Technical Tip: Basic VXLAN over IPsec configuration

snowman_FTNT · ‎04-25-2016

Description

This article describes how to configure VXLAN over IPsec tunnel.

Solution

FortiGate Configuration taken from Branch unit:

1. Configure WAN1 interface

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.108.16.112 255.255.255.0
        set type physical
    next
end

2. Configure interface based VXLAN IPSec tunnel phase1 and phase2

config vpn ipsec phase1-interface
    edit "VXtoHQ"
        set interface "wan1"
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.108.16.112
        set encap-remote-gw4 10.108.16.110
        set remote-gw 10.108.16.110
        set psksecret somePassword
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN_ph2"
        set phase1name "VXtoHQ"
        set proposal aes256-sha1
    next

3. Configure switch interface to include internal port1 and VXLAN interface, devices behind port1 will have direct layer 2 access to remote HQ over the VXLAN tunnel.

config system switch-interface
    edit "VXLAN_interface_zone"
        set member "port1" "VXtoHQ"
        set intra-switch-policy explicit
    next
end

4. Create firewall policy to allow communication initiated from both sides:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "VXtoHQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "VXtoHQ"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

5. Configure the tunnel on the HQ firewall as well. Modify the phase1 parameters to match local and remote gateway IPs. Create the switch interface and firewall policy in the same way as on the branch unit.

Verification

Computer from the branch subnet (192.168.100.130) should be able to access all resources in the same subnet (192.168.100.10) located behind the HQ firewall.

Ping from Branch computer to HQ server:

[root@debian8-branch ~]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=128 time=1.81 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=128 time=1.94 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=128 time=1.83 ms
^C
--- 192.168.100.10ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.810/1.865/1.948/0.069 ms

Debug flow trace captured from the branch FortiGate:

FGT-branch #
id=20085 trace_id=53 func=print_pkt_detail line=4436 msg="vd-root received a packet(proto=1, 192.168.100.130:16644->192.168.100.10:8) from port1. code=8, type=0, id=16644, seq=1."
id=20085 trace_id=53 func=init_ip_session_common line=4585 msg="allocate a new session-000269b4"
id=20085 trace_id=53 func=br_fw_forward_handler line=504 msg="Allowed by Policy-1:"
id=20085 trace_id=53 func=__if_queue_push_xmit line=368 msg="send out via dev-VXtoHQ, dst-mac-00:0c:29:ed:8b:57"
id=20085 trace_id=53 func=ipsecdev_hard_start_xmit_vxlan line=334 msg="enter IPsec interface-VXtoHQ"
id=20085 trace_id=53 func=esp_output4 line=1031 msg="IPsec encrypt/auth"
id=20085 trace_id=53 func=ipsec_output_finish line=517 msg="send to 10.108.16.110 via intf-wan1"
id=20085 trace_id=54 func=print_pkt_detail line=4436 msg="vd-root received a packet(proto=1, 192.168.100.10:16644->192.168.100.130:0) from VXtoHQ. code=0, type=0, id=16644, seq=1."
id=20085 trace_id=54 func=resolve_ip_tuple_fast line=4495 msg="Find an existing session, id-000269b4, reply direction"
id=20085 trace_id=54 func=__if_queue_push_xmit line=368 msg="send out via dev-port1, dst-mac-00:0c:29:54:5e:3b"

Related Articles

Technical Note: Building a Layer-2 VPN with VxLAN over IPsec