Robin_Svanberg
New Member
June 11, 2014
Question

Layer 2 VPN Site to Site?

  • June 11, 2014
  • 5 replies
  • 33521 views
Need to be able to bridge layer 2 traffic, L2TP or similar, between a datacenter and a mobile office. Is it possible to achieve it with Fortigates? Seems like one solution is to have two Fortigates configured in transparent mode and configuring static MAC entries for all hosts connected behind the mobile office; however, we would really want to find a solution which doesn't require static entries. Anyone configured something like this?

    5 replies

    Carl_Wallmark
    New Member
    June 11, 2014
    Hi Robin, You can do L2 VPN (same subnet on both sides), BUT you still need to enter the IP addresses in the firewall; in this case you need to use the proxy-ARP function. And you are limited to 200 or 250 proxy-ARP addresses (don't remember the limit). With that said, you can do it but it is very limited. I have requested this for FortiOS 5.2 but they haven't implemented it.
    emnoc
    New Member
    June 12, 2014
    An IPsec VPN is a layer 3 function and not a layer 2 function. I never heard of any IPsec device doing what you're asking or what selective is requesting from Fortinet. If you need a transparent layer 2 bridge, then L2TPv3 is what you should be looking for, or some other "pseudowire" technology. Neither one of these supports any security per se, but you could easily encrypt the channel across the L2TPv3 xconnect. We've used pseudowires in the past and carried a /30 subnet across that was part of an intra-WAN link between security gateways. Then we issued IPsec between these 2 gateways. IMHO: if you really think you need to bridge a layer 2 subnet across an internet domain, then you should rethink your design and network objectives.
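    To make the point above concrete, here is an added example (not code from the thread or from Fortinet) that builds and decodes an L2TPv3-over-IP data packet carrying an Ethernet pseudowire frame, following RFC 3931 and RFC 4719. All session IDs, cookies, MACs and IPs are constructed for the example. It shows what the data plane of such a pseudowire actually checks (a session ID and an optional cookie) and that the inner frame, here an ARP request crossing the bridge, is readable by anyone on the path unless the pseudowire is wrapped in IPsec, as the reply describes.

```python
"""Build and parse an L2TPv3-over-IP data packet (RFC 3931 section 4.1.2)
carrying an Ethernet pseudowire frame (RFC 4719). Constructed values only."""
import hmac
import struct

# Constructed tunnel parameters (assumptions for this example).
SESSION_ID = 0x00001234                     # non-zero; session ID 0 is reserved for control
COOKIE = bytes.fromhex("0011223344556677")  # 64-bit cookie agreed out of band
S_BIT = 1 << 30                             # S flag of the default L2-specific sublayer


def build_l2tpv3_data(session_id, cookie, seq, inner_frame):
    """Encapsulate an Ethernet frame (no preamble/FCS) as an L2TPv3 data message
    using the default L2-specific sublayer: S bit set, 24-bit sequence number."""
    sublayer = struct.pack("!I", S_BIT | (seq & 0xFFFFFF))
    return struct.pack("!I", session_id) + cookie + sublayer + inner_frame


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame holding an ARP who-has: the kind of traffic an L2 bridge
    has to carry across the WAN so hosts on both sites can resolve each other."""
    eth = bytes.fromhex("ffffffffffff") + sender_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # Ethernet/IPv4, opcode 1
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


def parse_l2tpv3_data(packet, expected_cookie):
    """Parse one data packet as a receiver would: drop it on a bad session ID or
    cookie, then decode the inner Ethernet header and, if present, the ARP body.
    Nothing here is authenticated or encrypted; the cookie only guards against
    misdirected or blindly spoofed packets."""
    cookie_len = len(expected_cookie)
    if len(packet) < 4 + cookie_len + 4 + 14:
        raise ValueError("packet too short for L2TPv3 header plus Ethernet header")
    (session_id,) = struct.unpack_from("!I", packet, 0)
    if session_id == 0:
        raise ValueError("session ID 0 is reserved for control messages")
    cookie = packet[4:4 + cookie_len]
    if not hmac.compare_digest(cookie, expected_cookie):
        raise ValueError("cookie mismatch; receiver drops the packet")
    off = 4 + cookie_len
    (sub,) = struct.unpack_from("!I", packet, off)
    off += 4
    seq = (sub & 0xFFFFFF) if sub & S_BIT else None
    inner = packet[off:]
    dst_mac, src_mac = inner[0:6], inner[6:12]
    (ethertype,) = struct.unpack_from("!H", inner, 12)
    result = {
        "session_id": session_id,
        "seq": seq,
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "ethertype": ethertype,
    }
    if ethertype == 0x0806 and len(inner) >= 14 + 28:
        arp = inner[14:14 + 28]
        op = struct.unpack_from("!H", arp, 6)[0]
        result["arp_op"] = {1: "request", 2: "reply"}.get(op, op)
        result["sender_ip"] = ".".join(str(b) for b in arp[14:18])
        result["target_ip"] = ".".join(str(b) for b in arp[24:28])
    return result


def demo():
    """Round-trip one constructed ARP request through the pseudowire encapsulation."""
    frame = build_arp_request(bytes.fromhex("02aabbccdd01"),
                              bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    packet = build_l2tpv3_data(SESSION_ID, COOKIE, 7, frame)
    return parse_l2tpv3_data(packet, COOKIE)


if __name__ == "__main__":
    print(demo())
```

    Running the block prints the decoded session ID, sequence number, MACs and the ARP sender/target addresses straight from the wire bytes, which is exactly what a passive observer on the WAN would also see; that visibility, not the cookie check, is the reason the reply wraps the xconnect in IPsec.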
    Carl_Wallmark
    New Member
    June 12, 2014
    Yes you are right emnoc, IPsec is an L3 VPN, but it's still possible to share the same subnet with what I wrote above. I have done it, and it works. There are some special scenarios when this can come in handy. (I'm not saying it's an ideal solution.)
    Carl_Wallmark
    New Member
    June 17, 2014
    I know this is out of the scope but I have done an L2 "tunnel" between two remote sites if someone is interested. In short steps:

    Equipment: 1 FortiGate 60D, 1 FortiAP 11C

    1. Create a wireless network in tunnel mode.
    2. Connect for example your DMZ port to your internal LAN (no IP).
    3. Create a Software Switch which contains the DMZ and wireless network. (I also changed the type from Switch to HUB in the CLI.) No IP on the software switch.
    4. In the FAP profile of the 11C, you can bridge the LAN interface to the SSID.
    5. Make sure the FAP can connect to your FG from the Internet (enable CAPWAP on the interface facing the internet, and also configure the FAP itself to phone home).

    Now you have an L2 tunnel: put a computer in the LAN port of the FAP 11C and you will get DHCP from your internal LAN. For more security you can enable DTLS and also make the DTLS traffic integrated into the kernel.
    laupin
    New Member
    January 16, 2018

    Hello,

    I did this configuration in my lab for one subnet and it works fine. I haven't tested for more than one VLAN but Fortinet documents say that it's possible if your FortiGates are at version 5.6.2 or later.

    Here is the procedure I followed:

    http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD40170&languageId=
    http://kb.fortinet.com/kb/documentLink.do?externalID=FD38614

    Let me know if it works for you.

    Best Regards