FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Staff
Article Id 195488

Description


This article describes how to configure VXLAN over IPsec for multiple VLANs.

 

Scope

 

FortiGate.


Solution

 

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets using standard destination port 4789.
 
 
 
  1. WAN interface configuration.
    This configuration is focused on how to configure two or more VLANs which can be used with VXLAN to extend the Layer2 connectivity across two different locations. 
 
Stephen_G_0-1700433806772.png
 
  1. Make sure that connectivity between both FortiGates is working to bring the IPsec tunnel up.
  2. Configuring IPsec VPN tunnel:
Note:
The 'set encapsulation vxlan' config in the ipsec tunnel has already been deprecated. 
 

FGT1

FGT2

Phase1 config:

 

config vpn ipsec phase1-interface

    edit "ipsec"

        set interface "wan1"

        set peertype any

        set net-device disable

        set proposal aes256-sha1

        set remote-gw 1.1.1.2

        set psksecret xx

    next

end

 

Phase2 config:

 

config vpn ipsec phase2-interface

    edit "ipsec"

        set phase1name "ipsec"

        set proposal aes256-sha1

        set auto-negotiate enable

    next

end

 

Tunnel interface config:

 

config system interface

    edit "ipsec"

        set vdom "root"

        set ip 2.2.2.2 255.255.255.255

        set allowaccess ping

        set type tunnel

        set remote-ip 2.2.2.1 255.255.255.252

        set snmp-index 20

        set interface "wan1"

    next

Phase1 config:

 

config vpn ipsec phase1-interface

    edit "ipsec"

        set interface "wan1"

        set peertype any

        set net-device disable

        set proposal aes256-sha1

        set remote-gw 1.1.1.1

        set psksecret xx

    next

end

 

Phase2 config:

 

config vpn ipsec phase2-interface

    edit "ipsec"

        set phase1name "ipsec"

        set proposal aes256-sha1

        set auto-negotiate enable

    next

end

 

Tunnel interface config:

 

config system interface

    edit "ipsec"

        set vdom "root"

        set ip 2.2.2.1 255.255.255.255

        set allowaccess ping

        set type tunnel

        set remote-ip 2.2.2.2 255.255.255.252

        set snmp-index 20

        set interface "wan1"

    next

 
  1. This configuration will bring the IPsec tunnel up. Verify it as well.

    It may be required to create a policy from the interface 'ipsec' to 'ipsec' so the tunnel can go up (tested in FortiOS v7.0.11).
config firewall policy
    edit 0
        set name "IPSECTUNNELPolicy"
        set srcintf "ipsec"
        set dstintf "ipsec"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
 
  1. Configure VLAN interfaces.
  
Stephen_G_1-1700433940115.png
 
  1. Configure VXLAN interfaces for both VLANs.
 
Stephen_G_2-1700433990027.png
 
  1. Configure the software switch interface: 
 
Stephen_G_3-1700434010530.png
 
  1. Test the connectivity by pinging the client connected to VLAN50 on 'SW1' towards the client connected to vlan50 on 'SW2'. Also, test the connectivity from the client connected on VLAN50 on 'SW2' towards the client connected on VLAN50 on 'SW1'.

  2. Repeat the same test for the client in VLAN60.

  3. In this setup, no firewall policies would be required. The reason for this is the option 'set intra-switch-policy implicit' configured under 'config system switch-interface' for both VLANs. With intra-switch-policy implicit, it is needed to expect some limitations. More information can be found here Software switch and intra-switch-policy.

  4. If there is a requirement to use firewall policies, this option needs to be changed. 
  5. Do not configure VLAN1 in the FortiGate as it is not recommended, and FortiGate uses VLAN1 for internal communication between FortiGate and FortiSwitch.
 
Note:
If both FortiGates are in an HA pair, change the HA group-id for any one cluster. When FortiGates are in a cluster, they will use virtual MAC addresses. Switch interfaces on both sides can have the same virtual MAC address, which will result in connectivity issues.
 
Note:
The VLAN interface must be free of references and must not have any IP addresses to be added under the software switch.
 

Related articles:

Technical Tip: Software switch policy.

Technical Tip: Verifying physical and HA virtual MAC addresses of FortiGate interfaces.

Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111