VXLAN over IPSec tunnel issues

Question

Hello all, I have an MPLS circuit and I want to run an encrypted end to end connection over it using two Fortigate 60E boxes. I am trying to follow a cookbook recipe from the KB on using a virtual-wire and an IPSec tunnel. Its been challenging because the examples do *not work* out of the box.

This is the most useful cookbook / KB I have found: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/821119/vxlan-over-ipsec-tunnel

Namely the issues that I have had is that the ports being used for this configuration must first be removed from the "internal" switch group. I have to wonder if that is causing me problems because there is some sort of other policy applied to those ports? Also, all of the notes refer to these are "port1" and "port2", etc. but my ports are named "internal1" and "internal2". Again, maybe just a code revision as the KB I am reading was for 6.2.0 and I am running 6.4.1

Also, when I get to the step of configuring the virtual switch I get an error about the member not being in the dataset. I found another forum post where someone suggested you delete all references to that member. The only references I had were the firewall rules from an earlier step. So I deleted all the firewall rules. Then created the virtual switch. Then re-created those same rules, and that seemed to work? But ... it doesn't function at all.

My end result is that the VPN tunnel is not establishing over port1 (internal1 in my case) and I cannot ping the other firewall's interface.

Can someone take a look and see what I might be doing wrong? :) I am attaching one of the sanitized configs (cant seem to attach more than file here?).

Note that I am attempting to send ALL of my L2 traffic from one end to the other. The example was created for a single subnet. So that may also be my issue is that I changed the firewall rules to any/any?

echo · Answer

Have you got this working? I also want to start using it in my environment.

Port names depend on Fortigate model, some have portx, some have internalx with x=1,2,...

From your configuration, I see that you have software-switch called "VXLAN-HQ2" with members internal2 and to_HQ2 (IPSEC-tunnel interface) as in the manual but where's the internal IP-address defined? In the example the network is 10.1.100.0/24, in your configuration the dmz has 10.10.10.1/24. Unclear from the example is this: where is the default gateway of 10.1.100.0/24 defined. Maybe one has to choose the side, HQ1 or HQ2 and use it for either dmz or port9 (possibly on bigger HQ side). Another theoretical option would be to use this address on software switch interface but I don't know if this is the case for VXLAN's.

In Fortinet's example, I see that maybe using IPSEC-interface to_HQ2 in firewall rules is not correct or not sufficient: maybe the software switch's interface VXLAN-HQ2 has to be used instead or in addition to the one shown in the example. Check the logs! If this is the case then that may be the reason why the tunnel does not come up. Using any/any firewall rules as you have done (for a test at least) let's you more easily to narrow down the problem.

I understand that when one wants to use one single network/VLAN going over the IPSEC tunnel then it is OK for using encapsulation VXLAN on the IPSEC settings but when one wants to select which VLANs spread over the tunnel this way then another configuration has to be done, maybe something like this: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/392860/vlan-inside-vxlan

But maybe this is not what you want to achieve. For me, this what I want to achieve and I'd like to find a way how it works.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded