2 200 2 0x3 0x3
To print a log report, use the following command:
FGT_1 # diag vpn ocvpn log
OCVPN Polling: state = undefined
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
OCVPN Polling: state = undefined
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
OCVPN Polling: state = undefined
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
========================
Thurs Mar 29 09:00:00 2018
========================
cvpn_load_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
OCVPN Register: sn=x, num_subnets=0
Current State: undefined -> registering
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 2 0 0 0 0 0x0 0x0
WAN intf wan1, IP 172.25.176.56/255.255.255.0
WAN intf changed from <null> to wan1
WAN IP changed from 0.0.0.0 to 172.25.176.56
Local Subnets:
192.168.176.0/255.255.255.0
JSON Update request = '{ "SN": "x", "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Sending OCVPN request: method=Update, data='{ "SN": "x", "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Received OCVPN response: method=Update, res=0, http_resp=200
JSON Response: '{"key":"","rev":1,"members":[{"IPv4":"172.25.176.56","port":"500","slot":0,"subnets":["192.168.176.0/255.255.255.0"],"Name":"FGT_1"}]}'
Member table size = 1
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Subnet 192.168.176.0/255.255.255.0
cvpn_config_install: prev mask 0x1, new mask 0x1
Update response code = 200
Current State: updating -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 0 1 200 1 0x1 0x1
JSON Response: '{"key":"8TVdIwG2xS400jMOxyNN9WKOYWZEsaJDIV8JUGVK2FaHoEVqQPw2qDgt5RLHlZXAuInpCHwl9t8WpZ7jWD+6xg==",
"rev":1,"members":[{"IPv4":"172.25.176.56","port":"500","slot":0,"subnets":["192.168.176.0/255.255.255.0"],"Name":"FGT_1"}]}'
Member table size = 1
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Subnet 192.168.176.0/255.255.255.0
cvpn_config_install: prev mask 0x0, new mask 0x1
New members table, revision = 1
Register response code = 200
Current State: registering -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 0 1 200 1 0x1 0x0
Current State: registered -> acknowledging
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 5 6 1 200 1 0x1 0x0
JSON regack request = '{ "SN": "x", "rev": 1 }'
Sending OCVPN request: method=RegAck, data='{ "SN": "x", "rev": 1 }'
Received OCVPN response: method=RegAck, res=0, http_resp=200
JSON Response: '{"message":"Device successfully acknowledged"}'
Message='Device successfully acknowledged'
RegAck response code = 200
Current State: acknowledging -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 6 1 200 1 0x1 0x0
OCVPN Update: sn=x, num_subnets=0
Current State: registered -> updating
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 3 0 1 200 1 0x1 0x0
WAN intf wan1, IP 172.25.176.56/255.255.255.0
Local Subnets:
cvpn_build_json_reg_upd: internal error, line 1187
cvpn_build_json_reg_upd: res = -1
sys_ocvpn_update: res=-1
WAN intf wan1, IP 172.25.176.56/255.255.255.0
OCVPN Update: sn=x, num_subnets=1
Current State: updating
WAN intf wan1, IP 172.25.176.56/255.255.255.0
Local Subnets:
192.168.176.0/255.255.255.0
JSON Update request = '{ "SN": "x", "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Sending OCVPN request: method=Update, data='{ "SN": "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Received OCVPN response: method=Update, res=0, http_resp=200
JSON Response: '{"key":"","rev":1,"members":[{"IPv4":"172.25.176.56","port":"500","slot":0,"subnets":["192.168.176.0/255.255.255.0"],"Name":"FGT_1"}]}'
Member table size = 1
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Subnet 192.168.176.0/255.255.255.0
cvpn_config_install: prev mask 0x1, new mask 0x1
Update response code = 200
Current State: updating -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 0 1 200 1 0x1 0x1
To view a list of OCVPN cloud members, use the following command:
FGT_1 # diag vpn ocvpn print-members
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Member: { "IPv4": "172.25.177.56", "port": "500", "slot": 1, "subnets": [ "192.168.177.0\/255.255.255.0" ], "Name": "FGT_2" }