Description
This article describes how to configure VXLAN over IPsec for multiple VLANs.
Scope
FortiGate.
Solution
- WAN interface configuration.
This configuration is focused on how to configure two or more VLANs which can be used with VXLAN to extend the Layer2 connectivity across two different locations.
- Make sure that connectivity between both FortiGates is working to bring the IPsec tunnel up.
- Configuring IPsec VPN tunnel:
| FGT1: | FGT2: |
|
Phase1 config:
config vpn ipsec phase1-interface edit "ipsec" set interface "wan1" set peertype any set net-device disable set proposal aes256-sha1 set remote-gw 1.1.1.2 set psksecret xx next end
Phase2 config:
config vpn ipsec phase2-interface edit "ipsec" set phase1name "ipsec" set proposal aes256-sha1 set auto-negotiate enable next end
Tunnel interface config:
config system interface edit "ipsec" set vdom "root" set ip 2.2.2.2 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 2.2.2.1 255.255.255.252 set snmp-index 20 set interface "wan1" next |
Phase1 config:
config vpn ipsec phase1-interface edit "ipsec" set interface "wan1" set peertype any set net-device disable set proposal aes256-sha1 set remote-gw 1.1.1.1 set psksecret xx next end
Phase2 config:
config vpn ipsec phase2-interface edit "ipsec" set phase1name "ipsec" set proposal aes256-sha1 set auto-negotiate enable next end
Tunnel interface config:
config system interface edit "ipsec" set vdom "root" set ip 2.2.2.1 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 2.2.2.2 255.255.255.252 set snmp-index 20 set interface "wan1" next |
- This configuration will bring the IPsec tunnel up. Verify it as well.
It may be required to create a policy from the interface 'ipsec' to 'ipsec' so the tunnel can go up (tested in FortiOS v7.0.11).
set srcintf "ipsec"
set dstintf "ipsec"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
- Configure VLAN interfaces.
- Configure VXLAN interfaces for both VLANs.
- Configure the software switch interface:
- Test the connectivity by pinging the client connected to VLAN50 on 'SW1' towards the client connected to vlan50 on 'SW2'. Also, test the connectivity from the client connected on VLAN50 on 'SW2' towards the client connected on VLAN50 on 'SW1'.
- Repeat the same test for the client in VLAN60.
- In this setup, no firewall policies would be required. The reason for this is the option 'set intra-switch-policy implicit' configured under 'config system switch-interface' for both VLANs. With intra-switch-policy implicit, it is needed to expect some limitations. More information can be found in Technical Tip: Software switch and intra-switch-policy.
- If there is a requirement to use firewall policies, this option needs to be changed.
- Do not configure VLAN1 in the FortiGate as it is not recommended, and FortiGate uses VLAN1 for internal communication between FortiGate and FortiSwitch.
- The following article discusses how to bridge two different LANs (not VLANs) using VXLAN over IPsec: VXLAN over IPSEC to link local LANs.
- If both FortiGates are in an HA pair, change the HA group-id for any one cluster. When FortiGates are in a cluster, they will use virtual MAC addresses. Switch interfaces on both sides can have the same virtual MAC address, which will result in connectivity issues.
- The VLAN interface must be free of references and must not have any IP addresses to be added under the software switch.
- The hosts must have a single gateway or it will prevent inter-VXLAN traffic from working properly if hosts on Site A have the gateway of the software switch from Site A, while hosts on Site B have the gateway of the software switch from Site B.
Related articles:
