smartini
New Member
March 22, 2023
Question

VxLAN over IPSEC drives me crazy!

  • March 22, 2023
  • 5 replies
  • 8523 views

Hi,

there is this scenario:

HQ with a FGT100E; the firewall itself should be the BO remote network's default gateway (192.168.113.254/24). It has many networks configured, and the other networks can reach 192.168.113.0/24 through firewall routing.

BO with a FGT30E; the LAN network is 192.168.113.0/24.

 

I'd like to set up VXLAN over IPsec between the two sites. I have done it, but I can't manage the default gateway on the 100E without using a physical port, and I don't want to use ports because I have several BOs to connect this way.

I need a L2 link between the BO net and the default gateway in the HQ firewall.

How can I manage this?

 

Best regards

5 replies

funkylicious
SuperUser
March 22, 2023

I have set up something similar, where the device on the remote site was required to exit its local subnet, and I could only achieve it by connecting another physical port, making a software switch with it, and reaching the GW that was on another port, from where it was routed out.

"jack of all trades, master of none"
smartini (Author)
New Member
March 22, 2023

thanks funkylicious,

The configuration of the BO firewall is quite clear: there is a software switch with the LAN port and the IPsec interface with VXLAN encapsulation.

I'm not sure about the HQ firewall configuration..

funkylicious
SuperUser
March 22, 2023

It should be similar on the FGT, with a soft-switch between the phase-1 interface and a port connected to a switch in access mode; this way you can reach the GW, which is in that VLAN on another port/sub-interface.

"jack of all trades, master of none"
funkylicious
SuperUser
March 22, 2023

Also, the IPsec interface needs to be added.

"jack of all trades, master of none"
smartini (Author)
New Member
March 22, 2023

this is only the IPSec interface!

funkylicious
SuperUser
March 22, 2023

Ok, let's start with the basics.

Here's the template that I used to create the VxLAN over IPsec.

Things in CAPITALS, in <>, and other names/interfaces would need to be adapted to your needs; the same goes for both ends, with the proper changes, like firewall rules.

 

Play around w/ it and see if you can make it work based on your needs and the diagram above.

 

 

# Phase 1: the outer IPsec SA carries VXLAN frames between LOCAL_WAN and REM_WAN
config vpn ipsec phase1-interface
    edit "p1"
        set interface WAN_INTF
        set peertype any
        set proposal aes128-sha1 aes128-sha256
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 LOCAL_WAN
        set encap-remote-gw4 REM_WAN
        set remote-gw REM_WAN
        set psksecret PSK
    next
end
config vpn ipsec phase2-interface
    edit "p2"
        set phase1name "p1"
        set proposal aes128-sha1 aes128-sha256
    next
end
# Software switch: bridges the physical PORT and the tunnel interface p1 at layer 2
config system switch-interface
    edit "VXLAN-SW"
        set vdom root
        set member PORT p1
    next
end

 

 

"jack of all trades, master of none"
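As an added worked example (not part of the original post, and not taken from Fortinet documentation), here is the template above filled in for the topology described in the question. Everything in quotes is an assumption: the WAN addresses 203.0.113.1 (HQ) and 198.51.100.1 (BO) are placeholders, "wan1"/"internal" and "wan"/"lan" stand for the 100E and 30E interfaces, and the template's aes128-sha1 proposal is replaced with aes256-sha256 plus DH group 14 (my choice, since SHA-1 should not be negotiated on a new tunnel). The HQ side terminates the BO segment on a software switch whose only member is the VXLAN tunnel and puts the gateway address on that switch, which is what would free the physical port; whether FortiOS 6.0 accepts a single-member software switch is itself an assumption to verify in the lab, and if it does not, add a spare port as a second member as funkylicious suggests.

```text
# ===== HQ side: FGT100E. Names in quotes are assumptions. =====
config vpn ipsec phase1-interface
    edit "bo1-p1"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 203.0.113.1
        set encap-remote-gw4 198.51.100.1
        set remote-gw 198.51.100.1
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "bo1-p2"
        set phase1name "bo1-p1"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
# The BO LAN segment ends on this switch; the gateway IP lives on the switch,
# not on a physical port (assumption: single-member switch accepted on 6.0).
config system switch-interface
    edit "BO1-SW"
        set vdom "root"
        set member "bo1-p1"
    next
end
config system interface
    edit "BO1-SW"
        set ip 192.168.113.254 255.255.255.0
        set allowaccess ping
    next
end
# Policies reference the switch, never its member tunnel; "internal" stands
# in for the HQ interface(s) that hold the other networks.
config firewall policy
    edit 0
        set name "BO1-to-HQ"
        set srcintf "BO1-SW"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "HQ-to-BO1"
        set srcintf "internal"
        set dstintf "BO1-SW"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== BO side: FGT30E. LAN and tunnel are bridged; hosts on
# 192.168.113.0/24 use 192.168.113.254 at HQ as their gateway. =====
config vpn ipsec phase1-interface
    edit "hq-p1"
        set interface "wan"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 198.51.100.1
        set encap-remote-gw4 203.0.113.1
        set remote-gw 203.0.113.1
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "hq-p2"
        set phase1name "hq-p1"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config system switch-interface
    edit "LAN-SW"
        set vdom "root"
        set member "lan" "hq-p1"
    next
end
# Management address only; the 30E is a bridge here, not the gateway.
config system interface
    edit "LAN-SW"
        set ip 192.168.113.253 255.255.255.0
        set allowaccess ping https
    next
end
```

Two points worth keeping in mind when adapting this: traffic between members of one software switch is bridged and does not pass through firewall policy, so the BO side needs no policy for hosts to reach 192.168.113.254, while the HQ side needs policies between the switch and every other interface the BO hosts should reach; and `peertype any` is tolerable only because `remote-gw` is static on both ends, so if a BO ever sits behind a dynamic address, switch to peer IDs or certificates rather than accepting any peer on the PSK.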
smartini (Author)
New Member
March 24, 2023

I'm noticing a very strange thing: no policy is matched when I try to ping the remote network from the internal LAN, but the policy exists.

 


 

funkylicious
SuperUser
March 24, 2023

I am pretty sure that you have a physical interface in that software switch instead of the IPsec tunnel interface, because of the icon, which is the reason it is not working.

"jack of all trades, master of none"
smartini (Author)
New Member
March 24, 2023

There isn't any interface with that name, and I don't have any other icon choice!

funkylicious
SuperUser
March 24, 2023

Ok, back to the basics.

Please provide a sanitized config of what's in place now, along with the firewall rules regarding this IPsec tunnel.

"jack of all trades, master of none"
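An added troubleshooting sequence for the "no policy matched" symptom, not taken from the thread. It assumes the HQ-side names from the template post (tunnel "p1", software switch "VXLAN-SW") and a constructed BO host 192.168.113.10 pinging something at HQ; run it on the 100E CLI while the ping is repeating.

```text
# 1. Tunnel state: phase 1 gateway and phase 2 SAs must be up before any
#    bridged frame can arrive at all.
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 2. What the firewall believes the tunnel is. If "p1" has no
#    "set encapsulation vxlan", or is missing from the switch member list,
#    the layer-2 bridge never forms and policies are never consulted.
show vpn ipsec phase1-interface p1
show system switch-interface VXLAN-SW

# 3. Trace the policy lookup for the ping (ICMP = proto 1). With a software
#    switch the frame arrives on "VXLAN-SW", so a policy whose srcintf is
#    "p1" or the member port is never matched; the iprope lines name the
#    policy id that was tried (policy 0 means nothing matched).
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.113.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 20
diagnose debug enable
# ... let the ping run, then stop tracing:
diagnose debug disable
diagnose debug reset

# 4. Confirm frames really enter via the tunnel and leave via the switch
#    (verbosity 4 prints interface names; stop after 10 packets).
diagnose sniffer packet any 'host 192.168.113.10 and icmp' 4 10
```

Read the step 3 output for the interface named in the "iprope_in_check()" / "Denied by forward policy check (policy 0)" lines: if it is not the name used as srcintf in the policy, the policy is bound to the wrong interface, and if the trace shows "reverse path check fail", the 100E has no route to 192.168.113.0/24 via the switch interface, which is the case when the gateway IP was never put on the switch.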
smartini (Author)
New Member
March 24, 2023

There is no physical interface with that name. The only reference with that name is the VPN IPSec with VxLAN encapsulation.


Julien87
Contributor II
March 24, 2023

Strange, what is your version? If I can, I will try your topology in a lab next week.

smartini (Author)
New Member
March 24, 2023

Thanks! The HQ firewall is a cluster of two 100E with FortiOS 6.0.16, the BO firewall is a single 30E with 6.0.16.

Let me know if you find something!