Article Id 191207


This article describes how to configure VXLAN over IPsec tunnel.


FortiGate configuration taken from the branch unit:

1.    Configure the WAN1 interface (the WAN address is omitted in this article):
config system interface
    edit "wan1"
        set vdom "root"
        set ip
        set type physical
    next
end

2.    Configure the interface-based VXLAN IPsec tunnel, phase1 and phase2 (gateway addresses are omitted in this article):
config vpn ipsec phase1-interface
    edit "VXtoHQ"
        set interface "wan1"
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4
        set encap-remote-gw4
        set remote-gw
        set psksecret somePassword
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN_ph2"
        set phase1name "VXtoHQ"
        set proposal aes256-sha1
    next
end

3.    Configure a switch interface that includes the internal port1 and the VXLAN interface. Devices behind port1 then have direct layer 2 access to the remote HQ over the VXLAN tunnel. With intra-switch-policy set to explicit, traffic between the switch members is only forwarded when a firewall policy allows it, which is why step 4 is required:
config system switch-interface
    edit "VXLAN_interface_zone"
        set member "port1" "VXtoHQ"
        set intra-switch-policy explicit
    next
end

4.    Create firewall policies to allow communication initiated from both sides:
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "VXtoHQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "VXtoHQ"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

5.    Configure the tunnel on the HQ firewall as well. Change the phase1 parameters so that the local and remote gateway IPs are swapped relative to the branch unit. Create the switch interface and firewall policies in the same way as on the branch unit.
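Step 5 is where mismatched tunnels usually originate, so the following added example (not part of the article or Fortinet's own tooling) renders the phase1/phase2 CLI for both ends from one set of parameters and checks that the two sides mirror each other. The gateway IPs and the HQ tunnel name "VXtoBranch" are constructed placeholders; the article omits the real addresses.

```python
# Added example: derive the HQ side of the VXLAN-over-IPsec tunnel from the
# branch parameters and check both sides agree. IPs are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelSide:
    name: str        # phase1-interface name, e.g. VXtoHQ
    wan: str         # outgoing interface, e.g. wan1
    local_gw: str    # this unit's gateway address (encap-local-gw4)
    remote_gw: str   # peer's gateway address (encap-remote-gw4 / remote-gw)
    psk: str
    proposal: str = "aes256-sha1"

def phase1_cli(side: TunnelSide) -> str:
    """FortiOS CLI for one side, in the same layout the article uses."""
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{side.name}"',
        f'        set interface "{side.wan}"',
        f"        set proposal {side.proposal}",
        "        set encapsulation vxlan",
        "        set encapsulation-address ipv4",
        f"        set encap-local-gw4 {side.local_gw}",
        f"        set encap-remote-gw4 {side.remote_gw}",
        f"        set remote-gw {side.remote_gw}",
        f"        set psksecret {side.psk}",
        "    next", "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{side.name}_ph2"',
        f'        set phase1name "{side.name}"',
        f"        set proposal {side.proposal}",
        "    next", "end",
    ])

def mirror_for_hq(branch: TunnelSide, name: str, wan: str) -> TunnelSide:
    """Step 5: the same tunnel seen from HQ, local and remote gateways swapped."""
    return TunnelSide(name, wan, branch.remote_gw, branch.local_gw, branch.psk, branch.proposal)

def mismatches(a: TunnelSide, b: TunnelSide) -> list[str]:
    """Reasons the two sides would fail to negotiate (empty list = consistent)."""
    problems = []
    if a.local_gw != b.remote_gw or a.remote_gw != b.local_gw:
        problems.append("encap/remote gateway addresses are not mirrored")
    if a.psk != b.psk:
        problems.append("psksecret differs")
    if a.proposal != b.proposal:
        problems.append("proposal differs")
    return problems

# Constructed sample values (placeholders, not addresses from the article).
BRANCH = TunnelSide("VXtoHQ", "wan1", "198.51.100.10", "203.0.113.20", "somePassword")
HQ = mirror_for_hq(BRANCH, "VXtoBranch", "wan1")
```

Paste the output of phase1_cli(BRANCH) and phase1_cli(HQ) into the respective units; an empty mismatches(BRANCH, HQ) is the check that the gateways, PSK and proposals line up before the switch interface and policies are added.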


A computer on the branch subnet ( should be able to access all resources in the same subnet ( located behind the HQ firewall.

Ping from the branch computer to the HQ server:
[root@debian8-branch ~]# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=128 time=1.81 ms
64 bytes from icmp_seq=2 ttl=128 time=1.94 ms
64 bytes from icmp_seq=3 ttl=128 time=1.83 ms
--- statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.810/1.865/1.948/0.069 ms

Debug flow trace captured on the branch FortiGate (the packet is allowed by policy 1, leaves via the VXLAN interface VXtoHQ, is ESP-encrypted and sent out wan1; the reply matches the existing session and is forwarded to port1):
FGT-branch #
id=20085 trace_id=53 func=print_pkt_detail line=4436 msg="vd-root received a packet(proto=1,> from port1. code=8, type=0, id=16644, seq=1."
id=20085 trace_id=53 func=init_ip_session_common line=4585 msg="allocate a new session-000269b4"
id=20085 trace_id=53 func=br_fw_forward_handler line=504 msg="Allowed by Policy-1:"
id=20085 trace_id=53 func=__if_queue_push_xmit line=368 msg="send out via dev-VXtoHQ, dst-mac-00:0c:29:ed:8b:57"
id=20085 trace_id=53 func=ipsecdev_hard_start_xmit_vxlan line=334 msg="enter IPsec interface-VXtoHQ"
id=20085 trace_id=53 func=esp_output4 line=1031 msg="IPsec encrypt/auth"
id=20085 trace_id=53 func=ipsec_output_finish line=517 msg="send to via intf-wan1"
id=20085 trace_id=54 func=print_pkt_detail line=4436 msg="vd-root received a packet(proto=1,> from VXtoHQ. code=0, type=0, id=16644, seq=1."
id=20085 trace_id=54 func=resolve_ip_tuple_fast line=4495 msg="Find an existing session, id-000269b4, reply direction"
id=20085 trace_id=54 func=__if_queue_push_xmit line=368 msg="send out via dev-port1, dst-mac-00:0c:29:54:5e:3b"

Related Articles

Technical Note: Building a Layer-2 VPN with VxLAN over IPsec