FortiGate
sagha
Staff

Description


This article describes how to configure VXLAN over IPsec for multiple VLANs.


Solution

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments.
It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets, using the standard UDP destination port 4789.

1) WAN interface configuration.

This configuration is focused on how to configure two or more VLANs which can be used with VXLAN to extend Layer 2 connectivity across two different locations.

2) Make sure that connectivity between both FortiGates is working, in order to bring the IPsec tunnel up.

3) Configure the IPsec VPN tunnel.
 

FGT1

Phase1 config:

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set remote-gw 1.1.1.2
        set psksecret xx
    next
end

Phase2 config:

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes256-sha1
        set auto-negotiate enable
    next
end

Tunnel interface config:

config system interface
    edit "ipsec"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.1 255.255.255.252
        set snmp-index 20
        set interface "wan1"
    next
end

FGT2

Phase1 config:

config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set remote-gw 1.1.1.1
        set psksecret xx
    next
end

Phase2 config:

config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes256-sha1
        set auto-negotiate enable
    next
end

Tunnel interface config:

config system interface
    edit "ipsec"
        set vdom "root"
        set ip 2.2.2.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 2.2.2.2 255.255.255.252
        set snmp-index 20
        set interface "wan1"
    next
end


4) This configuration will bring the IPsec tunnel up. Verify the tunnel status as well.

5) Configure the VLAN interfaces.

6) Configure the VXLAN interfaces for both VLANs.

7) Configure the software switch interfaces:

8) Test the connectivity by pinging from a client connected to VLAN50 on 'SW1' to the client connected to VLAN50 on 'SW2'. Also test the connectivity from the client connected to VLAN50 on 'SW2' to the client connected to VLAN50 on 'SW1'.

9) Repeat the same test for the clients in VLAN60.

10) In this setup, no firewall policies are required. The reason for this is the option 'set intra-switch-policy implicit' configured under 'config system switch-interface' for both VLANs.

11) If there is a requirement to use firewall policies, this option needs to be changed.
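The CLI for steps 5 to 7 is not reproduced above, so the following is an added example of the FGT1 side (not the article's own configuration). It assumes 'port2' as the LAN port, the interface names vlan50/vlan60, vxlan50/vxlan60 and sw-vlan50/sw-vlan60, and VNIs 50 and 60; FGT2 is configured the same way, except that remote-ip is 2.2.2.2 (FGT1's tunnel address) instead of 2.2.2.1.

```fortios
# FGT1. Assumed names: port2 (LAN port), vlan50/vlan60, vxlan50/vxlan60, sw-vlan50/sw-vlan60.
# Step 5: VLAN sub-interfaces on the LAN port. No IP address, because they become
# members of a software switch (the switch, not the member, would carry an IP).
config system interface
    edit "vlan50"
        set vdom "root"
        set interface "port2"
        set vlanid 50
    next
    edit "vlan60"
        set vdom "root"
        set interface "port2"
        set vlanid 60
    next
end
# Step 6: one VXLAN interface per VLAN, each with its own VNI, bound to the IPsec
# tunnel interface "ipsec" from step 3. remote-ip is FGT2's tunnel address, so the
# UDP/4789 VXLAN packets are only ever sent through the tunnel.
config system vxlan
    edit "vxlan50"
        set interface "ipsec"
        set vni 50
        set remote-ip "2.2.2.1"
    next
    edit "vxlan60"
        set interface "ipsec"
        set vni 60
        set remote-ip "2.2.2.1"
    next
end
# Step 7: one software switch per VLAN, bridging the local VLAN with its VXLAN
# interface. intra-switch-policy implicit is what makes steps 10 and 11 true:
# traffic between members is switched without firewall policies. Set it to
# explicit if policies must be enforced between the VLAN and the VXLAN side.
config system switch-interface
    edit "sw-vlan50"
        set vdom "root"
        set member "vlan50" "vxlan50"
        set intra-switch-policy implicit
    next
    edit "sw-vlan60"
        set vdom "root"
        set member "vlan60" "vxlan60"
        set intra-switch-policy implicit
    next
end
```

Keeping VLAN 50 and VLAN 60 on separate VNIs and separate software switches preserves the segmentation across the tunnel: a frame entering vlan50 can only leave on vxlan50 (VNI 50) at the far side, and the layer 2 frames never cross wan1 outside the ESP-protected tunnel.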
 

Related Articles

 

Technical Tip: Software switch policy
