Skip to main content
amaroth
amaroth
New Member
October 24, 2018
Question

Small problem with VxLAN over IPsec

  • October 24, 2018
  • 1 reply
  • 5840 views

Hi,

 

Here is my setup

 

 

 

HQ has FG-501E with FortiOS 5.6.5

Branch has FG-61E with FortiOS 5.6.6

 

So I have two sites, HQ and Branch, I wanted to extend one of the HQ VLANs (vlan 892) to Branch, actually it works more or less, but there is a problem in branch office. In branch office I have a cluster of two FG-61E (active-stadby HA) and the vxlan bridge is attached to port internal6. So from both FG-61E port internal6 goes to Cisco C3560X-48T-S switch (SW1 on the picture) and both cables go to access ports.

 

Here is config of one of them:

interface GigabitEthernet0/42   switchport access vlan 892   switchport mode access   spanning-tree portfast

 

And on other ports which has that port settings I can plug computer and I can ping the 172.16.92.1 and I even get IP assigned via DHCP, which means Layer 2 works.

 

However if I want to also "share" vlan 892 to next switch in the branch (SW2) , it is also Cisco C3560X-48T-S and I have a trunk between SW1 and SW2 where vlan 892 is included and configuring access port with vlan 892 there, when I plug to such a port computer, then I can't reach 172.16.92.1 from there.

 

In general I have noticed that if I have ANY trunk between both of FortiGate's then VxLAN doesn't work anymore ! Because obviously in HQ the FortiGate is not connected to ISP directly but it goes via switch (and I needed to have a access ports there as well ! connected to FG-501E). 

 

Why trunk on the path is breaking usability of the tunnel and VxLAN ??

 

Any ideas ?

1 reply

HASimac
HASimac
New Member
October 24, 2018

Hi,

 

Once in trunk mode, do you active vlanforward ??

set vlanforward enable

 

Here's my config

edit "wan2" set vlanforward enable set broadcast-foward enable set l2forward enable set stpforward enable set netbios-forward enable next edit "VxLan-IPsec" set vlanforward enable set broadcast-foward enable set l2forward enable set stpforward enable set netbios-forward enable next

 

Another tips with VXLAN and Dot1q...

It seems that large packet coming from the trunk interface to the Fortigate with DF bit set cannot be "handled" by the FGT.

What I mean by "handled" is that the Fortigate cannot be reset this flag.

So session like ssh works (small packets) but https session not (large packet)...

 

Regards,

 

HA 

amaroth
amarothAuthor
New Member
October 24, 2018

Thanks I will try to do that.

 

Question aside, can the vxlan-interface bridge has IP assigned ?

 

Because currently for computers on that VLAN the HQ (172.16.92.1) is default gateway, and I would rather want them go through my wan1. So I was thinking to give the vxlan-int soft switch IP and make it a gateway for computers in Branch (for Internet).

Terms & ConditionsAccessibility statement