Layer 2 VPN between two FGT60D 6.0.5 units
I am trying to create a Layer 2 VPN between 2 sites. Both sites have an FGT60D running version 6.0.5. Both sites have a dynamic public IP, but site 2 is behind a NAT device.
I used this wizard: https://kb.fortinet.com/kb/viewContent.do?externalId=FD40170&sliceId=1
The tunnel is up and running, but it seems the packets are not being bridged; I am not able to ping IP 10.228.191.251 from site 1.
"diag deb sniffer packet any 'host 10.228.191.251' 4" on site 1 shows "arp who-has 10.228.191.251 tell ..." on the VxLan interface, but the request does not appear on site 2.
Any advice about where to start digging is welcome.
Site 1:
# Site 1 software switch: bridges the VLAN sub-interface "int2.2891" with the
# IPsec/VXLAN tunnel interface "VxLan-IPsec" at Layer 2.
config system switch-interface
edit "switch2891"
set vdom "vd_site1"
set member "int2.2891" "VxLan-IPsec"
# "explicit" means frames between the two members are not forwarded freely;
# they are subject to firewall policy. NOTE(review): no policy between the
# members appears in this listing -- confirm one exists in both directions,
# since a missing policy would stop ARP from reaching the tunnel member.
set intra-switch-policy explicit
next
end
# Site 1 interfaces: the tunnel interface, the LAN-side VLAN and the switch
# that joins them.
config system interface
# Tunnel interface created for the phase1 of the same name; its parent is the
# VLAN sub-interface "int2.3997" (the WAN-side path at this site).
edit "VxLan-IPsec"
set vdom "vd_site1"
set vlanforward enable
set type tunnel
set snmp-index 18
set interface "int2.3997"
next
# LAN-side VLAN 2891 on physical port internal2; this is the segment that is
# bridged to the remote site.
edit "int2.2891"
set vdom "vd_site1"
set vlanforward enable
set alias "2891 VxLAN"
set device-identification enable
set role lan
set snmp-index 20
set interface "internal2"
set vlanid 2891
next
# Software switch carrying the FortiGate's own address in the bridged subnet.
edit "switch2891"
set vdom "vd_site1"
set ip 10.228.191.2 255.255.255.0
# NOTE(review): https and ssh management is enabled on the bridged segment;
# once the Layer 2 bridge works, hosts at site 2 share this segment too.
# Restrict to what is needed (site 2 exposes only ping on its switch).
set allowaccess ping https ssh
set type switch
set snmp-index 21
next
end
# Site 1 IKE phase1: dynamic-DNS peer, pre-shared key, VXLAN carried over IPsec.
config vpn ipsec phase1-interface
edit "VxLan-IPsec"
# Both gateways have dynamic addresses, so the remote peer is located by DDNS
# name rather than a fixed IP.
set type ddns
set interface "int2.3997"
# "any": no peer ID is checked; whoever presents the correct PSK is accepted.
# NOTE(review): with dynamic peers this makes the PSK the only gate; a peer ID
# restriction (set peertype one / set peerid) narrows who may negotiate.
set peertype any
# NOTE(review): SHA-1 integrity; a SHA-2 proposal (e.g. aes128-sha256) is
# available in this release and must match on both ends if changed.
set proposal aes128-sha1
# VXLAN encapsulation is what makes this an Ethernet (Layer 2) tunnel.
set encapsulation vxlan
set remotegw-ddns "site2.mydomain.net"
# "VerySecret" is a placeholder in this post; the real value must be long,
# random and identical on both sides.
set psksecret ENC VerySecret
next
end
# Site 1 IPsec phase2 bound to the phase1 above. No src/dst selectors are set,
# so the defaults apply (appropriate for a VXLAN-encapsulated tunnel, where the
# encapsulated Ethernet frames are the payload).
config vpn ipsec phase2-interface
edit "VxLan-IPsec"
set phase1name "VxLan-IPsec"
set proposal aes128-sha1
next
end
Site 2:
# Site 2 software switch: bridges VLAN sub-interface "int1.2891" with the
# tunnel interface "VxLan-2891" (the site 2 name of the same tunnel).
config system switch-interface
edit "switch2891"
set vdom "vd_site2"
set member "int1.2891" "VxLan-2891"
# Same as site 1: intra-switch traffic needs a firewall policy.
# NOTE(review): no such policy is shown here either -- confirm it exists.
set intra-switch-policy explicit
next
end
# Site 2 interfaces: LAN-side VLAN, the switch with the ping target address,
# and the tunnel interface bound to wan2.
config system interface
# LAN-side VLAN 2891 on physical port internal1.
edit "int1.2891"
set vdom "vd_site2"
set vlanforward enable
set device-identification enable
set role lan
set snmp-index 33
set interface "internal1"
set vlanid 2891
next
# Switch holding 10.228.191.251 -- the address site 1 cannot reach. Only ping
# is exposed on it, which is the minimum needed for the test.
edit "switch2891"
set vdom "vd_site2"
set ip 10.228.191.251 255.255.255.0
set allowaccess ping
set type switch
set snmp-index 34
next
# Tunnel interface for the phase1 of the same name, parented on wan2.
edit "VxLan-2891"
set vdom "vd_site2"
set vlanforward enable
set type tunnel
set snmp-index 31
set interface "wan2"
next
end
# Site 2 IKE phase1, mirror of site 1: DDNS peer, PSK, VXLAN over IPsec.
# NOTE(review): this site sits behind a NAT device (per the post), so inbound
# negotiation from site 1 depends on that device passing UDP 500/4500
# (NAT-T) to wan2 -- confirm, since both ends are configured as DDNS peers.
config vpn ipsec phase1-interface
edit "VxLan-2891"
set type ddns
set interface "wan2"
# No peer ID check; the PSK is the only authentication gate (see site 1).
set peertype any
# SHA-1 integrity; must match site 1's proposal exactly.
set proposal aes128-sha1
set encapsulation vxlan
set remotegw-ddns "site1.mydomain.net"
# Placeholder value in this post; must be identical to site 1's PSK.
set psksecret ENC VerySecret
next
end
# Site 2 IPsec phase2. The phase2 name differs from site 1's ("ph2_..." vs the
# phase1 name); that is local-only and does not need to match across sites.
# No selectors are set, so the defaults apply, as at site 1.
config vpn ipsec phase2-interface
edit "ph2_VxLan-2891"
set phase1name "VxLan-2891"
set proposal aes128-sha1
next
end
