Technical Tip: VXLAN configuration on FortiGate behind NAT device
Description
This article describes how to configure VXLAN on FortiGate behind NAT device.
Scope
FortiGate.
Solution
In the diagram below, FortiGate 2 sits behind a NAT device. Without the configuration that follows, inbound VXLAN traffic arriving over the IPsec tunnel is dropped on FortiGate 2, because the VXLAN local gateway address must be the address seen after NAT rather than the private address of port1.
PC1(.1) - 192.168.100.0/24 - port2-[ FG1 ]-port1-(198.51.100.1) ====
                                                                   |
                                                      (Internet)   |  VxLAN-over-IPsec tunnel
                                                                   |
PC2(.2) - 192.168.100.0/24 - port2-[ FG2 ]-port1-(10.0.0.1)-[ NAT ]=(203.0.113.2)
FortiGate 2 (note that encap-local-gw4 is set to 203.0.113.2, the address after NAT, not to the 10.0.0.1 address configured on port1):
config vpn ipsec phase1-interface
    edit "VxLan-IPsec"
        set interface "port1"
        set proposal aes128-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 203.0.113.2
        set encap-remote-gw4 198.51.100.1
        set remote-gw 198.51.100.1
        set psksecret someSecureKey
    next
end
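As an added check (example code, not part of this article or of FortiOS), the following Python parses a phase1-interface block written in the CLI format above and flags the common mistake in the NAT scenario: using the pre-NAT port1 address as encap-local-gw4 instead of the address after NAT. The interface address map, the NAT public address and the sample block are constructed from the diagram.

```python
# Added example, not Fortinet code: audit a FortiOS phase1-interface block for
# the VXLAN-over-IPsec-behind-NAT settings the article describes.
# Constructed sample values: FG2's port1 address before NAT and the NAT public address.
PORT_ADDRS = {"port1": "10.0.0.1"}
NAT_PUBLIC = "203.0.113.2"

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VxLan-IPsec"
        set interface "port1"
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 203.0.113.2
        set encap-remote-gw4 198.51.100.1
        set remote-gw 198.51.100.1
    next
end
"""

def parse_phase1(text):
    """Return {entry_name: {key: value}} for each edit block in the CLI text."""
    entries, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries

def audit(entry):
    """Return the list of problems; an empty list means the NAT case is set up."""
    problems = []
    if entry.get("encapsulation") != "vxlan":
        problems.append("encapsulation is not vxlan")
    if entry.get("encapsulation-address") != "ipv4":
        problems.append("encapsulation-address is not ipv4")
    local = entry.get("encap-local-gw4")
    if local == PORT_ADDRS.get(entry.get("interface", "")):
        # The classic mistake: the private interface address instead of the NAT one.
        problems.append(f"encap-local-gw4 {local} is pre-NAT; use {NAT_PUBLIC}")
    elif local != NAT_PUBLIC:
        problems.append(f"encap-local-gw4 {local!r} is not the NAT address {NAT_PUBLIC}")
    # In this design the VXLAN remote endpoint is the IPsec peer itself.
    if entry.get("encap-remote-gw4") != entry.get("remote-gw"):
        problems.append("encap-remote-gw4 does not match remote-gw")
    return problems
```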
If SSL traffic does not load across the VXLAN-over-IPsec tunnel, the extra encapsulation overhead is the likely cause, and the interface MTU should be lowered to suit the traffic:
config system interface
    edit <interface>
        set mtu-override enable
        set mtu 1340
    next
end
For a complete step-by-step configuration, see this article:
