macarleo
New Member
November 13, 2018
Solved

Native VXLAN over IPsec and loopback interface: advanced configuration


I allow myself to write this post because I have had a lot of difficulty configuring VXLAN over IPsec; the operation is not guaranteed (at least from my experience).

From FortiOS version 5.6.2, VXLAN can be used natively.

Considering that:

  • VXLAN over IPsec does not support 802.1q (while internet traffic is encrypted)
  • native VXLAN supports 802.1q (but internet traffic is not encrypted)

I decided to build a configuration using IPsec with a loopback interface and use native VXLAN over the loopback interfaces.

With this configuration, the native VXLAN traffic is encrypted by IPsec.

Attached is the configuration adopted between a FortiGate 80E and a FortiGate 90E.

######################### FTG80E ###############

## creation of subnet address
config firewall address
    edit "LoopBackLocal172.30.31.0"
        set subnet 172.30.31.0 255.255.255.0
    next
    edit "LoopBackRemote172.30.30.0"
        set subnet 172.30.30.0 255.255.255.0
    next
end

########## loopback interface creation ##########
config system interface
    edit "Loopback"
        set vdom "root"
        set ip 172.30.31.1 255.255.255.0
        set allowaccess ping https ssh http
        set type loopback
    next
end

########## phase 1 configuration #########
config vpn ipsec phase1-interface
    edit "VXlanSuIpsec"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1
        set dhgrp 14 2
        set remote-gw #remote ip public
        set psksecret 123456789
    next
end

########## phase 2 configuration ##########
config vpn ipsec phase2-interface
    edit "VXlanIpsecPh2"
        set phase1name "VXlanSuIpsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
        set dhgrp 14 2
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "LoopBackLocal172.30.31.0"
        set dst-name "LoopBackRemote172.30.30.0"
    next
end

######### native vxlan configuration using vpn ipsec with loopback interface ########
config system vxlan
    edit "vxlan"
        set interface "Loopback"
        set vni 1
        set remote-ip "172.30.30.1"
    next
end

config system interface
    edit "vxlan"
        set vdom "root"
        set type vxlan
        set interface "Loopback"
    next
end

######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########
######## port 7 firewall must be configured in trunk on switch port ##########
config system switch-interface
    edit "Switch-Vxlan"
        set vdom "root"
        set member "port7" "vxlan"
    next
end

######## Policy configuration ######
config firewall policy
    edit 1
        set name "Loopback TO ipsecVPN"
        set srcintf "Loopback"
        set dstintf "VXlanSuIpsec"
        set srcaddr "LoopBackLocal172.30.31.0"
        set dstaddr "LoopBackRemote172.30.30.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "ipsecVPN TO Loopback"
        set srcintf "VXlanSuIpsec"
        set dstintf "Loopback"
        set srcaddr "LoopBackRemote172.30.30.0"
        set dstaddr "LoopBackLocal172.30.31.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

############# static route configuration ##########
########## remember to add the default gateway associated with wan1 ############
config router static
    edit 2
        set dst 172.30.30.0 255.255.255.0
        set distance 1
        set device "VXlanSuIpsec"
    next
end

     

     

########################### FTG90E ###############

## creation of subnet address
config firewall address
    edit "LoopBackLocal172.30.30.0"
        set subnet 172.30.30.0 255.255.255.0
    next
    edit "LoopBackRemote172.30.31.0"
        set subnet 172.30.31.0 255.255.255.0
    next
end

########## loopback interface creation ##########
config system interface
    edit "Loopback"
        set vdom "root"
        set ip 172.30.30.1 255.255.255.0
        set allowaccess ping https ssh http
        set type loopback
    next
end

########## phase 1 configuration #########
config vpn ipsec phase1-interface
    edit "VXlanSuIpsec"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1 aes256-sha256 aes128-sha256 aes256-sha1
        set dhgrp 14 2
        set remote-gw #remote ip public
        set psksecret 123456789
    next
end

########## phase 2 configuration ##########
config vpn ipsec phase2-interface
    edit "VXlanIpsecPh2"
        set phase1name "VXlanSuIpsec"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
        set dhgrp 14 2
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "LoopBackLocal172.30.30.0"
        set dst-name "LoopBackRemote172.30.31.0"
    next
end

######### native vxlan configuration using vpn ipsec with loopback interface ########
config system vxlan
    edit "vxlan"
        set interface "Loopback"
        set vni 1
        set remote-ip "172.30.31.1"
    next
end

config system interface
    edit "vxlan"
        set vdom "root"
        set type vxlan
        set interface "Loopback"
    next
end

######## Virtual Switch Configuration for bridge between native vxlan and port 7. #########
######## port 7 firewall must be configured in trunk on switch port ##########
config system switch-interface
    edit "Switch-Vxlan"
        set vdom "root"
        set member "internal7" "vxlan"
    next
end

######## Policy configuration ######
config firewall policy
    edit 1
        set name "Loopback TO ipsecVPN"
        set srcintf "Loopback"
        set dstintf "VXlanSuIpsec"
        set srcaddr "LoopBackLocal172.30.30.0"
        set dstaddr "LoopBackRemote172.30.31.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "ipsecVPN TO Loopback"
        set srcintf "VXlanSuIpsec"
        set dstintf "Loopback"
        set srcaddr "LoopBackRemote172.30.31.0"
        set dstaddr "LoopBackLocal172.30.30.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

############# static route configuration ##########
########## remember to add the default gateway associated with wan1 ############
config router static
    edit 2
        set dst 172.30.31.0 255.255.255.0
        set distance 1
        set device "VXlanSuIpsec"
    next
end
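As an added example (not the original poster's configuration and not a FortiOS tool), a small checker that parses a constructed, cut-down mirror of the FTG80E / FTG90E snippets above and verifies the cross-references that matter in this design: each side's VXLAN remote-ip must be the peer's loopback address (not its own), and the static route to that loopback must point into the IPsec tunnel rather than out wan1. Section names, entry names and the "VXlanSuIpsec" device name are taken from the configuration in this post; the addresses are the ones used above.

```python
import ipaddress

# Constructed mirror of the FTG80E / FTG90E snippets above, cut down to the sections checked.
SIDE = """config system interface
    edit "Loopback"
        set ip {lo} 255.255.255.0
    next
end
config system vxlan
    edit "vxlan"
        set interface "Loopback"
        set remote-ip "{remote}"
    next
end
config router static
    edit 2
        set dst {route} 255.255.255.0
        set device "VXlanSuIpsec"
    next
end"""
FTG80E = SIDE.format(lo="172.30.31.1", remote="172.30.30.1", route="172.30.30.0")
FTG90E = SIDE.format(lo="172.30.30.1", remote="172.30.31.1", route="172.30.31.0")

def parse_fortios(text):
    """Map (section, entry) -> {key: [values]} for FortiOS config/edit/set/next/end text."""
    out, section, entry = {}, None, None
    for words in filter(None, (line.replace('"', "").split() for line in text.splitlines())):
        if words[0] == "config":
            section = " ".join(words[1:])
        elif words[0] == "edit":
            entry = words[1]
            out[(section, entry)] = {}
        elif words[0] == "set":
            out[(section, entry)][words[1]] = words[2:]
    return out

def vxlan_peer_problems(local_cfg, peer_cfg):
    """Mismatches seen from one side: remote-ip must be the PEER's loopback, and a
    static route to that loopback must point into the IPsec tunnel, not out wan1."""
    me, peer = parse_fortios(local_cfg), parse_fortios(peer_cfg)
    remote = me[("system vxlan", "vxlan")]["remote-ip"][0]
    peer_lo = peer[("system interface", "Loopback")]["ip"][0]
    route = me[("router static", "2")]
    net = ipaddress.ip_network("/".join(route["dst"]), strict=False)
    problems = []
    if remote != peer_lo:
        problems.append(f"remote-ip {remote} is not the peer loopback {peer_lo}")
    if ipaddress.ip_address(remote) not in net or route["device"] != ["VXlanSuIpsec"]:
        problems.append(f"no static route to {remote} via the IPsec tunnel")
    return problems
```

Run `vxlan_peer_problems(FTG80E, FTG90E)` and the reverse; both return an empty list for the configuration above, and a copy whose remote-ip is set to its own loopback is flagged twice (wrong peer, and no route for it through the tunnel).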

     

     

     

• Best answer by macarleo

  "so are you able to get HTTPS working with native vxlan with 802.1q ?"

  yes


      Tom_Wuyts1
      New Member
      November 14, 2018

Hi,

I have been struggling for a while with the same thing. FortiGate E30, firmware 5.6.4.

I was able to configure the VXLAN with the following procedure:
https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/
I also use 802.1q; the LAN port is a trunk on the switch.

I am able to ping through the VXLAN IPsec tunnel to the devices at the other site, so my VXLAN configuration works.
But when I try file services or web applications it's not possible.
It has something to do with MTU size but I can't figure it out. When I lower the MTU size on my laptop everything goes fine. So I would like to set the MTU size of my vxlan-switch higher, but that's not allowed.
I get the message 'MTU size is not valid, should be in range of 68 - 1500'

Did you also suffer from this? Any solutions?

Thx,
Tom

       

       

macarleo (Author)
New Member
November 14, 2018

I've had similar problems. Try using a laptop with Linux and see if you have the same web access problems; with a Linux laptop I had different behaviour from a Windows laptop, and I did not understand the reason. If you use the trunk on the primary and secondary site switches, on the secondary site try to access the interface with the same PVID as the source trunk. However, VXLAN over IPsec does not support 802.1q, so you cannot pass more VLANs even if it seems that at the IP or ICMP level there is availability or reachability.

Try to use my configuration and let me know if it works; I have tested it thoroughly without problems.

       

       

gangadar1234
New Member
November 16, 2018

Hi Macarleo,

802.1q support with VXLAN over IPsec: I tested in my lab and I can see the firewall passing the tags across the IPsec tunnel.

However, native VXLAN isn't working for me. Also, I see you have configured the vxlan remote-ip as the local loopback IP; I believe it should be the remote loopback IP.

macarleo (Author)
New Member
November 16, 2018

Hello, from my tests in the laboratory it seems to me that apparently the VLANs pass correctly over IPsec; in fact at ICMP level I did not detect problems, but when I used the HTTPS protocols I detected problems. However, the conversation with Fortinet support is attached: VXLAN over IPsec does not support 802.1q.

I did not understand what you mean by: "Also I see you have configured the vxlan remote ip as local loopback IP, i believe it should be the remote loopback ip"

Best Regards
Mariano

      gangadar1234
      New Member
      November 16, 2018

So, are you able to get HTTPS working with native VXLAN with 802.1q?

      PincoP
      New Member
      November 20, 2018

Excellent guide, thank you.

      boneyard
      Valued Contributor
      February 25, 2019

Thank you for this guide @macarleo.

I'm running into the 802.1q issue with this native VXLAN setup, I'm afraid. Does anyone have a working setup in which you don't have to lower the MTU on the end user devices and use 802.1q with tagged VLANs over native VXLAN?

macarleo, you are saying you do, but your guide doesn't include 802.1q config anywhere; how / where did you configure that?

I'm kind of wondering if it might require 6.0, as there the documentation has this section (and 5.6 doesn't):

http://help.fortinet.com/...Ns%20over%20VXLANs.htm

      boneyard
      Valued Contributor
      March 16, 2019

I can now confirm that native VXLAN as @macarleo posted it functions fine with VLAN tagged traffic.

When you configure VLANs on the software switch you can have the FortiGate(s) participate in the VLAN on layer 3 also.

So far my main issue is doing VXLAN traffic through an inter-VDOM link; that seems to break it partially.

      krystianm
      New Member
      August 14, 2019

Your config is slightly different from mine. Have you tested, e.g., HTTPS over VXLAN? It doesn't work for me. I've checked a few scenarios, like VoIP phones, Cisco APs, PCs that receive an IP from DHCP, etc., but never got HTTPS working, nor IP printing across the VXLAN.

      boneyard
      Valued Contributor
      August 15, 2019

That sounds like an MTU issue. In principle the FortiGate should handle this for you, so if it doesn't, the question is what your setup is exactly and which FortiOS version you are using.

Currently I have this working fine on FortiOS 6.2 with VLAN tagged traffic. In FortiOS 6.0 I expect it to work with untagged traffic.

      emnoc
      New Member
      August 15, 2019

Adjust the tcp.mss in the firewall policy and your MTU issues will go away.

http://socpuppet.blogspot.com/2013/05/tcp-mss-adjusment-fortigate-style.html

Ken Felix
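Added example, not from the thread or from Fortinet: the header-overhead arithmetic behind the MTU symptoms Tom and krystianm describe and the tcp-mss clamp emnoc recommends, applied to the loopback-over-IPsec design in the original post with its phase2 proposals. The ESP field sizes (IV, block alignment, truncated ICV) are the RFC 4303/4106 conventions assumed here, not values measured on a FortiGate, and wan_mtu=1500 is the WAN IP MTU, so treat the results as a starting point to verify with a DF ping.

```python
# Assumed ESP parameters per proposal name used in the phase2 above: (IV bytes, pad alignment, ICV bytes).
# AES-CBC: 16-byte IV and blocks; HMAC-SHA1-96 -> 12-byte ICV, HMAC-SHA256-128 -> 16-byte ICV.
# AES-GCM (RFC 4106): 8-byte IV, 4-byte ESP alignment, 16-byte ICV.
ESP = {
    "aes128-sha1": (16, 16, 12), "aes256-sha1": (16, 16, 12),
    "aes128-sha256": (16, 16, 16), "aes256-sha256": (16, 16, 16),
    "aes128gcm": (8, 4, 16), "aes256gcm": (8, 4, 16),
}
OUTER_IP, ESP_HDR = 20, 8            # tunnel-mode outer IPv4 header; ESP SPI + sequence number
UNDERLAY_IP, UDP, VXLAN = 20, 8, 8   # loopback-to-loopback IPv4, UDP, VXLAN header
INNER_ETH, DOT1Q, INNER_IP, TCP = 14, 4, 20, 20  # bridged frame (no FCS), optional tag, host IP/TCP

def esp_payload_budget(proposal, wan_mtu=1500):
    """Largest plaintext ESP can carry in one wan_mtu-sized outer packet, after
    padding to the cipher alignment and the 2-byte trailer (pad length + next header)."""
    iv, align, icv = ESP[proposal]
    room = wan_mtu - OUTER_IP - ESP_HDR - iv - icv
    return room - room % align - 2

def max_inner_mss(proposal, tagged=False, wan_mtu=1500):
    """Largest TCP MSS a host behind the VXLAN switch can use without the outer
    ESP packet exceeding wan_mtu (i.e. without fragmentation or a DF black hole)."""
    overhead = UNDERLAY_IP + UDP + VXLAN + INNER_ETH + (DOT1Q if tagged else 0) + INNER_IP + TCP
    return esp_payload_budget(proposal, wan_mtu) - overhead

def mss_for_policy(proposals, tagged=True, wan_mtu=1500):
    """One conservative clamp value for the policy: the minimum over every proposal
    the phase2 may negotiate, so a rekey onto a different cipher cannot break it."""
    return min(max_inner_mss(p, tagged, wan_mtu) for p in proposals)

if __name__ == "__main__":
    ph2 = ["aes128-sha1", "aes256-sha1", "aes128-sha256", "aes256-sha256", "aes128gcm", "aes256gcm"]
    for p in ph2:
        print(f"{p:14} untagged MSS {max_inner_mss(p)}  802.1q MSS {max_inner_mss(p, True)}")
    print("policy tcp-mss clamp for this phase2:", mss_for_policy(ph2))
```

Hosts default to an MSS of 1460 on a 1500-byte LAN, which is why large HTTPS responses stall while ICMP and small requests pass; clamping to the computed value on the Loopback/VXlanSuIpsec policies avoids having to lower the MTU on every end device.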