Article Id 261364
Description

 

This article describes how to configure VXLAN over IPsec with multiple remote-ip entries per VNI, using a loopback interface as the VXLAN source interface.

 

Scope

 

FortiGate.

 

Solution

 

Diagram:

 

KB_vxlan.drawio (1).png

 

Use the CLI commands below. Each of the three FortiGates (FGT-A, FGT-B, FGT-C) has one IPsec tunnel to each of the other two, and its VXLAN remote-ip list holds the loopback addresses of the other two units:

 

'FGT-A'

 

config system interface
    # Loopback used as the local VXLAN tunnel endpoint: the vxlan entry below
    # binds to it, and the peers reach this /32 through their static routes
    # into the IPsec tunnels.
    edit "loop"
        set vdom "root"
        set ip 172.29.100.209 255.255.255.255
        # Only ICMP is admitted on this interface; keep management access off it.
        set allowaccess ping
        set type loopback
    next
end

 

config system vxlan
    # VNI 240 sourced from the loopback. remote-ip lists the loopback addresses
    # of FGT-B (.210) and FGT-C (.208); each is steered into its IPsec tunnel by
    # the /32 static routes further below.
    edit "vni240"
        set interface "loop"
        set vni 240
        set remote-ip "172.29.100.210" "172.29.100.208"
    next
end

 

config system switch-interface
    # Software switch bridging port1 with the VXLAN interface, i.e. the L2
    # segment on port1 is extended to the peers.
    # NOTE(review): every host on port1 is bridged into the VNI -- confirm that
    # is the intended segment before enabling.
    edit "sw_vxlan"
        set vdom "root"
        set member "port1" "vni240"
    next
end

 

config vpn ipsec phase1-interface
    # One phase1 per remote FortiGate. net-device is disabled so the tunnel
    # itself ("S2S"/"S2S2") is the device referenced by the static routes below.
    edit "S2S"
        # Underlay interface the IKE/ESP traffic is sent from (presumably the
        # WAN-facing port on this unit -- confirm for your deployment).
        set interface "s1"
        set peertype any
        set net-device disable
        # sha256 proposals are listed first; the sha1 entries are kept only for
        # interoperability and can be removed once every peer negotiates sha256.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Underlay address of FGT-B, whose loopback (172.29.100.210) is routed
        # over this tunnel.
        set remote-gw 10.109.16.172
        # 'password' is an article placeholder: use a long, random pre-shared key
        # that is unique per peer and identical on both ends of the tunnel.
        set psksecret password
    next
    edit "S2S2"
        set interface "s1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Underlay address of FGT-C, whose loopback (172.29.100.208) is routed
        # over this tunnel.
        set remote-gw 10.109.16.190
        # Placeholder -- replace with a distinct strong PSK for this peer.
        set psksecret password
    next
end

 

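config vpn ipsec phase2-interface
    # One phase2 per phase1. Proposals are ordered sha256-first so the preference
    # matches the phase1 lists; the sha1 entries remain for interoperability and
    # can be dropped once all peers accept sha256.
    edit "S2S"
        set phase1name "S2S"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Bring the SA up proactively instead of waiting for the first matching
        # packet, so the VXLAN routes are usable as soon as the tunnel is up.
        set auto-negotiate enable
    next
    edit "S2S2"
        set phase1name "S2S2"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set auto-negotiate enable
    next
end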

 

config router static
    # Host routes for the remote loopbacks, one per tunnel interface. These are
    # what carry the VXLAN traffic for each remote-ip into the right IPsec tunnel.
    edit 2
        # FGT-B loopback via the tunnel to 10.109.16.172
        set dst 172.29.100.210 255.255.255.255
        set device "S2S"
    next
    edit 3
        # FGT-C loopback via the tunnel to 10.109.16.190
        set dst 172.29.100.208 255.255.255.255
        set device "S2S2"
    next
end

 

config firewall policy
    # Both policies are deliberately wide open (all/all/ALL) for the lab. The
    # only traffic required here is VXLAN (UDP/4789) between the local loopback
    # address and the two remote loopback addresses; once the tunnels are
    # verified, restrict srcaddr/dstaddr to those addresses and service to that
    # port so nothing else can transit between the loopback and the tunnels.
    edit 1
        # Outbound: encapsulated VXLAN leaving the loopback towards either tunnel.
        set name "Loopback to IPSec"
        set srcintf "loop"
        set dstintf "S2S" "S2S2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        # Inbound: VXLAN arriving from either tunnel for the loopback.
        set name "IPSec to Loopback"
        set srcintf "S2S" "S2S2"
        set dstintf "loop"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

'FGT-B'

 

config system interface
    # Loopback used as FGT-B's VXLAN tunnel endpoint; FGT-A and FGT-C reach this
    # /32 through their static routes into the IPsec tunnels.
    edit "loop"
        set vdom "root"
        set ip 172.29.100.210 255.255.255.255
        # Only ICMP is admitted on this interface; keep management access off it.
        set allowaccess ping
        set type loopback
    next
end

 

config system vxlan
    # VNI 240 sourced from the loopback. remote-ip lists the loopback addresses
    # of FGT-A (.209) and FGT-C (.208), each routed into its own IPsec tunnel
    # by the /32 static routes below.
    edit "vni240"
        set interface "loop"
        set vni 240
        set remote-ip "172.29.100.209" "172.29.100.208"
    next
end

 

config system switch-interface
    # Software switch bridging port1 with the VXLAN interface.
    # NOTE(review): every host on port1 is bridged into the VNI -- confirm that
    # is the intended segment before enabling.
    edit "sw_vxlan"
        set vdom "root"
        set member "port1" "vni240"
    next
end

 

config vpn ipsec phase1-interface
    # One phase1 per remote FortiGate; net-device disabled so the tunnel itself
    # is the device used by the static routes below.
    edit "S2S"
        # Underlay interface for IKE/ESP (presumably WAN-facing -- confirm).
        set interface "s1"
        set peertype any
        set net-device disable
        # sha256 first; sha1 entries kept only for interoperability.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Underlay address of FGT-A, whose loopback (172.29.100.209) is routed
        # over this tunnel.
        set remote-gw 10.109.16.171
        # 'password' is an article placeholder: use a long, random PSK that is
        # unique per peer and identical on both ends.
        set psksecret password
    next
    edit "S2S2"
        set interface "s1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Underlay address of FGT-C, whose loopback (172.29.100.208) is routed
        # over this tunnel.
        set remote-gw 10.109.16.190
        # Placeholder -- replace with a distinct strong PSK for this peer.
        set psksecret password
    next
end

 

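config vpn ipsec phase2-interface
    # One phase2 per phase1. Proposals are ordered sha256-first to match the
    # phase1 lists; the sha1 entries remain for interoperability and can be
    # dropped once all peers accept sha256.
    edit "S2S"
        set phase1name "S2S"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Bring the SA up proactively rather than on first matching traffic.
        set auto-negotiate enable
    next
    edit "S2S2"
        set phase1name "S2S2"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set auto-negotiate enable
    next
end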

 

config router static
    # Host routes for the remote loopbacks, one per tunnel interface.
    edit 2
        # FGT-A loopback via the tunnel to 10.109.16.171
        set dst 172.29.100.209 255.255.255.255
        set device "S2S"
    next
    edit 3
        # FGT-C loopback via the tunnel to 10.109.16.190
        set dst 172.29.100.208 255.255.255.255
        set device "S2S2"
    next
end

 

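config firewall policy
    # Both policies are deliberately wide open (all/all/ALL) for the lab. The
    # only traffic required here is VXLAN (UDP/4789) between the local loopback
    # address and the two remote loopback addresses; once the tunnels are
    # verified, restrict srcaddr/dstaddr to those addresses and service to that
    # port. Statement order and indentation aligned with the FGT-A listing.
    edit 1
        # Outbound: encapsulated VXLAN leaving the loopback towards either tunnel.
        set name "Loopback to IPSec"
        set srcintf "loop"
        set dstintf "S2S" "S2S2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        # Inbound: VXLAN arriving from either tunnel for the loopback.
        set name "IPSec to Loopback"
        set srcintf "S2S" "S2S2"
        set dstintf "loop"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end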

 

'FGT-C'

 

config system interface
    # Loopback used as FGT-C's VXLAN tunnel endpoint; FGT-A and FGT-B reach this
    # /32 through their static routes into the IPsec tunnels.
    edit "loop"
        set vdom "root"
        set ip 172.29.100.208 255.255.255.255
        # Only ICMP is admitted on this interface; keep management access off it.
        set allowaccess ping
        set type loopback
    next
end

 

config system vxlan
    # VNI 240 sourced from the loopback. remote-ip lists the loopback addresses
    # of FGT-A (.209) and FGT-B (.210), each routed into its own IPsec tunnel
    # by the /32 static routes below.
    edit "vni240"
        set interface "loop"
        set vni 240
        set remote-ip "172.29.100.209" "172.29.100.210"
    next
end

 

config system switch-interface
    # Software switch bridging port1 with the VXLAN interface.
    # NOTE(review): every host on port1 is bridged into the VNI -- confirm that
    # is the intended segment before enabling.
    edit "sw_vxlan"
        set vdom "root"
        set member "port1" "vni240"
    next
end

 

config vpn ipsec phase1-interface
    # One phase1 per remote FortiGate; net-device disabled so the tunnel itself
    # is the device used by the static routes below.
    edit "S2S"
        # Underlay interface for IKE/ESP; this unit uses wan1 where FGT-A/B use s1.
        set interface "wan1"
        set peertype any
        set net-device disable
        # sha256 first; sha1 entries kept only for interoperability.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Underlay address of FGT-A, whose loopback (172.29.100.209) is routed
        # over this tunnel.
        set remote-gw 10.109.16.171
        # 'password' is an article placeholder: use a long, random PSK that is
        # unique per peer and identical on both ends.
        set psksecret password
    next
    edit "S2S2"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Underlay address of FGT-B, whose loopback (172.29.100.210) is routed
        # over this tunnel.
        set remote-gw 10.109.16.172
        # Placeholder -- replace with a distinct strong PSK for this peer.
        set psksecret password
    next
end

 

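config vpn ipsec phase2-interface
    # One phase2 per phase1. Proposals are ordered sha256-first to match the
    # phase1 lists; the sha1 entries remain for interoperability and can be
    # dropped once all peers accept sha256.
    edit "S2S"
        set phase1name "S2S"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        # Bring the SA up proactively rather than on first matching traffic.
        set auto-negotiate enable
    next
    edit "S2S2"
        set phase1name "S2S2"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set auto-negotiate enable
    next
end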

 

config router static
    # Host routes for the remote loopbacks, one per tunnel interface.
    edit 2
        # FGT-A loopback via the tunnel to 10.109.16.171
        set dst 172.29.100.209 255.255.255.255
        set device "S2S"
    next
    edit 3
        # FGT-B loopback via the tunnel to 10.109.16.172
        set dst 172.29.100.210 255.255.255.255
        set device "S2S2"
    next
end

 

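config firewall policy
    # Both policies are deliberately wide open (all/all/ALL) for the lab. The
    # only traffic required here is VXLAN (UDP/4789) between the local loopback
    # address and the two remote loopback addresses; once the tunnels are
    # verified, restrict srcaddr/dstaddr to those addresses and service to that
    # port. Statement order and indentation aligned with the FGT-A listing.
    edit 1
        # Outbound: encapsulated VXLAN leaving the loopback towards either tunnel.
        set name "Loopback to IPSec"
        set srcintf "loop"
        set dstintf "S2S" "S2S2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        # Inbound: VXLAN arriving from either tunnel for the loopback.
        set name "IPSec to Loopback"
        set srcintf "S2S" "S2S2"
        set dstintf "loop"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end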
