Fabio
Explorer III
February 21, 2024
Solved

LAN over WAN tunnel


Hello, everyone,
I would like some advice on how I could bridge a LAN subnet over a WAN connection.
I would like to use a GRE tunnel that passes through an IPsec connection between the two FGTs, to have the ability to reach hosts at the other site that share the same subnet. However, I have not found many examples of this configuration.
Instead, I have seen a solution called LAN Extension that uses an IPsec tunnel in which VXLANs are carried. It is a solution that I see as very complicated to put in place.
Do you have experience with this kind of need and scenario?
Thanks

Fabio

4 replies

Hatibi
Staff & Editor
February 21, 2024
AEK
SuperUser
February 21, 2024

Hello Fabio

I'm not a network expert, but I know only VXLAN can do that.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/38079/vxlan

AEK
hbac
Staff
February 21, 2024

Hi @Fabio,

I believe VXLAN is the only option. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Basic-VXLAN-over-IPsec-configuration/ta-p/191207

However, it is possible to use NAT to avoid overlapping subnets: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-an-IPsec-tunnel-with-Overlapping/ta-p/242267

The simplest way is not to use the same subnet for both sides.

Regards,

Fabio (Author, Answer)
Explorer III
February 22, 2024

Hi guys,
I found an article that did just what I needed.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/184150/vlan-inside-vxlan
It works even without the IPsec tunnel.
It was very useful and easy to implement because it is also applicable to our system, which is composed of VLANs (802.1q).

This article talks about the fact that, within the switch software, 802.1q interfaces are not supported:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Building-a-Layer-2-VPN-with-VxLAN-over-IPsec/ta-p/194097?externalID=FD40170

Thanks @hbac for the inspiration.